All social engineering attacks use deception to trick their victims into performing an action– such as transferring funds, paying fraudulent invoices, or sharing credentials. These attacks will often include similar social engineering techniques, such as:
- Urgency: the action needs to be performed immediately, as the longer the victim has to think, the more time they have to question whether this is a legitimate request
- Plausibility: if a request is close to something an employee does every day or related to a trending topic, they’re more likely to do it in autopilot
- Familiarity There’s been a marked rise in impersonation attacks that are at least partially tailored to the target – often claiming to be from an authority figure, such as a CEO, or a trusted source like a bank or government department
- Confidentiality: The action required is specific to the victim and needs to be done by them alone, as getting someone else involved increases the chances of the attack being detected
(If you’d like to learn more about social engineering, take a read of our article ‘ How do social engineering attacks work? ’.)
While these attacks may include similar techniques, the vector used for the attack can differ – whether that’s email (phishing), SMS (smishing), or phone (vishing).
Email is the vector that originally gave rise to the term ‘phishing’, although you might hear it used as an umbrella term for smishing, vishing, quishing, and other cyberattacks. Additionally, particularly when targeting professionals and the organizations they work at, email remains the most-used vector with the highest volume of attacks.
Smishing, vishing, and quishing attacks, however, have increased in volume in recent years, targeting people at home (for example through banking “scams” where the criminal impersonates the bank and requests funds to be transferred to a different account) and at work.
What is phishing?
Phishing is when cybercriminals use email to contact victims and trick them into performing an action. This might be clicking on a malicious URL, opening a malicious attachment, paying a fraudulent invoice, or even sharing credentials by replying to the email.
Increasingly, cybercriminals are engineering their phishing attacks to get through the traditional signature-based detection used by Microsoft 365’s native security and secure email gateways (SEG). To combat these advanced attacks, integrated cloud email security (ICES) solutions such as Egress Defend offer intelligent detection capability and real-time teachable moments within a person’s inbox for tangible risk reduction.
The rest of this article will focus on smishing and vishing attacks in more detail, but if you take a read of Ultimate Guide to Phishing you can find the answers to questions like ‘ What is phishing? ’.
What is smishing?
Smishing is the use of SMS sent to a mobile phone as part of a cyberattack. The name comes from the first two letters of ‘SMS’, combined with the ‘ishing’ part of ‘phishing’.
The victim of a smishing attack will receive a text message that impersonates a trusted source, such as a bank or financial services provider, government department, mail delivery service, colleague, or relative. Sometimes the unrecognized number is visible in these messages, but display names can also be spoofed to make the texts appear authentic.
Common topics used in these attacks include telling people they need to stop unauthorized payments or that they have been locked out of their bank account, need to reschedule a delivery, or a payment needs to be made to a colleague, supplier, or relative.
How does smishing work?
Smishing attacks are text-based and therefore very similar to phishing attacks. The cybercriminal can use different tactics to try to provoke the response they want. Ultimately, however, the cybercriminal will ask the target to perform a certain action – whether making a payment or clicking a hyperlink to a phishing website.
The attacker may run ‘scouting’ attacks, with the first message(s) appearing benign – such as identifying themselves as the impersonated person or entity. Scouting can be used to alert the cybercriminal to whether the number is active and the recipient is a good target for an attack. For example, if the recipient replies to a message impersonating a colleague or supplier claiming to be using a new or different number, the cybercriminal may feel increased confidence that their attack is going to be a success.
Smishing messages can also be combined with other attack vectors to increase the chances of success. If a cybercriminal has someone’s email address as well as their phone number, they could send a similar message in a phishing email. Or they could use the mobile phone they have to call the victim. These steps make an attack more complex and require additional resources from the cybercriminal, but they also make it appear more credible and become harder for someone to spot.
Businesses and consumers under attack from smishing
With the rise in the usage of mobile phones, legitimate organizations have adopted SMS as a means of communication. Cybercriminals rely on people being familiar with SMS use in ‘formal’ communications (versus simply using it to stay in contact with family and friends). At the same time, the prevalence of mobile phones creates a significantly larger pool of potential targets, increasing the chances that someone will fall victim to an attack.
In the FBI’s Internet Crime Complaint Center’s (IC3) 2021 Crime Types report (published in 2022), they group smishing in the same category as vishing and pharming. Together, these attacks have almost four times as many victims as the second-highest category (non-payment/non-delivery) and cost over $44.2m.
The increased use of work-issued mobile devices and BYOD (bring your own device) to support hybrid working makes smishing a growing concern for organizations.
How to stop smishing
These messages can be hard to block. Phone numbers can be leaked in data dumps from previous breaches, scraped from legitimate online sources, or even guessed by cybercriminals. At the same time, cybercriminals can easily change the numbers they send their attacks from, so even if the recipient blocks one number, it doesn’t guarantee they won’t be targeted by the same cybercriminal again.
Consequently, awareness is key for reducing the risk from smishing attacks. Some good advice to give includes:
- Commonly impersonated organizations like banks and delivery services never ask for personal information via SMS text message (in an effort to combat smishing attacks)
- Almost every organization will publish communication guidelines on their websites – if the recipient is unsure, they can check what information might be sent via SMS text message
- Don’t click on hyperlinks sent from unknown or unusual sources – always navigate to the legitimate site via typing known URLs directly into your browser or via a search engine
- Contact the sender another way to check any link, request, or other information is legitimate
Similar to other social engineering attacks, smishing attacks can often use tactics designed to make people act quickly – so slowing down and verifying information is always recommended.
What is vishing?
Vishing is the use of phone calls to trick victims into taking a certain action, like transferring funds or sharing credentials. The phone calls can be a live conversation between the cybercriminal and their victim, or they can be an automated message that provides instructions (sometimes asking the victim to call the cybercriminal back).
Like phishing and smishing, vishing is classed as a type of cybercrime, and similar to smishing and many advanced phishing attacks, it usually relies on some form of impersonation.
The word ‘vishing’ is a shortening of the phrase ‘voice phishing’.
How does vishing work?
Like phishing and smishing, the goal of a vishing attack is to trick someone into performing an action or giving up valuable information, for example, transferring money into a bank account controlled by the cybercriminal or asking the target to ‘verify’ certain private details that will be used to commit identity fraud. The attacker might also make voice calls in combination with another scam, like encouraging you to click on a link in a phishing email or smishing text.
Usually, the caller IDs used to make these calls will either be kept private or spoofed to look like legitimate ones. Alternatively, cybercriminals can hide their identities using VoIP (the method used to make calls over the internet), which simplifies the creation of fake phone numbers and even realistic spoofs of a local number or a police, government, or hospital department. The criminal gangs behind vishing attacks often don’t just call random numbers. They’ll research victims and may even ‘warm them up’ with phishing emails or smishing texts to see which targets respond. If someone seems responsive and pliable over text or email, they’re probably a good target for a vishing attack too. The target might also be more receptive to the phone call if they have received other communications referencing it.
Cybercriminals may also choose to target vulnerable people and use persuasive or threatening language to try to convince them to take action. They’ll usually attempt to persuade the victim they’re doing them a favor or helping them in some way – for example: “We need this information now or your bank account will be closed.”
A real-life example of a vishing attack
Unlike phishing and smishing, it can be harder to impersonate a known contact via vishing – as they can obviously hear the person’s voice to whether it’s really them. For example, a call from your CEO would be less effective than a phishing email if you know the voice is wrong.
However, cybercriminals have found several ways around this. AI technology can now be used to impersonate known contacts in highly targeted attacks as part of deepfake phishing. In a high-profile case, AI was used to mimic the voice of a German conglomerate’s CEO and trick an employee at another business into transferring funds to the wrong bank account. Cybercriminals managed to steal almost $250,000 from a U.K.-based energy company with the attack. Afterwards, the victim said it sounded just like the CEO, even down to his accent.
It’s also worth noting that remote and hybrid working has increased the risk for organizations. With employees spending less time in offices and relying more heavily on email and chat to communicate, they can be less familiar with their colleagues. As a result, some vishing attacks are seeing greater success, such as impersonating internal IT helpdesks to ask victims for their credentials, with targets fooled into thinking they’re talking to a colleague they haven’t spoken to in person or via phone/video calls before.
How to stop vishing attacks
As mentioned earlier in this article, phone numbers (both mobile and landline) can be included in data dumps from previous breaches, found online/offline through legitimate means, or guessed at by the cybercriminal. Increasingly, apps, platforms, and companies request people’s phone numbers when they sign up to use them or purchase goods and services – which can be leaked if the company has a data breach. Similar to smishing attacks, people are issued with work phones or bring their own devices to work, which means that regardless of the device someone is using when they’re targeted by a vishing attack there is a significant risk to organizations.
Again, like smishing attacks, it’s difficult to simply ‘stop’ vishing outright – the cybercriminal can simply contact them using a different number or platform.
Organizations can focus on awareness to help people prepare for these attacks, including offering the following advice:
- Never give out personal information (like bank details or system credentials) over the phone
- Be wary of unusual and urgent requests, especially if they’re accompanied by threats
- Add phone numbers to the ‘do not call’ registry, which companies will be regulated to respect – although, be aware that they may still contact you if they have a legitimate reason to (for example, in relation to products or services you’ve bought), so this is something cybercriminals can take advantage of
- Listen for unexpected language or tone, such as a representative from a bank behaving informally
- Check the request another way – if you’re not sure, then use a search engine or other source to find alternative contact details and call back (financial institutions will actively encourage this behavior)
Organizations can also use anti-phishing software. If the vishing attack is the second step in a campaign that also includes scouting via phishing emails, then detecting this early in the attack’s kill chain will better prepare your organization.
You can find more advice on dealing with phishing here. Or if you’d like to protect yourself against the most advanced threats today, you can learn more about Egress Defend or request a free product demo.