December 14, 2021

Smishing, vishing, phishing – here's what to look out for!



You may have heard of phishing, but have you heard of smishing and vishing? Here’s a brief summary of what each term refers to, and how you can keep yourself and your business safe from these kinds of cyber attacks.

What is phishing?

Phishing is a popular cyber crime technique typically performed by sending deceptive emails, but in some cases, it’s the use of well-crafted copies of popular websites to steal confidential personal and corporate information.

Victims are tricked into giving up personal information such as their address, date of birth, name and other personally identifiable information. Cyber criminals use this information to impersonate the victim – applying for credit cards, opening bank accounts, applying for loans, and committing other fraudulent activities. The most popular use cases for phishing emails are to infiltrate a business by installing malicious software or code on a user's computer. Once a foothold has been gained, the attackers typically try to gain domain admin-level privileges in the environment.

An example of a phishing email

Watch out for errors, the sender email address, inconsistent spellings etc. Have a go at our short quiz to see if you can spot the differences.  

Good actions to take:

  • Recognise times when you may be more vulnerable, e.g., on weekends, when you're tired, when checking email via your phone. Be extra cautious at these times.
  • Report anything that doesn't look right to your IT/security team.
  • Don't click the links if you're unsure.
  • Don't give out any personally identifiable info/bank details.
  • Check with the real sender (if you know who they are) whether they sent this email.

What is vishing?

Vishing is typically a social engineering technique that uses phone calls to gather personal confidential information from victims. Often referred to as voice phishing, cyber criminals use savvy social engineering tactics to convince victims to act, giving up private information and access to bank accounts.

Like phishing or smishing, vishing relies on convincing victims that they are doing the right thing by responding to the caller. Often the caller will pretend to be calling from the government, tax department, police, or the victim’s bank.

Cyber criminals use threats and convincing language to make victims feel as though they have no other option than to provide the information being asked of them. Some cyber criminals use strong and forceful language, and others suggest they are helping the victim to avoid criminal charges. A second and common tactic is to leave threatening voicemails that tell the recipient to call back immediately, or they risk being arrested, having bank accounts shut down, or worse.

Example of a vishing attempt

  • A phone call from "Sarah" @ "A-DistributionCompany" came into reception for a staff member “Tom” (no last name given), regarding a package to be delivered.
  • The message was passed to someone called Tom, who called back to find out more information.
  • Sarah didn’t want to speak immediately and couldn’t wait to get off the phone. She called back a few minutes later, claiming she was in the A-DistributionCompany warehouse and had 4 pieces of carpet from the company, "Carpets From Overseas" waiting to be delivered that couldn’t due to the office being closed.
  • When Tom asked for the package to be re-directed, Sarah said she would have to go back to the supplier.[KF1] [GW2] 

Fast forward to the next day, and there's a missed call and new voicemail from "Nigel" @ A-DistributionCompany.

  • Nigel was claiming that the case had been escalated to him. He asked for payment in order to redirect the package.
  • Instead of calling Nigel back, Tom called the official number for A-DistributionCompany to determine if there was a package that needed to be delivered. It turns out that there is no package.

Good actions to take:

  • Ask questions.
  • Verify with a well-documented phone number for that organisation, e.g. via their corporate website, Google business listing.
  • Don’t give out any personally identifiable information.
  • Don’t get caught up with the excitement of a delivery – be suspicious!

What is smishing?

Smishing is sending manipulative text messages to steal confidential personal and corporate information from people.

Cyber criminals send carefully worded text messages to the victim, urging the victim to respond or to take further action. The text message might ask the victim to click a link to find out more information about a delivery.

The ultimate goal of any smishing tactic is the same – to compromise people by stealing confidential information.

An example of smishing

Good actions to take:

  • Again, don’t get caught up with the excitement of a delivery – be suspicious.
  • Don't hand out any personally identifiable information/bank details. It's unlikely that you'd ever be asked to pay this via a text message.
  • Verify the delivery directly with the courier company (if known). Use a number or contact information from their legitimate website.

In conclusion, if you think you’re a target of the -ishings

  1. Do not provide any information. Don’t be scared to ignore, delete, or hang up. If it’s a serious claim, they’ll find another way to contact you.
  2. If you suspect you're a target, report to your IT or security department. Better to be safe than sorry.
  3. Talk to us if you're worried about your business becoming a target. We can put the right technologies in place to reduce the likelihood of it happening.

Get in touch