Phishing attacks are an extremely common way hackers can gain access to your businesses’ sensitive or confidential information. In fact, 74% of organizations in the United States experienced a successful phishing attack. Additionally, millions of harmful site warnings are being reported every month and continue to grow as we adopt digitization in today’s society.
While vishing has historically been less of a threat than phishing attacks, these have also been on the rise. 54% of organizations encountered vishing attacks (phishing by telephone), but what is the difference between phishing, smishing, and vishing attacks? The method of delivery, of course. Let’s explore some key differences between the three, and how you can protect yourself and your business.
What is Phishing?
A phishing attack is when fraudulent emails are sent to your account. These oftentimes appear to come from a reputable company. The goal of these phishing emails is to get users to click malicious links or download infected attachments – allowing hackers to steal confidential information.
Phishing attacks begin when recipients begin to trust hackers. This provides accurate information about the recipient’s company, address, or even coworkers’ names. Then they set the bait. Phishing attacks end when the hacker springs the trap.
Examples of Phishing Attacks
1. Fake Invoice Scams
The most popular type of phishing attack utilizes the fake invoice technique. Like many phishing attacks, this scam utilizes fear tactics, pressuring the recipient to submit a payment for goods or services they have never ordered or received. Finance departments are obvious targets for this kind of attack, although there are many potential victims that can be duped.
2. Email Account Upgrade Scam
Email account upgrades usually appear to come from a trusted email provider. When faced with an email like this, many people unfortunately click around on the page, leading to pages that harvest your information.
3. Google Docs Scam
This sophisticated email scam gets recipients to click its link to view a ‘document’. This then takes you to an identical version of Gmail’s login page. Once your account is selected, you are then invited to grant access to your Google account. This allows the attacker free rein.
4. Message From HR Scam
An HR email scam oftentimes uses malicious attachments or links that, once clicked, install malicious software onto your device. To avoid this, it is important to encourage your colleagues to ask HR directly whether a request for personal information is legitimate before responding.
5. Unusual Activity Scam
When users get an email stating there has been “suspicious activity on your account”, alarm bells start ringing at full pace. Due to this urgency and panic, this scam works particularly well.
6. Standard Email Phishing Scam
Email phishing is the most common form of phishing, this attack is meant to steal sensitive information via email, which appears to be sent from a legitimate organization. There is no particular target in this case, so this type of phishing attack is sent to the masses and is somewhat easier to flag due to its general messaging.
7. Malware Phishing Scam
Another popular scam that uses the same techniques as email phishing. This attack persuades its potential victim to click a link to download an attachment so malware can be installed and delivered onto a device. Some malware can evade detection because it may use the same language as existing applications. This is called macro malware.
8. Spear Phishing Scam
While standard phishing and malware scams cast a wider net, spear phishing is targeted toward high-value targets such as executives, public figures or personas, and other lucrative individuals that have sensitive information which can compromise an entire enterprise.
9. Search Engine Phishing Scam
This kind of attack is delivered through a realistic, but fraudulent website in order to steal sensitive information or direct payments. The search process may be legitimate, but the fraudulent website is used to make fake offers or messages that lure its victims into taking action.
10. Pharming Scam
This scam is a sophisticated form of phishing and involves using a domain name system (DNS). Potential victims may think that they’re visiting a legitimate website, but they are rerouted to a fake one without the user’s knowledge.
11. Clone Phishing Scam
In this type of scam, a shady actor may have compromised an existing email account. The actor will then change existing links, attachments, or other elements with malicious ones and then send them to the user’s contacts to spread the infection.
12. Business Email Compromise (BEC) Scam
Business email compromise involves phony emails appearing to come from people within or associated with an organization and urges them to take immediate action. Since this type of scam uses the company’s trustworthiness, it’s important to have a cybersecurity solution and a security awareness training program to decrease your chances of getting compromised.
What is Vishing?
Vishing utilizes phone scams to steal personal confidential information from victims. Oftentimes this is referred to as voice phishing. Cybercriminals use social engineering tactics in order to convince victims to act by giving up private information such as access to bank accounts. Vishing relies heavily on convincing victims they are doing the right thing by answering the caller. Often the caller pretends to be calling from the government, a tax department, the police, or even the victim’s bank.
Examples of Vishing Attacks
1. Wardialing
Cybercriminals use software to target specific area codes. They usually use a message involving local banks, businesses, police departments, or other organizations. When the call is answered, an automated message begins. It then urges the person to provide their full name, as well as credit card details, bank account information, mailing addresses, and even social security information.
2. VoIP
VoIP makes it simple for cybercriminals to create fake numbers and hide behind them. These numbers are difficult to track and can be used to create phone numbers that appear to be local. Some cybercriminals create VoIP numbers that appear to come from government departments, local hospitals, or even the police department.
3. Caller ID Spoofing
Caller ID spoofing is when a cybercriminal hides fake phone number/caller ID. They might list their name as Unknown or even pretend to represent an actual caller, using an ID related to the Government, Tax Department, Police, etc.
4. Dumpster Diving
A popular method of collecting phone numbers is by digging through dumpsters behind buildings such as banks, office buildings, and random organizations. Oftentimes criminals find enough information to deliver a targeted spear vishing attack toward the victim.
5. Robocall
Using computer software, this type of vishing attack uses prerecorded calls sent to every phone number in a specific location. An automated voice will ask the caller to state their name and may ask for other information to steal money or open fraudulent accounts. This type of scam has gotten so common that people hang up when they receive them.
6. Tech Support Call
This type of attack is commonly used in larger organizations. Scammers will act like the tech support department and ask for your password in order to resolve the situation. It’s important for an organization to have a set of rules so they never divulge their password under any circumstances.
7. Client Call
Scammers may pretend to be your company’s client and ask for an invoice to be paid. This type of information is usually obtained by dumpster diving. This is the reason why organizations should have a two-person approval system in place for any invoice or wire transfers to reduce fraudulent activity or attempts.
8. Voicemail Scam
Users may receive an email for a voicemail notification in regards to a messaging app they use on their smartphone. If a user isn’t capable of spotting a phishing email or link from the start, they may click on a malicious link that installs malware onto their device.
What is Smishing?
This type of attack can be easily confused with vishing attacks. Vishing attacks will come in the form of phone calls or voice mail messages, but smishing attacks will come in the form of text messages, or SMS (short service messages). Since email addresses can be longer in length and contain different characters, cybercriminals are moving their efforts to direct messaging. It’s also easier to disguise a malicious attack via messaging app because there is a higher level of trust associated with direct messages.
Examples of Smishing Attacks
1. Text Message Scam
With text messages, cybercriminals can accomplish many different things. This includes stealing personal banking information by posing as a bank representative. Messages could contain a link leading to a spoofed web page where it asks you to verify suspicious activity on your account. A toll-free number may be available to “resolve” the situation, but in reality, you may be contacting an actor posing as the bank representative.
Another example of a text messaging scam uses emotion to exploit its victim. You may be contacted by a charitable organization that’s similar to the ones you’ve donated to. The message may also leverage a current event or natural disaster. A link will then forward you to a fake website that asks for credit or wiring information to complete the transaction. This type of information could compromise your bank account.
2. Instant Messaging Scam
Instant messaging or direct messaging (DM) scams are on the rise due to the usage and dependency on social media. Private messages tend to have a higher level of trust versus other forms of phishing attacks. This is the reason why cybercriminals are trying to double down on this form of delivery.
Cybercriminals could spend months building an account to prove its authenticity and having a large network of followers and social shares can increase its validity. Long-term relationships will be made before an actor tries to ask for direct wire transfers, personal information, or gifts.
Besides cybercriminals, your network of friends and family can become an accomplice — not intentionally, but unknowingly. People have an irresistible need for participating in viral posts that require permission from third-party applications in order to share them onto their feed. While users grant permission and accept terms and conditions, the app installs and launches a malicious attack to take over an account. Once an account is compromised, a cybercriminal can act as the user and have more contacts to target.
Main Differences Between Vishing, Smishing, and Phishing
Delivery
A phishing attack, as well as a smishing attack, are targeted at a wide range of people through emails and texts. These are usually automated attacks that hit many individuals at once. Alternatively, vishing attacks are also targeted at a wide range of people, however, the method of delivery is different because vishing attacks are delivered via voice communication. This is usually a more manual attack.
Who is Staging These Attacks
Since phishing attacks target so many individuals at once, they typically have more accuracy. These criminals generally are hackers who have vast knowledge about how to get into your device. Alternatively, vishing criminals typically do not have this knowledge, and their attacks are far less accurate due to the fact that one criminal can only take out on one attack at a time.
Harvested Information
In terms of the information harvested, phishing and smishing attacks usually need the victim to click on a malicious link or download a malicious file. Vishing attacks, on the other hand, need for the victim to willfully give up their information over the phone.
How to Prevent Phishing, Smishing, and Vishing Attacks?
- Avoid clicking links from someone you don’t know. Make sure to examine each link and take note of how the URL is structured. The link should be short, and clean, contain HTTPS, and include no foreign characters to resemble letters.
- Avoid giving out personal information. Most security awareness training programs will have protocols in place as to when it’s appropriate to give out personal information or not. In most cases, there are specific steps to take, and if it’s something out of the ordinary, you should be very skeptical.
- Avoid answering spam calls or text messages. Most spam calls will show up as such on your caller ID and text messages will usually contain a shortened link with a sense of urgency. Avoid answering or responding back to these messages because interacting with them will persuade them to keep on trying.
Final Thoughts
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned organizations about a massive vishing campaign that is taking advantage of increased telework due to the pandemic, resulting in increased use of corporate VPNs and elimination of in-person verification. Phishing and vishing attacks are constantly on the rise, but staying vigilant can help you and your employees stay safe.
Learn more about Cyren Inbox Security for 365, and how it can help your business stop phishing attacks in their tracks.