Blog

What is Phishing, Smishing, and Vishing?

November 21, 2019 Invar Technologies Cybersecurity

vish

 

These words sound like comic book sound effects or another language.  They actually are three major threats to your data security. 

P.T. Barnum, the famous circus owner said “There is a sucker born every minute…”

In Barnum’s time many people sometimes fell prey to con men. This is short for confidence man, or confidence trickster. The real good ones we call con artists. These are masters of manipulation. People who are skilled in preying upon our weaknesses.  They use various tactics to gain your trust, or our confidence. Once they have gained that, then they will then take advantage. Sometimes they work in teams, or sometimes alone. They know how to talk and lure us with promises of wealth and easy money, only to make us poorer in the end.

Social engineering schemes employ the same basic premise. Instead of a con-man on the street, now they are in your computer by email, and also on your phone. They now use tricks to get information from you that can be used to gain entry into a secure system, to find weaknesses, and ultimately to steal valuable assets such as sensitive data, and of course, money. Depending on how they communicate, there are different types of deception. They can contact you by email, by voice on your phone, or by text also on your phone.  The goal is the same but the approaches differ slightly depending on the venue they use.

Phishing, or email phishing is when you receive an email that pretends to be from a friend, co-worker, or a trusted vendor. It could claim to be from your bank, credit card provider, or online shopping venue. Usually it claims some trouble with your account and offers a link for you to log in to correct the problem. Sometimes, the bait could be a free gift card offer, or an attachment of some kind. The link and the fancy email are fake and designed to get your info, or worse, sometimes infect your machine (and network) once the link is clicked. The downloaded result can be malware, spying software, or even ransomware. Never give your password or other personal info to anybody, online, or offline. Real companies will never ask you for such information. A good way to spot these phishing attempts is to first look at the email addresses and links.  Hovering over (but not clicking) the link will show its’ web address. A fake link address will be different than the supposed company they claim to be.  Opening a new tab in your browser and going to the site it claims to be from will help verify if the email info is legit.  Compare the real website address to the one in the email, check the email after the @ sign and see if it matches the real website as well. Also, since many of these emails come from outside the U.S., poor grammar or spelling is another giveaway. Always check subject line and sender email address before opening any email. If it seems off, don’t open it, delete or quarantine it.

Vishing, or voice-phishing uses the same tactic, except by phone call. The caller may claim to be with the IRS, Social Security, or a computer service company, for example. The goal is to get you to pay them for some supposed tax mistake, or to upgrade some software you never bought in the first place. They will try to instill urgency and fear by saying you are in danger of being sued, or arrested. They may say if you do not pay for an upgrade your computer will crash from a virus. The goal is to get you to give them a credit card number or to send them an untraceable payment like cryptocurrency or serial numbers from a payment card they instruct you to buy. These calls, like the phishing emails, usually come from overseas, so the caller may have a foreign accent and poor English. Just because your caller ID shows a domestic call it does not make it true. These callers may use spoofing to make calls look like they are coming from Washington DC (area code 202) or may use your local area code to make you feel comfortable and answer the call. Also, the IRS, Social Security, and most organizations claiming that you owe them money always do everything in writing and will always mail you a claim rather than call.  On YouTube there are many recordings of people receiving these calls. Search for ‘IRS Phone Scam’ for example. You will hear the actual conversation and hear the tactics used.

cell

Smishing, or SMS phishing is another way to do the same scam. Using SMS, or texting, as we call it, they will send a text message asking you to call them, or a link for you to go to. It may look like a promotion from a company or website you are familiar with. It may promise free gift cards, or some other valuable item to get you to click the link. Another trick is social baiting. It may say someone looked at your profile and here is their picture, offering a dangerous link as well.  Once again using our human nature against us by luring us with money and curiosity. Again, the same rules apply as before in detecting these frauds. Avoid clicking text links on your phone, as this can open a program to gain your information, such as your contact list and email address book. Malware released on your phone can also send any payment info or passwords that are retained in your internet browser. A good habit is not to save such info on your phone and routinely delete your browser history. This is a good habit for your computer as well.

In all these cases using filtering and blocking the calling numbers can help these attempts from even getting to your phone or inbox or text box. Caller ID and blocking can be used to warn you and stop such calls.  Instituting a company-wide security awareness training program will help everyone recognize and avoid these threats at work and at home.

 

Joe Griffo

Cybersecurity & Technology Consultant

INVAR Technologies Inc

646-766-0713

joe@invar.nyc

 

 

 

 

Recent Posts