Ask The Expert: Vishing, Phishing, Smishing – What You Need to Know
It might be tough to keep track of all the different terms for cyber scams these days. First “phishing” was the term for email scams impersonating companies and other entities in attempts to gain personal information. Now, terms like vishing, smishing, pharming and even quishing are being thrown around. Here’s an overview of what they all mean.
Vishing vs Phishing & Other Attacks
Vishing is a lot like phishing, just with a different approach. Phishing involves scammers impersonating a business, colleague, or even a boss over email in an attempt to trick you into sending your personal information to them. Vishing is similar, as attackers will use fraudulent phone calls to do the same thing.
Smishing
This kind of attack is slightly different: scammers send texts and messages through various apps while pretending to be someone else and hiding their real phone numbers.
Quishing
As another variation of the same kind of attack, quishing refers to scams that trick victims into scanning QR codes that lead to sketchy websites via their mobile phones. Once there, the websites may inject malware or steal personal information from victims.
Pharming
This is when cyber criminals create a fake website mimicking an existing business in order to get victims to enter personal information and click on links containing malware. For example, hackers will target a specific business and redirect their customers to a fake version of their real website, so users plug in their passwords and other sensitive information. Then, hackers can steal money, inject malware and create all sorts of other havoc.
Common Traits of Vishing Attacks
Vishing scams often come in the form of automated “shotgun attacks”, which go after a large number of phone numbers in hopes that a few will bite. Scammers will leave voice messages prompting victims to call them back. These callers will attempt to manipulate victims by convincing them that they will face fines, criminal charges, or other account losses if they don’t follow the given instructions.
Wardialing & Caller ID Spoofing
“Wardialing” is a technique used in vishing when scammers target a certain area code and use the names of local banks, businesses, police departments, and other entities to seem legitimate. When calling victims, attackers will also use VoIP applications to generate fake phone numbers to match your area code as another way to seem real.
Another method of creating a false sense of legitimacy is Caller ID spoofing, where scammers change their caller ID to something like “Unknown” or “Tax Department” to throw off suspicion.
AI Voice Impersonation
AI can now be used to create realistic voices that scammers will play over the phone. This makes their schemes even more believable to unsuspecting victims, since it can be difficult to tell the difference between a real person and an AI-generated voice.
How to Avoid Falling Victim to Vishing Scams
The biggest liability you’ll face when dealing with vishing, phishing and other scams: people. This is true across all of cybersecurity, where human error poses a huge risk. Since attackers rely on the assumption that you or your staff don’t know what to look for in potential scams, it’s crucial that you set up effective training to educate them.
Vishing Training
Staff training on how to spot these scams should happen at least yearly, with digestible and interactive modules that your staff will be able to understand. Many outsourced IT services will implement these for you, and they can even report how successful the training was with metrics such as what percentage of your staff participated.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) refers to using two or more methods of verification to confirm a user’s identity. This simple step can prevent unauthorized access by requiring users to present “something they have, and something they own” before being cleared to access the network.
This will typically look like an authentication app on another device, a PIN or link texted or emailed to a separate number or account, or simply clicking "verify identity" in a separate email.
Strong Passwords & Resets
Requiring users to have strong, unique passwords is a great way to help prevent hackers from guessing or using stolen credentials to access your network.
Strong passwords should:
- Have 8-12 characters
- Feature special characters and/or numbers
- Exclude any family names or words that can be guessed easily from information found online
- Be reset often to prevent stolen passwords from being plugged in
Passwords and other credentials might already have been compromised and posted on the dark web. The business of cybercrime is a growing concern for cybersecurity, as cybercriminals buy and sell stolen information on dark web marketplaces.
Zero Trust Architecture
Zero Trust is the assumption that all users and programs are suspicious until deemed safe by your IT team. Zero Trust tooling will block downloads from unknown sites or apps, use admin controls to prevent unauthorized individuals from accessing sensitive information, and much more.
Learn more about Zero Trust and the importance of user authentication in our blog: Why Zero Trust is a Must to Combat Shadow IT, Zero Day Attacks, & More.
Learn more about Email Safety
Read more about how to train employees on cybersecurity awareness in our blog: Top 6 Email Security Tips. To learn more about cybersecurity best practices, check out our exclusive Cybersecurity Essentials PDF for a step-by-step guide to securing your network.
How to Implement a Secure Email Strategy
To incorporate adequate training as well as crucial cybersecurity tools into your work culture, it's wise to partner with a managed service provider (MSP) with the tools to help you succeed. Learn more about what to look for in an MSP in our blog: 10 Questions to Ask Before Committing to a Managed Services Provider.