Smishing, Vishing & Phishing attacks are an ongoing threat to individuals and businesses in Cairns and Townsville. But before we dive into how to avoid Smishing, Vishing & Phishing attacks, let’s define all these terms.
What is Phishing?
Phishing is when attackers send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials or other sensitive data.
What is Vishing?
According to a global 2020 survey, 53% of employees do not know what vishing is. Vishing or ‘voice phishing’ is an attack done via phone calls. Scammers will create fake caller IDs to contact their victims and impersonate official bodies to obtain personal and financial information.
What is Smishing?
Smishing or ‘SMS phishing’ is an attack that uses SMS to scam victims. Similar to email scams, smishing attacks contain a threat or an urgent message with a link to force you into handing over sensitive, often personal, information. They could also be installation links for malware.
How to Identify Common Features of Phishing/Smishing/Vishing
Too Good to Be True Offer or a Claim of Upcoming Legal Trouble
Eye-catching or attention-grabbing statements are designed to attract people’s attention immediately.
Invoice or Order Confirmation or Customer Support
Confirmation smishing involves a false confirmation of a recent purchase or billing invoice for a service. Customer support smishing attackers pose as a trusted company’s support representative to help you resolve an issue. High-use tech and e-commerce companies like Apple, Google, and Amazon are effective disguises for attackers under this pretext. Typically, an attacker will claim there is an error with your account and give you steps to resolve it.
Sense of Urgency
A favourite tactic amongst cybercriminals is to ask you to act fast. Some of them will even tell you that you have only a few minutes to respond. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organisations give ample time before they terminate an account, and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
Unusual or Suspect Hyperlinks
A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different, or it could be a popular website with a misspelling.
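An added example (not code from the original article) of what “hovering to see the real URL” looks like when automated: it parses the links in a constructed HTML email, flags anchors whose visible text names a different site than the href actually points to, and flags destination domains that are a one- or two-character misspelling of a brand. The brand list, the sample message and the edit-distance threshold are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed brand list for the lookalike check (an assumption, not from the article).
KNOWN_BRANDS = ("amazon.com", "google.com", "apple.com")
def registrable_domain(host):
    # Crude "brand.tld" reduction: keep the last two labels of the hostname.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def edit_distance(a, b):
    # Levenshtein distance; one or two edits away from a brand is a typosquat candidate.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def check_links(html):
    # Flags text/href mismatches (what hovering reveals) and near-miss brand domains.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", text)
        if shown and registrable_domain(shown.group(1)) != dom:
            findings.append(("text/href mismatch", href, text))
        if dom not in KNOWN_BRANDS:
            findings += [("lookalike domain", href, b) for b in KNOWN_BRANDS
                         if edit_distance(dom, b) <= 2]
    return findings
# Constructed sample message, not a real phishing mail.
SAMPLE_EMAIL = """<a href="http://amaz0n-support.net/verify">https://www.amazon.com/orders</a>
<a href="https://secure.gooogle.com/login">Sign in</a>
<a href="https://www.apple.com/support">Apple Support</a>"""
```

Running `check_links(SAMPLE_EMAIL)` reports the first link as a text/href mismatch and the second as a lookalike of google.com, while the genuine Apple link produces no finding.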
Attachment in an Email You Weren’t Expecting or That Doesn’t Make Sense
Attachments often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
Unusual or Unexpected Sender
Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious, it could be a scam.
Look for Bad Grammar
Fraudsters usually do not use proper English. There are often grammatical errors or spelling mistakes. Also, take a good look at the overall format of the email. You will find the email/text does not sound professional, or the colour shades of the emails will be slightly different from their authentic counterparts.
Here are 5 Ways to Avoid Smishing, Vishing & Phishing Attacks:
Whilst some businesses take proper security measures against phishing attacks, they often overlook the risks of smishing and vishing. However, smishing and vishing attacks are very common cyber threats. And employees are the first line of defence against these attacks.
1. Awareness and Employee Training
The first step to fighting any cybercrime is to be aware of it and know how to detect the signs. Conduct mandatory security awareness training based on real-world examples on an annual basis. Employees should be trained to identify phishing emails and what to do if they get one. If employees receive spam or phishing emails/calls/text messages, the best thing to do is not open them and delete them immediately. Use simulations to understand the extent of employee awareness regarding cyber fraud and customise your training.
2. Create Business Policies within your Organization to Help Prevent Smishing/Vishing
Having set policies will make protecting your organization against cyber-attacks part of company culture. Businesses should create policies governing how to verify caller identities and what kind of information can be revealed, when, and by whom. Employees should know who to bring unusual requests to within the organization.
3. Implement Strong Authentication
Have the identity of every device and user verified in advance. No matter how much education employees receive about vishing/smishing, some attacks will make it through. Assume that security lapses are inevitable; strong authentication then provides another layer of protection. Multi-factor authentication (MFA) can render an exposed password useless to a smishing attacker if the account being breached requires a second “key” for verification.
4. Do Not Respond to Messages from Unusual or Unexpected Senders
Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage. It’s generally not advisable to click on a link in an email or instant message, even if you know the sender. The bare minimum you should be doing is hovering over the link to see if the destination is the correct one. Some phishing attacks are sophisticated, and the destination URL can look like a carbon copy of the genuine site, set up to record keystrokes or steal login/credit card information. If it’s possible for you to go straight to the site through your search engine, rather than click on the link, then you should do so.
5. Do Not Give Out Sensitive Information to Incoming Calls/Texts
Never give out sensitive data like bank details, passwords and credit card details over phone calls or messages unless the recipients are people you’re familiar with. Government organisations and legitimate companies will never ask you to hand over these details over the phone. Before making an instant decision and taking the bait, tell them you’ll call back. Hang up the phone, insert the number into a public records directory like Keyway Searches, and search for the phone information to make sure the phone number is legit.
Conclusion
No matter where you live in Australia, whether it be Cairns, Townsville, Mount Isa or beyond, your company could be at risk of Smishing, Vishing & Phishing attacks. But an experienced cybersecurity services company can help you design and budget for a comprehensive security strategy, and even provide ongoing management to make sure you’re protected. Talk to the team at Future IT Services today to find out more!