As if phishing were not enough, we need to be more alert than ever as new variants arrive: vishing and smishing. Cybercriminals will try to trick us over the phone, either by voice or by text message.

It is worth remembering that phishing is a form of cybercrime, usually carried out by email, in which someone impersonates a trusted organisation or company, such as a bank or the tax office. With an increasingly convincing appearance, they try to trick us into providing confidential data, such as personal identification information, bank and credit card details and passwords.

With this information, criminals try to access other accounts, stealing our identity or even our money.

Well, these same phishing tactics are being used for two other forms of crime: vishing and smishing.

How social engineering is used to fool you

All these scams rely on social engineering to trick victims. With these techniques, criminals manage to manipulate, influence or trick people to get what they want: data, passwords, control of the computer… The hacker can use telephone, email, post or direct contact to gain illegal access. Phishing is a good example.

Hackers use a variety of social engineering techniques. Sometimes they send a security alert message requiring the person’s immediate intervention. Other times they try to acquire sensitive information, such as usernames, passwords and credit card details, by impersonating a trusted entity by email.

In many cases, criminals use some kind of bait: a message with an attachment that says “Letter of dismissal” or a promotional discount if you buy from a certain company. They may also try to redirect you to a legitimate-looking website that resembles one you are used to accessing, but which is fraudulent.

I will help you if you give me information

One of the latest techniques, and one that has a lot to do with new types of scam such as vishing, is impersonating a technical service. They will offer us their help in exchange for us providing them with certain information.

In this case, these people phone (on a landline or a mobile), either from a company or a house, to assure you that there is a problem with your computer systems or your gas installation, but that they can help. If, in addition, they ask you to turn off your antivirus first, then it is more than obvious that the call is a trap.

How vishing works

The word “vishing” comes from the combination of “voice” and “phishing”. In other words, it is a phishing technique in which voice is used instead of email. The objective is always the same: to trick the other person into revealing personal, sensitive or confidential information.

Attackers impersonate a person or a well-known company. Using different techniques, they try to frighten the person on the other end of the phone and emotionally manipulate them into giving up the information the attackers are looking for. Often they even ask for a money transfer to be made in order to fix the problem that the user supposedly has.

In addition, vishers create fake caller ID profiles to make the number they are calling from look legitimate. This gives them extra credibility with the victim.

If they do not reach the victim at that moment, they are likely to leave a message in the victim’s voicemail to try to get the victim to call back. Otherwise, they will call again at another time.

When the scam comes in an SMS

In addition to voice, attackers are also using phones for other versions of phishing. In this case, making use of SMS, the criminals again use all kinds of social engineering techniques to make us believe that they are someone respectable. This is smishing.

The origin of this word, again, is the combination of “SMS” and “phishing”, as SMS text messages are used here. Attackers also frequently use some of the popular instant messaging applications to try to trick us.

Again, attackers will impersonate another person or an entity (public or private) that users trust. They will try to trick us, using some of the techniques seen above, into providing personal information, making a payment, clicking on a malicious link or downloading an attachment.

According to INCIBE, these attacks are so successful because we do not expect them. We are perhaps more alert to phishing and can detect it earlier, but we may not expect to receive a scam via SMS, especially now that few people and companies still use this communication system.

Doubt is always a good thing

We are now familiar with two variants of phishing: vishing and smishing. As we can see, no one is safe from being affected by one of its many variants. As well as always being vigilant, we should be wary of communications that actively ask us to do something, such as giving out confidential data, downloading a file or clicking on a link.

Ignoring and deleting these messages, or hanging up directly if a call seems suspicious, are some of the best measures you can take to avoid falling victim to vishing and smishing.

Source: Ideas para tu empresa – Vodafone