Attackers Are Getting Smarter: What You Need To Know About Smishing and Vishing
Phishing attacks have been around for years, but attackers are getting smarter. They’re now using new methods like smishing and vishing to try to steal your information. In this blog post, we'll discuss what these attacks are, how they work, and what you can do to protect yourself. We'll also talk about whaling, a more sophisticated type of phishing attack that targets high-value individuals and organizations.
What is smishing?
Smishing is a type of phishing attack that uses SMS text messages to trick victims into giving up personal information or downloading malware. The attacker will usually pose as a legitimate organization like a bank or government agency and send an official-looking text message. This message will often include a sense of urgency, such as a request to update your account information by a certain deadline or a warning about suspicious activity. If you click on the link in the text message, you'll be taken to a fake website that looks identical to the real thing. Once you enter your personal information, the attacker will have access to your accounts.
What is vishing?
Vishing is another type of phishing attack, but instead of using text messages, the attacker will use Voice over IP (VoIP) technology to place a phone call. The caller will often pose as a legitimate organization and try to trick you into giving them personal information or downloading malware. They may also try to get you to transfer money to an account that they control.
What is whaling?
Whaling is a more sophisticated type of phishing attack that targets high-value individuals like C-suite executives. The attacker will send a personalized email to their target, often using information that they’ve gathered from social media or other public sources. For instance, the email might include details about the target’s job title or be engineered to look like it was sent by a friend, trusted business, or other legitimate source.
Whaling attacks may also include a sense of urgency, often alerting targets that there’s been suspicious activity on an account or that they need to update their information immediately. If the target clicks on the link in the email, they’ll be taken to a fake website that looks identical to the real thing. Once they enter their personal information, the attacker will have access to their account.
With so much information available online, whaling attacks can get very personal. Attackers may know, for instance, that you have a Chase credit card and contact you pretending that they’re with Chase Bank’s fraud department and noticed some unusual activity on your account.
When you receive unsolicited inbound contact, the safest thing to do is get a reference or case number, then contact the company via the info on the company’s own website. That way, you know you're talking to an authorized individual.
Our experience with reverse whaling
At ShardSecure, we’ve had a number of attempted whaling attacks recently. Yes, us specifically. These attacks have been a kind of reverse whaling, but over SMS. They go like this:
The attacker does research to find out information about us, including some names, phone numbers, and titles. They then target one of our employees over SMS with a message along the lines of: “Hey, this is your CEO, Bob Lam. I’m in a meeting now and about to close a deal, but I need some gift cards and don't have time to explain. Go to the nearest store, buy some gift cards, and send me the pics. The company will reimburse you later, but I need these immediately — I’m sitting with the customers now.”
Luckily, our team knows not to respond to this kind of message, but with these attacks becoming more and more common, not all organizations are so lucky. (I mentioned our reverse whaling recently on a security forum and a bunch of people said they are seeing the same thing.)
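The gift-card text described above combines several of the indicators this post keeps coming back to: an impersonated executive, urgency pressure, and a request for untraceable payment; the bank-impersonation variant adds a link to a domain the real organization does not own. The script below is an added example written for this post, not ShardSecure's code or product. It is a simple triage heuristic a security team might run over inbound SMS reports from staff, scoring each message on those indicators. The executive names, organization domains, and sample messages are all constructed for the example, and the URL extractor is deliberately basic.

```python
"""Illustrative inbound-SMS triage heuristic (added example, not the post's own code).

Scores a text message against the smishing indicators the post describes:
an impersonated executive or organization, urgency pressure, a gift-card or
money-transfer request, and a link whose domain does not belong to the
organization the message claims to be from. All names, domains and sample
messages below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed reference data a security team would maintain: its own
# executives (name -> title) and the legitimate domains of organizations
# that routinely contact staff.
EXECUTIVES: Dict[str, str] = {"bob lam": "ceo"}
KNOWN_DOMAINS: Dict[str, Set[str]] = {
    "chase": {"chase.com"},
    "example bank": {"examplebank.test"},
}

URGENCY = re.compile(
    r"\b(immediately|right now|urgent(?:ly)?|asap|deadline|no time|"
    r"don['’]?t have time|within \d+ (?:hours?|minutes?))\b", re.I)
PAYMENT = re.compile(
    r"\b(gift ?cards?|wire transfer|transfer money|bitcoin|crypto|zelle|venmo)\b", re.I)
# Basic URL / bare-domain extractor; adequate for short SMS bodies, not a full parser.
URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Indicator weights. A link that points away from the claimed organization's
# real domain is the strongest single signal.
WEIGHTS = {
    "executive_impersonation": 2,
    "urgency": 1,
    "payment_request": 2,
    "link_domain_mismatch": 3,
    "link_unverified": 1,
}


@dataclass
class Triage:
    indicators: List[str] = field(default_factory=list)
    links: List[str] = field(default_factory=list)

    def flag(self, indicator: str) -> None:
        if indicator not in self.indicators:  # count each indicator once
            self.indicators.append(indicator)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators)

    @property
    def verdict(self) -> str:
        if self.score >= 4:
            return "likely smishing"
        if self.score >= 2:
            return "suspicious"
        return "low risk"


def _host(raw: str) -> Optional[str]:
    if not raw.lower().startswith(("http://", "https://")):
        raw = "http://" + raw
    return urlparse(raw).hostname


def _owned_by(host: str, domains: Set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(message: str) -> Triage:
    """Return the smishing indicators found in one inbound SMS body."""
    text = message.lower()
    result = Triage()

    if any(name in text or f"your {title}" in text for name, title in EXECUTIVES.items()):
        result.flag("executive_impersonation")
    if URGENCY.search(message):
        result.flag("urgency")
    if PAYMENT.search(message):
        result.flag("payment_request")

    # Which known organization does the message claim to be from, if any?
    claimed = [org for org in KNOWN_DOMAINS if org in text]
    for raw in URL.findall(message):
        host = _host(raw)
        if not host:
            continue
        result.links.append(host)
        if claimed and not any(_owned_by(host, KNOWN_DOMAINS[o]) for o in claimed):
            result.flag("link_domain_mismatch")
        elif not claimed:
            result.flag("link_unverified")
    return result


# Constructed sample messages: two modelled on the attacks the post describes, two benign.
SAMPLE_MESSAGES = [
    "Hey, this is your CEO Bob Lam. I'm in a meeting and about to close a deal but I need "
    "some gift cards and don't have time to explain. Buy them and send me the pics.",
    "Chase Fraud Dept: unusual activity on your account. Verify immediately at "
    "http://chase-secure-login.xyz/verify",
    "Hi, it's Sam from the dentist confirming your appointment Tuesday at 10.",
    "Chase: Your statement is ready. View at https://www.chase.com/statements",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        t = triage(msg)
        print(f"{t.verdict:16} score={t.score} indicators={t.indicators} links={t.links}")
```

The domain check is the part worth copying: rather than asking whether a link "looks" like a bank, it asks whether the link's host is actually under a domain the claimed organization owns, which is the same check a person makes when they ignore the message and go to the company's own website instead.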
How can you protect yourself from smishing and vishing attacks?
There are a few things you can do to protect yourself from smishing and vishing attacks. First, be suspicious of any text message or phone call that asks for personal or financial information. If you're not expecting a call or message from the organization, don't respond.
Second, never click on links in text messages or emails unless you’re absolutely sure they’re legitimate. If you're unsure, you can always go to the organization’s website directly and contact them through another channel.
Finally, if you’re in a decision-making role in your organization, make sure you’re using advanced data protection measures. The right microsharding solution can protect against the impact of compromised credentials and make sensitive data unintelligible to unauthorized users. We explain how with these resources.
Keep these tips in mind, and you'll be better protected against smishing, vishing, and beyond.