Some of the most dangerous cyber attacks don’t exploit the weaknesses in information technology systems. Instead, they target the people who use them. Such attacks fall under the social engineering umbrella, and they include a growing range of techniques that are collectively responsible for 98 percent of all attacks.
In this article, we’ll describe three social engineering techniques that have been causing a lot of damage to organizations of all sizes in recent years: phishing, smishing, and vishing attacks. When you understand the differences between them, you’ll be able to protect yourself against them much more effectively.
All You Need to Know: Phishing, Smishing, and Vishing Attacks
What Is a Phishing Attack?
When attackers perform phishing attacks, they send malicious email messages whose purpose is to trick their victims into disclosing some sensitive information (passwords, social security numbers, credit card details) or performing some action that's against their best interest (downloading an infected file or visiting a fake website).
Phishing attacks have become so common that many dictionaries now contain phish definitions. According to the latest annual State of Phishing report from SlashNext, the number of detected phishing attacks reached 255 million in 2022, a 61 percent increase compared to 2021.
The dramatic increase in detected phishing attacks is attributed largely to the proliferation of the hybrid work model, and the fact that employees who practice it rely more on written electronic communication than those who work exclusively from the office.
How to Defend Against Phishing Attacks?
To effectively fend off phishing attacks, organizations should educate their employees about telltale signs of phishing attacks, such as:
- Misspelled sender's email address
- URLs pointing to suspicious locations
- Grammatical or typographic errors
- Suspicious email attachments
- Urgent requests for personal information
In addition to raising awareness about phishing, organizations should implement appropriate software solutions to prevent phishing emails from reaching employees’ inboxes in the first place. Solutions like Microsoft Defender for Office 365 and Microsoft Exchange Online Protection (EOP) can stop phishers dead in their tracks, and their implementation is straightforward.
What Is a Smishing Attack?
We like to use the following smishing definition because it does a good job of explaining what it is and how it differs from phishing:
The term smishing is a combination of the words SMS (short message service) and phishing, and it involves sending text messages that contain malicious links to individuals in an attempt to trick the recipient into giving sensitive information or downloading malware onto their device.
Smishing is an effective social engineering technique because many employees are not trained to expect it. As a result, they see text messages as inherently more trustworthy than emails, especially those that are personalized.
How to Defend Against Smishing Attacks?
Just like with email phishing, protection from smishing should focus heavily on employees' ability to identify smishing messages. For example, employees should know that financial institutions never ask for PIN codes, passwords, or one-time login codes in text messages.
They should also be encouraged to verify suspicious information by calling the sender directly via an official phone helpline or publicly available phone number (not the phone number from which the text message was sent).
Some text messaging apps, such as Messages by Google, use machine learning models to proactively detect text message phishing and other scams, and such apps can act as a powerful first layer of defense.
What Is a Vishing Attack?
Vishing, also known as voice phishing, is a type of social engineering attack in which attackers use phone calls or voice messages to trick people into disclosing sensitive information or performing some action that helps them achieve their nefarious goals.
Definitions of vishing typically point out that vishing attacks often involve a sense of urgency. A visher may pretend to be a bank employee trying to fix a serious account security issue, or they may pose as a member of a tech support team from a company like Microsoft, calling to provide remote support in order to patch a recently discovered vulnerability.
By creating a sense of urgency, vishers force their victims to make rushed, regrettable decisions, whose full consequences often become apparent only after a long time has passed.
How to Defend Against Vishing Attacks?
There are several steps you can take to defend against vishing attacks:
- Teach employees to be cautious when receiving unsolicited phone calls or voice messages and never divulge sensitive information without first verifying the identity of the caller.
- Use caller ID and spam blocking software to identify malicious callers and auto-dialer systems to block them automatically before the phone even rings.
- Conduct regular vishing exercises in addition to phishing and smishing exercises to evaluate your employees' ability to tell apart legitimate phone calls from those that are malicious.
TechGen Can Help You Stop Phishing, Smishing, and Vishing Attacks
We at TechGen can help your organization stop phishing, smishing, and vishing attacks by implementing technical controls, such as spam filters and multi-factor authentication, conducting regular employee training sessions, and periodically assessing your cybersecurity posture to recommend suitable remediation measures, among other things.
Contact us today to learn more about our cybersecurity services.