Smishing and Vishing: What You Need to Know About These Phishing Attacks

  • 10 August 2020

Whether or not you’re familiar with the terms “smishing” and “vishing,” you may have been targeted by these attacks. This article will:

  • Explain what smishing and vishing attacks are, and how they relate to phishing
  • Provide examples of each type of attack alongside tips on how to identify them
  • Discuss what you should do if you’re targeted by a smishing or vishing attack

Smishing, Vishing, and Phishing

Smishing and vishing are two types of phishing attacks, sometimes called “social engineering attacks.” While 96% of phishing attacks arrive via email, hackers can also use social media channels. Regardless of how the attack is delivered, the message will appear to come from a trusted sender and may ask the recipient to:

  • Follow a link, either to download a file or to submit personal information
  • Reply to the message with personal or sensitive information
  • Carry out an action such as purchasing vouchers or transferring funds

Types of phishing include “spear phishing,” where specific individuals are targeted by name, and “whaling,” where high-profile individuals such as CEOs or public officials are targeted.

All these hallmarks of phishing can also be present in smishing and vishing attacks.

What Is Smishing?

Smishing — or “SMS phishing” — is phishing via SMS (text messages). The victim of a smishing attack receives a text message, supposedly from a trusted source, that aims to solicit their personal information.

These messages often contain a link (generally a shortened URL) and, like other phishing attacks, they’ll encourage the recipient to take some “urgent” action, for example:

  • Claiming a prize
  • Claiming a tax refund
  • Locking their online banking account

Example of a Smishing Attack

Just like phishing via email, the rates of smishing continue to rise year-on-year. According to Consumer Reports, the Federal Trade Commission (FCC) received 93,331 complaints about spam or fraudulent text messages in 2018 — an increase of 30% from 2017.

Here’s an example of a smishing message:

The message above appears to be from the Driver and Vehicle Licensing Agency (DVLA) and invites the recipient to visit a link. Note that the link appears to lead to a legitimate website — gov.uk is a UK government-owned domain.

The use of a legitimate-looking URL is an excellent example of the increasingly sophisticated methods that smishing attackers use to trick unsuspecting people into falling for their scams.

How to Identify a Smishing Attack

As we’ve said, cybercriminals are using increasingly sophisticated methods to make their messages as believable as possible. That’s why many thousands of people fall for smishing scams every year.

In fact, according to a study carried out by Lloyds TSB, participants were shown 20 emails and texts, half of which were inauthentic. Only 18% of participants correctly identified all of the fakes. So, what should you look for?

Just like a phishing attack via email, a smishing message will generally:

  • Convey a sense of urgency
  • Contain a link (even if the link appears legitimate, like in the example above)
  • Contain a request personal information

Other clues that a message might be from a hacker include the phone number it comes from (large institutions like banks will generally send text messages from short-code numbers, while smishing texts often come from “regular” 11-digit mobile numbers) and may contain typos.

If you’re looking for more examples of phishing attacks (which might help you spot attacks delivered via text message) check out these articles:

How to Identify and Prevent Phishing Attacks

How to Catch a Phish: A Closer Look at Email Impersonation

Phishing vs. Spear Phishing: Differences and Defense Strategies 

COVID-19: Real-Life Examples of Opportunistic Phishing Emails

What Is Vishing?

Vishing — or “voice phishing” — is phishing via phone call. Vishing scams commonly use Voice over IP (VoIP) technology.

Like targets of other types of phishing attacks, the victim of a vishing attack will receive a phone call (or a voicemail) from a scammer, pretending to be a trusted person who’s attempting to elicit personal information such as credit card or login details.

So, how do hackers pull this off? They use a range of advanced techniques, including:

  • Faking caller ID, so it appears that the call is coming from a trusted number
  • Utilizing “war dialers” to call large numbers of people en masse
  • Using synthetic speech and automated call processes

A vishing scam often starts with an automated message, telling the recipient that they are the victim of identity fraud. The message requests that the recipient calls a specific number. When doing so, they are asked to disclose personal information. Hackers then may use the information themselves to gain access to other accounts or sell the information on the Dark Web. 

The Latest Vishing News: Updated August 2020

On August 20, 2020, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement warning businesses about an ongoing vishing campaign.

The agencies warn that cybercriminals have been exploiting remote-working arrangements throughout the COVID-19 pandemic. 

The scam involves spoofing login pages for corporate Virtual Private Networks (VPNs), so as to steal employees’ credentials. These credentials can be used to obtain additional personal information about the employee.

The attackers then use unattributed VoIP numbers to call employees on their personal mobile phones. The attackers pose as IT helpdesk agents, and use a fake verification process using stolen credentials to earn the employee’s trust.

The FBI and CISA recommend several steps to help avoid falling victim to this scam, including restricting VPN connections to managed devices, improving 2-Step Authentication processes, and using an authentication process for employee-to-employee phone communications.

Example of a Vishing Attack

Again, just like phishing via email and smishing, the rates of vishing attacks are continually rising. According to one report, 49% of organizations surveyed were victims of a vishing attack in 2018. 

Vishing made headlines most recently in July 2020 after the Twitter scam. After a vishing attack, high-profile users had their accounts hacked, and sent out tweets encouraging their followers to donate Bitcoin to a specific cryptocurrency wallet, supposedly in the name of charitable giving or COVID-19 relief.

This vishing attack involved Twitter employees being manipulated, via phone, into providing access to internal tools that allowed the attackers to gain control over Twitter accounts, including those of Bill Gates, Joe Biden, and Kanye West.

This is an example of spear phishing, conducted using vishing as an entry-point. It’s believed that the perpetrators earned at least $100,000 in Bitcoin before Twitter could contain the attack.

You can read more cybersecurity headlines from the last month here

How to Identify a Vishing Attack

Vishing attacks share many of the same hallmarks as smishing attacks. In addition to these indicators, we can categorize vishing attacks according to the person the attacker is impersonating:

  • Businesses or charities — Such scam calls may inform you that you have won a prize, present you with you an investment opportunity, or attempt to elicit a charitable donation. If it sounds too good to be true, it probably is.
  • Banks — Banking phone scams will usually incite alarm by informing you about suspicious activity on your account. Always remember that banks will never ask you to confirm your full card number over the phone.
  • Government institutions — These calls may claim that you are owed a tax refund or required to pay a fine. They may even threaten legal action if you do not respond. 
  • Tech support — Posing as an IT technician, an attacker may claim your computer is infected with a virus. You may be asked to download software (which will usually be some form of malware or spyware) or allow the attacker to take remote control of your computer.

How to Prevent Smishing and Vishing Attacks

The key to preventing smishing and vishing attacks is security training

While individuals can find resources online, employers should be providing all employees with IT security training. It’s actually a requirement of data security laws, such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act. You can read more about how compliance standards affect cybersecurity on our compliance hub

Training can help ensure all employees are familiar with the common signs of smishing and vishing attacks which could reduce the possibility that they will fall victim to such an attack.

But, what do you do if you receive a suspicious message? The first rule is: don’t respond. 

If you receive a text requesting that you follow a link, or a phone message requesting that you call a number or divulge personal information — ignore it, at least until you’ve confirmed whether or not it’s legitimate. The message itself can’t hurt them, but acting on it can. 

If the message appears to be from a trusted institution, search for their phone number and call the institution directly. For example, if a message appears to be from your phone provider, search for your phone provider’s customer service number and discuss the request directly with the operator.  

If you receive a vishing or smishing message at work or on a work device, make sure you report it to your IT or security team. If you’re on a personal device, you should report significant smishing and vishing attacks to the relevant authorities in your country, such as the Federal Communications Commission (FCC) or Information Commissioner’s Office (ICO). 

For more tips on how to identify and prevent phishing attacks, including vishing and smishing, follow Tessian on LinkedIn or subscribe to our monthly newsletter