Phishing, Vishing and Smishing: What’s the Difference?
To the untrained eye, these words may appear to be gibberish, but they represent cyber threats that can be highly devastating. In fact, each and every one of you reading this has most certainly been impacted in some way by one or more of them.
Let’s take a closer look at each of these cyber dangers and identify the significant differences…
So, you’ve most likely heard of phishing. Consider Nigerian princes and HMRC suits. Check your junk folder right now; you’ll probably find enough spam emails to fill a library!
Phishing is commonly associated with fraudulent emails, in which an unsuspecting victim receives an email that appears to come from a trustworthy source but is actually an attempt to obtain sensitive information or install malware on the victim’s devices.
Phishing is a sort of social engineering attack, which is defined as psychologically manipulating someone into doing or exposing something.
These attack methods are commonly used by hackers because they are simple to set up and rely on human error. People are generally simpler to deceive than system or network defences.
It’s no surprise that phishing is involved in 83% of cyber attacks.
Phishing attempts are becoming more complex, and given that the recipient is generally a busy employee juggling multiple tasks at once, it’s understandable that so many people get misled by these devious emails.
Hackers are skilled at disguising themselves as a corporation or somebody you would ordinarily trust, especially if they already have information about you.
In 2020, the top firms that phishing emails claimed to come from included PayPal, Microsoft, and Facebook – these are brands we use every day, so we’re unlikely to be suspicious at first when an email appears to be done up in all the appropriate ways.
With the rise of remote working during the pandemic, the threat has grown even more acute. During this time, email scams increased by 220%.
This is most likely due to a combination of factors. When we are at home in a familiar and comfortable atmosphere, we are likely to be less watchful, possibly even using work devices for personal use, which increases the cyber risk. Without corporate oversight and control over each employee’s activity, it is entirely the individual’s responsibility to be extra cautious when it comes to email conversations.
Because there is no way to receive a second opinion from the person next to you in the office, it is quite likely that an employee may click on or respond to a phishing email if sufficient cyber security training is not provided.
So how do you spot a phishing email?
If you look closely, there are some tell-tale signs of a phishing email, and best practices to follow if you want to do your part as a corporate employee.
There are frequently problems with the sender name, email address, or domain. Even a single changed character can look quite normal at a glance, so look more closely if it’s not an email you expected.
Because hackers aren’t the finest spellers, any errors in the email copy could indicate something suspect. Also, if the phrases sound urgent and ask you to do something, take a second to double-check with the company or people from whom the email claims to be sent.
This is especially important in cases of business email compromise, where the email appears to have been sent from your colleague’s or boss’s account but was actually sent by a hacker.
It may seem strange to query a colleague’s email request, especially if it is from someone higher up, but if they are requesting sensitive information or the transfer of money, it is always prudent to be certain.
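The sender-domain check described above can be automated. The following is an added example, not part of the original article: it flags From: addresses whose domain is one character away from, or visually confusable with, a trusted domain. The allow-list, the confusables table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr
from typing import Optional, Tuple

# Assumption: the organisation keeps its own allow-list of expected sender domains.
TRUSTED = {"paypal.com", "microsoft.com", "facebook.com"}
# Constructed, non-exhaustive table of visually confusable substitutions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'paypa1.com' compares equal to 'paypal.com'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED) -> Tuple[str, Optional[str]]:
    """Return (verdict, imitated_domain) for the address in a From: header."""
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain:
        return ("unparseable", None)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", None)
    for t in sorted(trusted):
        # One-character change or confusable swap, e.g. 'facebok.com', 'paypa1.com'.
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 1:
            return ("lookalike", t)
        # Trusted name used as the leading labels of an unrelated domain.
        if domain.startswith(t + "."):
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for h in ['"PayPal Support" <service@paypa1.com>', "billing@facebok.com",
              "alerts@paypal.com.account-verify.example", "Alice <alice@mail.microsoft.com>"]:
        print(h, "->", classify_sender(h))
```

A "trusted" verdict only means the domain is spelled correctly; the From: header itself can be forged, which is what SPF, DKIM and DMARC checks address.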
Vishing is an abbreviated name for ‘Voice Phishing’.
It covers phone calls or voice messages with similar goals to phishing – tricking someone into disclosing sensitive information or finances. No, the person who coined the term “Vishing” was not extremely inventive.
Phone fraud has historically been incredibly profitable for hackers; an upsurge in vishing attacks in 2014 cost UK consumers over £23.9 million.
Phone scammers, like phishing emails, will frequently call and pretend to be from a respectable company. They may pose as a bank, accusing you of fraud and demanding your personal information in order to clear it.
When it’s a phone call, it can be much more distressing, especially if the person on the other end is being told they’ve done something wrong. We are more inclined to make mistakes in times of high emotion, which is exactly what the scammer is hoping for.
How do vishing hackers get my number?
Consider this. You receive an unusual call in the middle of the afternoon from someone saying that your computer needs more software installed or it will be vulnerable.
Hopefully, you’ll realise that this isn’t a well-meaning do-gooder and that they’re probably trying to persuade you to install malware on your systems, but you’ll still furiously hang up the phone, asking, ‘how did they even obtain my number?!’.
Hackers can find phone numbers in a variety of ways, but the Dark Web is the greatest place to look for data. It is a veritable gold mine of information, where hackers can obtain all types of personal information, including phone numbers.
Common scams and how to spot them
Most vishing scams involve a hacker acting as someone from your bank or HMRC and informing you that there is a problem with your account or tax returns. They may require you to verify your account by entering login information, but this should always be the first red flag.
Some may even offer you information they already have on you to prove their legitimacy, but don’t be fooled. If you come into contact with these people and they ask for personal information, always hang up and investigate the case yourself.
Smishing is the last item on the list. Smishing occurs when a text message, or SMS, is sent to someone asking for personal or financial information.
With over 55.5 million people in the UK possessing smartphones, it’s no surprise that this is a popular entry point for hackers and scammers. Phone numbers are typically easier for hackers to discover than emails, which is why smishing attacks are on the rise – we witnessed a 700% spike in smishing reports in the first half of 2021 alone.
While most people are aware of the hazards of phishing emails and know what to watch for, that awareness is less common when it comes to your phone, making it easier to miss the signs. Take into account how many mobile phone users are constantly on the move and in a hurry, so it’s easy for someone to click on a bogus text when it arrives before they’ve even had a chance to think.
Hackers targeting your mobile device, similar to phishing, may be aiming to get you to install malware or steal your personal data by tricking you into entering information on a bogus site and sending it directly back to the hacker.
As more corporate employees use their own mobile devices at work, smishing may be as big a threat to a business as it is to an individual consumer, so knowing how to recognise it and what to do about it is critical.
Protecting against smishing attacks
In general, you should never respond to a text if you don’t recognise the sender. Banks should never request information through text or instruct you to change your account information. If there is a link, it is most certainly fraudulent, and you should notify your bank immediately.
If you believe you have responded to a phishing text or provided personal information, notify your bank.
Many people also prefer to make their phone number unlisted in order to make it more difficult for hackers to obtain it in the first place.
The bulk of cyber attacks succeed because they utilise social deception, frequently playing on emotions, to catch someone off guard, and phishing, smishing, and vishing are prime instances of this. The best way to be safe is to be aware of these many types of attacks, especially as they evolve, and to know how to respond appropriately to them.
The most effective approach is to just ignore anything that doesn’t feel quite right, and to never give out personal information until you have properly established the authenticity of that communication.