Smishing, Vishing, and Phishing – Don’t Become a Victim
Since the start of the pandemic, the U.S. has seen a 300% increase in cybercrimes. The FBI’s Internet Crime Complaint Center (IC3) has reported a significant increase, with cybersecurity complaints going up from 1,000 complaints to over 3,000 – 4,000 complaints each day.
How are tech-savvy cybercriminals gaining access to your personal data and how can you protect yourself? Here’s what you need to know.
Phishing is a cyber-attack that uses emails disguised as coming from a trusted entity such as a bank, an online retailer like Amazon, or any other company with which you may have done business. It is one of the oldest forms of cybercrime, dating back to the 1990s. It remains one of the most widespread methods of stealing your personal data, Social Security number, banking data, and more.
Here are some of the most common techniques used in phishing.
A Sender’s Address That Doesn’t Look Right
The first thing you should always do when you get an email asking you to go to a site or send information is to check the sender’s email address. The email itself may look legitimate, but when you click on the sender’s name, the address behind it looks off.
For example, you may receive an email from Amazon, but when you click on the sender’s email, it isn’t from amazon.com; it is from an address like firstname.lastname@example.org. Tricky, but a dead giveaway.
If the sender’s email doesn’t seem right, do not reply or click on any links. Delete it.
One of the easiest tell-tale signs of a phishing email is when the salutation is generic and not specific to you. A greeting like “Dear Customer” should be viewed with caution. Sometimes a phisher will use a first initial and last name or copy your email into the field. Most legitimate companies will use a full name or the name on your account in addressing official correspondence.
In that same vein, a generic signature is suspicious as well. Sign-offs like “Accounts Receivable” or “Payments Department” without a name and contact information are examples.
If you receive an email without this information, use the company’s main number from a Google search to call and ask to speak with a representative about any issues outlined in the correspondence.
Many companies use URL shortening tools like Ow.ly and Bit.ly to make links easier to copy and paste into browsers. On platforms like Twitter, where character limits matter, shortened URLs are essential.
Hackers will disguise their rogue URLs by using these shorteners to hide their country of origin and illegitimate company names.
What to do: Avoid clicking on a shortened URL if you aren’t sure the sender is legitimate.
Fake File Attachments
Attachments like PDFs or Word documents in phishing attacks can be as harmless as an image like a sales promotion or more sinister like a fake login page to your Amazon account. Suppose you’ve determined the sender’s email address looks legitimate, and the link does too. In that case, it is still better to type in the main URL of the company and look for the same information on the site rather than click on the attachment unless you are confident of the source.
For example, if you have been corresponding with someone at a company and are sent an email by this person with an attachment, you will probably be safe in opening it. If, however, you receive an unsolicited email with an attachment, you are wise to follow the steps outlined above and not open the file.
Subject Lines That Raise Alarms
Many phishers will play on your emotions to get you to download attachments, fill out forms, or call a phone number to provide personal information. Creating a sense of urgency or fear will sometimes help to override your common sense.
An example of this would be to tell you an account is overdue or that your password is about to expire and must be updated immediately. In fact, “Account Closure” and “Expired Password” are the two most common subject lines designed to get you to act without thinking.
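The warning signs described above can also be checked automatically. The following Python sketch is an added example, not part of the original article; the brand-to-domain map, the greeting patterns, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookup tables for this sketch; extend them for real use.
BRAND_DOMAINS = {"amazon": "amazon.com"}
SHORTENERS = {"bit.ly", "ow.ly"}
URGENT_SUBJECTS = ("account closure", "expired password")
GREETING = re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M)
SIGNOFF = re.compile(r"^\s*(accounts receivable|payments department)\s*$", re.I | re.M)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Amazon Support" <billing@amazon-accounts.example>
Subject: Expired Password

Dear Customer,
Your password is about to expire. Update it now: https://bit.ly/EXAMPLE

Payments Department
"""

def phishing_indicators(raw):
    """Return the article's warning signs found in a plain-text email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # single-part text message assumed
    found = []
    # Display name claims a brand, but the address is not on that brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        on_brand = domain == legit or domain.endswith("." + legit)
        if brand in display.lower() and not on_brand:
            found.append("sender-domain-mismatch")
    if any(s in msg.get("Subject", "").lower() for s in URGENT_SUBJECTS):
        found.append("urgent-subject")
    if GREETING.search(body):
        found.append("generic-greeting")
    if SIGNOFF.search(body):
        found.append("generic-signature")
    # Compare the parsed hostname, not a substring of the whole URL.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if hosts & SHORTENERS:
        found.append("shortened-url")
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

An empty result only means none of these five signs were found; it does not prove the message is safe.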
Vishing comes from combining the terms “voice” and “phishing.” Rather than using email or fake websites like phishers, vishers use internet phone services (VoIP).
We’ve all seen vishers in action. They use fake Caller IDs to appear legitimate while stealing your personal information, identity, and money. Have you ever received a voicemail message or recorded message that says something like, “Your account has been compromised. Please call this number to reset your password immediately”?
You may be anxious to make that call and get your account quickly squared away. Do some research first. Go online and find the company’s customer service number and use that instead of the number on the message. If a recorded message asks you to wait to speak with a representative, don’t do it. Hang up and call the Googled number instead. Taking this extra step up front may save you a lot of pain down the road.
Other examples of vishing calls are the ubiquitous car warranty scams, charitable requests for urgent causes, “don’t wait” investment opportunities, and unsolicited offers for loans or credit cards. Also, be aware of anyone calling and saying that they represent your credit card company or bank. It is better to get the person’s name and tell them that you will call back the main number and ask to speak with them. If the caller hems and haws, you should stick to your guns.
You can add your mobile or home number to the national Do Not Call registry to stop unwanted calls. Visit the FTC website at https://www.donotcall.gov/register/reg.aspx or call 1-888-382-1222. You can also report a suspicious number at www.ftc.gov/complaint or call 1-877-FTC-HELP.
Smishing is phishing but by text message. It can be a more pernicious form of cyber attack as people tend to be more trusting of a text message, and the quickness innate in this form of communication often means less diligence. Research shows that while many people are aware of the importance of not clicking on attachments in emails, they tend to overlook the threat in text messages.
One of the more common cyber attacks unique to smishing is the threat of surcharges. For example, you could receive a text that says that if you don’t click a link and enter your personal information, you could be charged a daily fee on your data plan. You could also receive a similar text stating you will be charged for the use of a service. If you haven’t signed up for the service, ignore the message. If you have an issue with a data charge, call your cell phone service provider.
In general, it is best not to reply to a text message from someone you don’t know. If the text comes from a phone number that doesn’t look like a phone number, such as 12345, this is a sign that the text is actually an email being sent to your phone.
Installing a security app on your cell phone is also a smart idea. Should you accidentally click on an infected file sent by a smisher or even a friend, your data is protected. Nearly all text messages will not be smishing attacks, but it only takes one to compromise your security. Staying alert and using a modicum of caution can help make sure you don’t become a victim of identity theft or stolen funds.