Vishing, Phishing, Smishing – What You Need to Know

By Dan Smith
Director of Engineering Services

It might be tough to keep track of all the different terms for cyber scams these days. First, “phishing” was the term for email scams impersonating companies and other entities in attempts to gain personal information. Now, terms like vishing, smishing, pharming and even quishing are being thrown around. Here’s an overview of what they all mean.

VISHING VS. PHISHING

Vishing is a lot like phishing, just delivered over a different channel.

Phishing
involves scammers impersonating a business, a colleague, or even your boss over email in an attempt to trick you into handing over personal information or credentials. Vishing (voice phishing) is the same con run over the phone: attackers use fraudulent calls to extract the same information.

Smishing
(SMS phishing) is slightly different in that the lure arrives as a text or a message in a chat app, sent from a spoofed or throwaway number so the scammer's real phone number stays hidden.

Quishing
(QR-code phishing) is another variation: victims are tricked into scanning a QR code that sends their phone to a malicious website. Because the URL is hidden inside the code, the victim cannot read it before scanning, and once on the site they may be served malware or have their credentials and personal information harvested.
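The one defence a user has against a smishing or quishing link is to read the URL before acting on it. The Python below is an added example, not code from the original article: it applies the checks a security team would automate for links reported by staff, including plain http, a raw IP address in place of a domain name, credentials placed in front of the host, punycode labels, and a trusted brand name appearing anywhere other than that brand's real registrable domain. The brand allowlist and the sample links are constructed for illustration, and the registrable-domain logic is a deliberate simplification of the Public Suffix List.

```python
"""Triage a URL carried by a text message or QR code before anyone taps it.
Added example; the brands, domains and links below are constructed."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains that really belong to it.
TRUSTED_DOMAINS: dict[str, set[str]] = {
    "examplebank": {"examplebank.com"},
    "parcelco": {"parcelco.com", "parcelco.co.uk"},
}

# Simplification of the Public Suffix List: a two-letter country code preceded
# by one of these labels (co.uk, com.au, ...) is treated as a single suffix.
_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname, e.g.
    'login.examplebank.com' -> 'examplebank.com'. Production code should use
    the real Public Suffix List instead of this approximation."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_link(url: str) -> list[str]:
    """Return the reasons a link looks suspicious. An empty list means none of
    these checks fired, which is not proof that the link is safe."""
    findings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme == "http":
        findings.append("plain http, no TLS")
    elif parts.scheme != "https":
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        findings.append("no hostname in URL")
        return findings
    # 'https://examplebank.com@evil.example/' shows the brand first but lands on evil.example
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before the host hides the real destination")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings  # no domain name to compare against the brand list
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph lookalike)")
    reg = registrable_domain(host)
    for brand, legit in TRUSTED_DOMAINS.items():
        if brand in host and reg not in legit:
            findings.append(f"mentions {brand!r} but registrable domain is {reg}")
    return findings


if __name__ == "__main__":
    # Constructed links exercising each check.
    for link in ("https://www.examplebank.com/login",
                 "https://examplebank.com.verify-account.example/",
                 "http://192.0.2.10/parcelco",
                 "https://examplebank.com@login.example/"):
        print(link, "->", triage_link(link) or ["no findings"])
```

The brand check is the one that catches the most common lure, a real brand name buried in a subdomain of a throwaway domain; the other checks cover the tricks that make a link look right at a glance on a small phone screen.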

Pharming
is when cyber criminals stand up a fake copy of a legitimate business's website and then redirect that business's customers to it, typically by tampering with name resolution (poisoning DNS or editing the victim's local hosts file) so that typing the correct address still lands on the fake site. Because the victim typed the right URL, they plug in their passwords and other sensitive information without suspicion, and the attackers can then steal money, deliver malware and create all sorts of other havoc.
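One concrete pharming mechanism is a planted entry in the victim's hosts file, which the operating system consults before it asks DNS. The Python below is an added example, not code from the original article: it parses hosts-file text and flags any entry for a domain on a watch list, since a workstation has no legitimate reason to pin a bank's domain to a fixed address. The watched domains, the addresses and the sample file are constructed. It covers only local tampering; poisoning of an upstream DNS resolver would have to be detected by comparing the resolver's answers with a trusted source.

```python
"""Flag hosts-file entries that pin a watched domain to a fixed address, the
local form of pharming. Added example; domains, addresses and the sample file
are constructed, not taken from any real system."""
from __future__ import annotations

import ipaddress
import os

# Constructed watch list: domains an attacker would redirect to harvest logins.
WATCHED_DOMAINS = {"examplebank.com", "www.examplebank.com", "login.examplebank.com"}

# Constructed sample hosts file; line 5 is what a planted redirect looks like.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.1       intranet.corp.example
203.0.113.77    www.examplebank.com examplebank.com   # planted by malware
0.0.0.0         ads.tracker.example
"""


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for every name on every active
    line. Everything after '#' is a comment and a line may list several names."""
    entries: list[tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append((lineno, address, name.lower().rstrip(".")))
    return entries


def find_pharming_overrides(text: str, watched: set[str] = WATCHED_DOMAINS) -> list[str]:
    """Return one finding per watched domain that the hosts file resolves itself,
    bypassing DNS. Loopback/unspecified targets are reported as blocks rather
    than redirects so the analyst can tell the two apart."""
    findings: list[str] = []
    for lineno, address, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(f"line {lineno}: {name} has unparseable address {address!r}")
            continue
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append(f"line {lineno}: {name} {kind} to {address}")
    return findings


def hosts_file_path() -> str:
    """Location of the live hosts file on the current operating system."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    print("sample file:", find_pharming_overrides(SAMPLE_HOSTS))
    with open(hosts_file_path(), encoding="utf-8", errors="replace") as fh:
        print("this machine:", find_pharming_overrides(fh.read()) or ["clean"])
```

Run as a script it reports on the sample text and then on the machine's own hosts file; in an endpoint-monitoring setup the same function would run against the file periodically and on every modification event.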

COMMON TRAITS OF VISHING ATTACKS

Vishing scams often come in the form of automated “shotgun attacks”: robocalls that go after a large number of phone numbers in the hope that a few will bite. The recording typically prompts the victim to call back. Whoever answers that call then applies pressure, warning of fines, criminal charges or loss of an account unless the victim follows instructions on the spot.

Wardialing and Caller ID Spoofing
In a vishing context, “wardialing” means automatically dialing every number in a target area code and playing a recorded message that invokes the names of local banks, businesses, police departments and other familiar entities to seem legitimate. Attackers also use VoIP services to present a calling number in the victim's own area code (so-called neighbor spoofing), another cue that the call is local and therefore real.

Caller ID spoofing is another method of manufacturing legitimacy: the scammer sets the displayed name or number to something like “Unknown” or “Tax Department”, or to a real organization's switchboard number, to throw off suspicion. Caller ID is asserted by the caller's own equipment and is not authenticated end to end, so a displayed name or number is never proof of who is calling; if the call matters, hang up and call back on a number taken from the organization's website or the back of your card.

AI Voice Impersonation
AI can now clone a realistic voice from a short sample of recorded speech, and scammers play the synthetic audio over the phone, sometimes imitating a specific colleague or family member. This makes their schemes even more believable, since a listener cannot reliably tell the difference between a real person and an AI-generated voice. A familiar voice on its own is therefore not verification; for any request involving money or credentials, confirm through a separate channel such as a callback to a known number.

HOW TO AVOID FALLING VICTIM TO VISHING SCAMS

The biggest liability you'll face when dealing with vishing, phishing and other scams is people. This is true across cybersecurity: human error poses a huge risk. Since attackers rely on the assumption that you or your staff don't know what to look for, it's crucial to set up effective training.

Vishing Training
Staff training on how to spot these scams should happen at least yearly, with digestible, interactive modules your staff can actually follow. Many outsourced IT services will implement these for you and can report how successful the training was with metrics such as the percentage of staff who participated.
