Cyber Security: Vishing, smishing and phishing

“Hello, I’m calling from Microsoft Windows tech support.”

Social Engineering 

Fraudsters are adopting increasingly sophisticated techniques to manipulate users into divulging private information.

Vishing, smishing and phishing are all types of social engineering scams with the intent of gaining personal details enabling cyberthieves to gain access to information or an account.

In this article, we’ll focus mainly on vishing, a particularly devious cybercrime where scammers contact a potential – and often vulnerable – victim via a phone call and pretend to be a company in an effort to steal personal information such as account numbers, login credentials and passwords.

Have you ever received a call a la “Hello, this is HMRC”? Or perhaps “Hello, I’m calling from Microsoft Windows tech support”?

Smishing

The word vishing is a portmanteau of ‘voice phishing’. Vishing isn’t always carried out with just phone calls, it’s common for scams to start via smishing – a portmanteau of ‘SMS’ (short message service, better known as texting) and ‘phishing’.

A call is not always made right away. Fraudsters often combine different ‘baiting’ techniques to gain trust or to instigate curiosity, fear and/or panic. 

You may have disregarded a text message urging you to contact your bank, HMRC or another organisation only to be chased up two days later with a phone call confirming the details in the previous message.

When cybercriminals ‘phish’, they send fraudulent emails that seek to trick the recipient into clicking on a malicious link. Smishing simply uses text messages or a data-based mobile messaging app instead of email to fool victims into clicking on malware (malicious software) or a link to a fraud website. 

Have you ever received a text with the option to reply with STOP if you no longer want to receive messages? This is a common tactic to get confirmation that a number is being used by someone and is therefore a potential target. 

Smishing and vishing are often confused because they are frequently combined. The goals are the same – to steal someone’s identity, information or money – but there are differences in the techniques used in each.

Persuasive language

In any case, phishing, smishing and vishing are all reliant on convincing a victim that they are doing the right thing by responding to an email, a message or a phone call purporting to be from a trusted, legitimate source.

Cyberthieves can spoof a caller ID to make a call appear to be from a trusted source, such as a bank. Or a fake alert may arrive by text message asking you to call a number to resolve an issue.

Typically, a bogus caller will claim to represent the police or a financial institution and use persuasive language. They often use threats to make victims feel like they have no other option but to provide confidential information.

Red flags

– Alert from a financial institution

– Offers investments and other financial solutions

– Billing by a technical support service

– Tax rebates/overpayment

– Sense of urgency

Payment or face imminent arrest

Scammers typically call to say that your bank account has been compromised and offer to help you install software which is actually malware.

In other cases, the fraudster will frame their conversation as helping the victim to avoid criminal charges. 

Another common tactic is to leave a threatening voicemail telling the victim to call back immediately or risk being arrested, have bank accounts shut down, their Universal Credit stopped or worse. 

Whether it’s a pre-recorded message or a person, you’ll be told there’s an issue with your account or a payment that you’ve made. You may be asked for your login details to fix the ‘problem’. You might be asked to make a new payment or face imminent arrest.

Another feature of automated message vishing is being asked to press buttons or respond to prompts. The message might say “Press 2 to be removed from our data base” or it may ask you to say “yes” to speak to an advisor. 

Robocalls

Scammers often use these tactics to identify potential targets for more robocalls. They may also record your voice and use it with voice-automated phone menus tied to your bank or credit card accounts.

A robocall, by the way, is a phone call that uses auto-dialling software to deliver a pre-recorded message to thousands of people each day.

In other cases, cyberthieves will call with offers that are too good to be true: small investments with a high return promise, pay off your debts in one fell swoop et cetera. Typically, you’ll have to “act now” and you’ll need to pay a small fee. There’s always a breathless sense of urgency.

Often, the bogus caller may ask you to confirm your name, address, date of birth, National Insurance number, bank account details or other identifying details. 

A fee for repairing a problem that never actually existed

To trick you into thinking that they’re legitimate, scammers may already have some of your personal information on hand through mega data leakages available on the dark web, or even through social networks and job sites. The aim is to get the remaining information that they don’t have yet.

In the workplace, a common fraud attempt can happen when a link is clicked leading to a page claiming that a problem has been detected with your computer and that you need to call a number to receive technical support.

Another everyday technique is for a fraudster to call directly to alert a victim that there’s a device failure and that help is on offer. At the end of the bogus service, a fee is charged for repairing a problem that never actually existed. 

Frantic urgency

If you ever get a bogus call, stay calm. Do not feel obliged to continue a polite conversation, hang up as soon as you realise. 

If you receive any sort of message urging you to call a number, check it first to ensure that the phone number is genuinely that of a legitimate company or institution.

Be especially wary of texts or calls with special offers – especially if personal information is requested with a sense of frantic urgency. 

In any case, all unsolicited texts or calls should be viewed with scepticism.

Protecting against account takeover is getting more challenging. Contact us and we’ll walk you through our industry-leading cyber security options.