Smishing and Vishing: Explained and Explored
Feb 18, 2021 • Security Magazine
Ransomware attacks, phishing scams, fake news and several other cyberattacks made headlines in 2020. As millions of Americans shifted to remote work for business continuity, cybercriminals sprang into action and evolved their social engineering tactics. When it comes to phishing, Verizon research shows that 85% of phishing attacks now take place over channels beyond email, such as messaging, gaming, social and productivity apps. Smishing and vishing are two variants that are fast gaining traction because they target mobile phones.
Smishing is phishing conducted via Short Message Service (SMS). Phishers send text messages that appear to come from trusted senders, such as banks and online retailers. The messages typically contain URLs or links that lure recipients to websites that harvest credentials or push malware onto the victim’s mobile device.
Smishing works because SMS senders are not authenticated beyond a phone number or an alphanumeric sender ID. At best, the recipient can only assume that the displayed number belongs to an authentic source, and even that is not guaranteed, because bulk-messaging gateways and rogue applications let a sender originate SMS messages from spoofed, borrowed or shared telephone numbers.
Furthermore, SMS is unauthenticated by design: anyone who knows a recipient’s phone number can send them a message. Unless the recipient has saved the sender’s number in their contact list, the text looks like any other, and if the spoofed originating number matches one the recipient already knows, the phone threads the message alongside the legitimate ones. Additionally, URLs embedded in SMS messages are harder to inspect or verify than in email, since most are shortened by common URL shorteners and a phone offers no hover preview of the destination.
How Does Smishing Work?
Smishing attacks follow basic social engineering principles and typically work in two stages:
- Bait the victim via an SMS: The attacker sends an SMS that creates a false sense of urgency. Examples include unknown service charges, erroneous bank transactions, invoices or online purchases, cash prize winnings, and suspended-account reactivation notices.
- Set the hook: The hook is usually the URL embedded in the text message. It leads the victim to a page that solicits or captures sensitive information, or that downloads malicious software.
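The two stages above, plus the earlier points about unauthenticated senders and shortened links, translate into a small triage routine. The following Python is an added example written for this page, not code from Security Magazine or Verizon. It extracts the URLs from an SMS body, expands shortened links by following Location headers only (never loading the final page), and scores the structural red flags a phisher's link tends to carry: a shortener, plain HTTP, an IP-literal host, userinfo in the URL, or a brand name inside a hostname whose registrable domain the brand does not own. The shortener list, brand allowlist, urgency phrases, weights and sample messages are all constructed assumptions; the `fake_head` table stands in for a real HTTP HEAD request so the block runs offline.

```python
import re
from urllib.parse import urlsplit

# Registrable domains of common public URL shorteners. Constructed, partial list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}

# Brand -> registrable domains that brand legitimately sends from. Constructed for
# the example; in practice this is the organisation's own allowlist.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
    "usps": {"usps.com"},
}

# Phrases that manufacture the "act now" pressure the bait stage relies on (assumed list).
URGENCY_CUES = ("suspended", "locked", "unusual activity", "verify", "immediately",
                "within 24 hours", "final notice", "you have won", "prize")

# Assumed weights: lookalike domains and credential-hiding userinfo weigh most.
WEIGHTS = {"plain-http": 1, "ip-literal-host": 2, "shortener": 1,
           "userinfo-in-url": 3, "lookalike": 3, "urgency": 1}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com/.net style names; a real
    deployment should use the Public Suffix List to handle co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url):
    """Return the structural red flags of one URL, without fetching it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("plain-http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal-host")
    if domain in SHORTENERS:
        findings.append("shortener")
    if parts.username is not None:          # e.g. https://paypal.com@evil.example/
        findings.append("userinfo-in-url")
    # Brand name inside the host (after undoing 1->l / 0->o and hyphen tricks)
    # while the registrable domain is not one the brand actually owns.
    folded = host.replace("-", "").replace("1", "l").replace("0", "o")
    for brand, good in BRAND_DOMAINS.items():
        if brand in folded and domain not in good:
            findings.append(f"lookalike:{brand}")
    return {"url": url, "host": host, "domain": domain, "findings": findings}


def follow_redirects(url, head, max_hops=5):
    """Expand a shortened link by following Location headers only.
    `head` is a callable(url) -> next URL or None; the caller decides how it
    performs the request (typically an HTTP HEAD with auto-redirects disabled).
    Nothing here renders or executes the final page. Returns the hop chain."""
    chain = [url]
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt or nxt in chain:            # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


def triage_sms(text, head=None):
    """Score one SMS body. Returns (score, verdict, sorted findings)."""
    findings = set()
    lower = text.lower()
    for cue in URGENCY_CUES:
        if cue in lower:
            findings.add(f"urgency:{cue}")
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")               # trailing punctuation is not part of the link
        chain = follow_redirects(url, head) if head else [url]
        for hop in chain:                       # flag the shortener *and* the destination
            findings.update(analyse_url(hop)["findings"])
    score = sum(WEIGHTS[f.split(":")[0]] for f in findings)
    verdict = "suspicious" if score >= 3 else "review" if score > 0 else "low"
    return score, verdict, sorted(findings)


# --- Constructed sample data (not real messages or links) ---------------------
FAKE_HOPS = {"https://bit.ly/3xyz": "http://usps-redelivery.example/track"}
fake_head = FAKE_HOPS.get                        # stands in for a real HEAD request

SAMPLES = [
    "USPS: your package is held. Verify address within 24 hours: https://bit.ly/3xyz",
    "Your PayPa1 account is locked. Restore access now: https://paypa1-secure.com/login",
    "Chase: your one-time code is 482913. It expires in 10 minutes.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_sms(msg, head=fake_head))
```

The first sample only becomes obviously bad after the shortener is expanded, which is the point of `follow_redirects`: the shortener alone scores low, the `usps-redelivery.example` destination over plain HTTP is what tips it. The third sample, a one-time code with no link and no pressure phrase, scores zero, which is the shape a legitimate transactional text usually has.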
Vishing, a combination of “voice” and “phishing,” is the telephone version of phishing. It uses a spoofed caller ID so the call appears to originate from a known number, or from an 800-number that a target feels compelled to answer. VoIP technology is common in vishing attacks, including consumer services such as Skype and Zoom.
Vishing attacks are on the rise because commercial and residential VoIP users are not required to supply valid caller ID data, which makes the medium ideal for fraud. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint alert warning of the growing threat of vishing attacks. The alert also stated that organized crime rings compile dossiers on employees at target companies by scraping information from public social media profiles, recruiter tools, open-source research and publicly available background check services. Using this data, attackers initiate contact with targets, often masquerading as someone trustworthy. Because the call is engineered so that the target has no time to think the situation through or verify the caller’s identity, targets usually end up revealing sensitive information.
Potential consequences of vishing attacks include eavesdropping, unauthorized access to billing or credit card information, voicemail overloading (junk voicemails), and phone number harvesting (collecting valid, answered phone numbers for further attacks).
How Does Vishing Work?
Vishing is nearly identical to other forms of phishing; only the delivery mechanism differs, in this case voice telephony.
- Bait the victim via a call: Scammers start by spoofing their caller ID so they appear to be calling from a local area code or a trusted business. Emotional appeals, sense of urgency and timing work exactly as in other forms of phishing.
- Set the hook: Attackers may use callback numbers and automated recordings as the hook. Victims take the bait, dial the callback number, listen to the recording and reveal sensitive or personal information. Large-scale operations may go so far as to employ an answering service or a call center to emulate a trusted source.
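The bait and hook above leave traces in a call record that can be checked mechanically. The following Python is an added example for this page, not code from the article or from the FBI/CISA alert. It normalises the number formats found in call logs to E.164, flags "neighbor spoofing" (a caller ID sharing the called number's area code and exchange), flags toll-free caller IDs, and compares both the caller ID and any callback number the caller supplies against an organisation's published numbers. The directory, the call records and the `examplebank` brand are constructed assumptions; the toll-free area code list is the real NANP set. Note the asymmetry the code encodes: a caller ID that matches the published number proves nothing, because caller ID is spoofable, while a mismatch is a red flag, and the only number worth dialling back is one from your own directory.

```python
import re

# NANP toll-free area codes.
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}

# Numbers the organisation publishes on its own site or on the back of the card.
# Constructed for the example; 555-01xx is a reserved fictional range.
OFFICIAL_NUMBERS = {"examplebank": {"+18005550100", "+12125550123"}}


def to_e164(number, default_country="1"):
    """Normalise the formats seen in call logs ('(212) 555-0123', '1-800-555-0100',
    '+44 20 7946 0958') to E.164 so numbers can be compared reliably."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:                         # bare NANP number
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError(f"cannot normalise {number!r}")


def npa_nxx(e164):
    """(area code, exchange) for a NANP number, else None."""
    if not (e164.startswith("+1") and len(e164) == 12):
        return None
    return e164[2:5], e164[5:8]


def triage_call(caller_id, called_number, claimed_brand=None, callback=None):
    """Flag the caller-ID tricks described above for one inbound call.
    caller_id / called_number come from the call record; claimed_brand is who the
    caller says they are; callback is the number the caller or voicemail asks you to dial."""
    caller, callee = to_e164(caller_id), to_e164(called_number)
    findings = []
    src, dst = npa_nxx(caller), npa_nxx(callee)
    if src and dst:
        if src == dst:                            # classic "neighbor spoofing"
            findings.append("neighbor-spoof:same-npa-nxx")
        elif src[0] == dst[0]:
            findings.append("local-area-code")    # weak alone, stronger with urgency
        if src[0] in TOLL_FREE:
            findings.append("toll-free-caller-id")
    if caller == callee:
        findings.append("caller-id-is-own-number")
    if claimed_brand:
        official = OFFICIAL_NUMBERS.get(claimed_brand.lower(), set())
        # A match proves nothing (caller ID is spoofable); a mismatch is a red flag.
        findings.append("caller-id-matches-official:not-proof" if caller in official
                        else "caller-id-not-official")
        if callback is not None:
            findings.append("callback-official" if to_e164(callback) in official
                            else "callback-not-official")
    return findings


def safe_callback(claimed_brand):
    """The only numbers worth dialling back: those from your own directory,
    never one supplied by the caller."""
    return sorted(OFFICIAL_NUMBERS.get(claimed_brand.lower(), set()))


# Constructed call records, not real ones.
CALLS = [
    dict(caller_id="(212) 555-0177", called_number="212-555-0142",
         claimed_brand="ExampleBank", callback="212-555-0199"),
    dict(caller_id="1-800-555-0100", called_number="+12125550142",
         claimed_brand="ExampleBank", callback="+18005550100"),
    dict(caller_id="+1 866 555 0133", called_number="+12125550142"),
]

if __name__ == "__main__":
    for rec in CALLS:
        print(rec["caller_id"], "->", triage_call(**rec))
    print("dial back on:", safe_callback("ExampleBank"))
```

The first record is the textbook vishing shape: a caller ID one digit block away from the victim's own number, claiming to be the bank, and a callback number that is not one the bank publishes. The second looks clean on every check, which is exactly why the code still labels the matching caller ID as not proof; the decision to trust it should rest on calling `safe_callback` numbers yourself, not on what the display showed.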
How You Can Stay Protected
Combating online scams is a joint responsibility of governments and citizens alike. While governments are tightening their grip on scammers (Interpol recently cracked down on almost 20,000 scammers associated with smishing and vishing), individuals and organizations must exercise caution and steer clear of smishing and vishing scams:
- Use common sense: Stop and think before taking action. Limit your online profile and do not share sensitive information such as phone numbers on public platforms.
- Trust no one: Do not click links in unexpected texts, call back numbers they supply, or download anything they offer. Do not fill out forms or provide card numbers without independently validating who is asking.
- Don’t call unknown phone numbers: Calling back confirms to the attacker that your number is live and answered. Once a scammer knows that, you can expect further rogue SMS messages and malicious voice calls.
- Ignore and flag suspicious texts and calls: Any unexpected text or call requesting an action should be treated as suspicious until proven legitimate. Remember that caller IDs can be faked, so verify by calling the organization back on a number you looked up yourself.
- Raise security awareness in your business: Using phishing simulation exercises, train your staff to recognize scams and help protect your business, employees, partners and customers from fraud.
- Report: The Federal Trade Commission makes it easy to report telephone scams, and suspicious texts can be forwarded to 7726 (SPAM) so your carrier can act on them.