Email may be the most common vector used in phishing attacks, but there has been a marked rise in other forms of phishing in 2022, such as voice phishing (vishing) and SMS phishing (smishing).
Vishing
Voice phishing or vishing attacks are conducted over the telephone and use social engineering techniques similar to those of email phishing. The scammer impersonates a trusted individual or company and uses either a threat or a potential reward to trick the victim into disclosing sensitive information, downloading a malicious file, or opening a remote desktop session with the scammer. These scams often involve caller ID spoofing to make it appear that the call is being made from a legitimate number, such as that of a hospital, business, or government department.
Oftentimes, the scammer has information about the victim that makes the call seem official or suggests there has been previous contact. This information is obtained from past data breaches or collected from public sources such as social media profiles. Vishing is commonly used in tech support scams, in which the threat actor makes an unsolicited call, claims to work at a cybersecurity company or a broadband provider, and requires the victim either to pay to have a fictitious malware infection resolved or to download fake software to fix the issue.
Vishing attacks are also conducted impersonating the IRS, advising the victim that they are owed a rebate or have outstanding tax, or threatening legal action, with the aim of obtaining sensitive information. Banks are often impersonated, with the victim persuaded to confirm their identity by disclosing their bank details or credit card number. The caller is usually coercive, and the issue at hand supposedly requires urgent action to correct.
Several campaigns have been conducted on healthcare targets in the US. In one campaign, senior executives at a hospital were targeted, with the caller claiming to be a representative of Medicare. The caller requested a Social Security number for verification of identity. Patients of Spectrum Health and Priority Health were targeted, with the scammers spoofing the caller ID to make the calls appear to have been made using the genuine hospital phone number, with victims pressured into providing sensitive personal and health information to the scammers.
Smishing
A smishing attack is a phishing attack conducted via SMS messages. These attacks are becoming increasingly common and are used to obtain sensitive information such as credit card numbers or login credentials. They often trick the recipient into downloading malicious code to their mobile devices. These attacks take advantage of the relative unfamiliarity of this form of phishing and of the small screen size of mobile phones, which do not display the full URL of a website and so make it easier for scammers to hide their malicious URLs. Mobile phones are also much less likely to have antivirus software installed than desktop computers and laptops, which makes it easier for malicious code to be downloaded undetected.
Smishing attacks often involve messages purporting to be from a bank that request financial information, or are used to distribute banking Trojans that spoof the login page of a financial institution to steal banking credentials. The IRS recently issued a warning about an exponential rise in smishing attacks impersonating the IRS in 2022. These scams use a variety of lures such as warnings about unpaid tax bills, law enforcement action, and tax rebates. The IRS warned that smishing attacks are being conducted on an industrial scale, with hundreds of thousands of smishing messages delivered in hours or a few days.
How to Defend Against Vishing and Smishing Attacks
The problem for businesses is that few cybersecurity solutions can identify and block vishing and smishing attacks. The key to defending against these attacks is education. Businesses should provide security awareness training to the workforce to teach cybersecurity best practices and to raise awareness of cyber threats. Email phishing is usually extensively covered in training courses, but it is also important to ensure that vishing and smishing attacks are covered.
This is an area where TitanHQ can help. TitanHQ offers businesses the SafeTitan security awareness training platform – a comprehensive security awareness training platform with gamified, interactive, and enjoyable security awareness training content covering all aspects of security, including phishing, vishing, smishing, and other social engineering methods. The training modules are short, allowing them to be easily fitted into busy workflows, and the training content has been proven to reduce susceptibility to all forms of phishing attacks. SafeTitan also includes a phishing simulation platform to allow businesses to test the effectiveness of their training.
For more information on how you can improve your human defenses against phishing and other cyberattacks, contact the TitanHQ team today.