Defending Against Social Engineering: Smishing, Vishing and Phishing

Updated: May 3

In today's world, criminals employ various techniques to manipulate, con, or deceive individuals into disclosing sensitive information or performing actions that are detrimental to them. These techniques fall under the umbrella term of social engineering, a deceptive and illegal tactic that has been covered previously in our blog collection.

Social engineering is a broad term, however, and in this article I shall discuss three prevalent methods in more detail: smishing, vishing, and phishing. A key point is that these techniques target people rather than systems: by manipulating the person, the attacker bypasses the technical security controls that would otherwise stand in the way. Understanding how these techniques work and how to guard against them is vital for safeguarding your digital presence.

Let’s start with Smishing:

What is Smishing?

Smishing, a term combining "SMS" (Short Message Service) and "phishing," is a form of social engineering that uses text messages to deceive individuals into revealing confidential data, such as passwords or financial details.

Ok so how does Smishing work?

Smishing usually works by utilising the following:

1. Deceptive Messages: Criminals send text messages that mimic legitimate sources, like banks, government agencies, or well-known companies. These messages often convey urgent issues or enticing offers to pressure you into taking action. I have personally had several of these impersonating companies such as DPD, Post Office and even HMRC.

2. Links and Numbers: The message typically includes a link that redirects recipients to a counterfeit website or prompts them to call a phone number.

3. Information Theft: We are asked for our information all the time, seemingly wherever we turn, and worryingly many people will give this information away without truly realising the weight of their decision. Once users click the link or dial the provided number, they are prompted to enter sensitive information, which is then harvested by the attacker.

So how can you protect yourself against it?

Countermeasures Against Smishing:

· Source Verification: Always verify the authenticity of the sender before responding to text messages or clicking links. This can be tricky, as attackers can spoof or fake the identity of legitimate companies in SMS messages. Try to find a number for the company and contact them directly. Keeping yourself updated on the latest smishing trends can reduce the success rate of this type of attack. Sometimes these messages come from a mobile number at the top with the company logo in the body of the message. Ask yourself how likely it is that a large company would be contacting you from a mobile number. Or, if you use the service, check your other messages from them and see whether they look and feel the same and come from that exact number.

· Avoid Clicking Links: Refrain from clicking on suspicious links in text messages; instead, visit the official website of the organization independently. This may seem like extra effort, but it really is worth it! Companies will typically have all their current offers splashed all over their website. If it is a bogus request for payment, however, you might have to call the supplier directly. If you know your direct debit has already gone out and there is a second request or a claim of a missed payment, that should be suspicious enough in itself. It's handy to know what day of the month your direct debits go out. Your own bank may ask for these when checking your identity if you lose a debit card, for example.

· Utilize Security Software: Install reputable security software on your mobile device and keep it up to date to detect and thwart smishing attempts, whilst also protecting your devices from the latest cyber threats. This is key and I cannot recommend it enough. I have helped family members with this, and the results have been brilliant. On several occasions when receiving a message, they have been warned that the link was a phishing link. This is usually closely followed by "phew, I was about to click on that!"

Next is Vishing…

What is Vishing?

Vishing, short for "voice phishing," is a social engineering tactic that involves fraudulent phone calls aimed at deceiving individuals into revealing personal information or making financial transactions.

How does Vishing work?

1. Impersonation: Scammers often pose as trusted entities like banks, government agencies, or tech support, creating a false sense of urgency. Again, I have had this myself: an individual called me, purportedly from my bank, and claimed there had been fraudulent activity on my account and that I needed to act right away if I wanted any chance of getting my money back. They then asked me to verify myself by giving all my personal information. I was instantly suspicious. The final slip-up for them was when I informed them I would contact the bank through the app; they were insistent there was no need and that I couldn't trust it! Needless to say, the call was ended shortly after. However, some are not as obvious as this and can be a lot more sophisticated.

2. Information Request: They request personal or financial information over the phone, claiming it's needed to resolve an issue or confirm your identity.

3. Manipulation: Criminals employ psychological manipulation to pressure and deceive their victims into complying with their demands. They prey on our fears and impulses to convince us to act, often employing an authoritative persona to give their manipulation a higher chance of success.

So how can you protect yourself against it?

Countermeasures Against Vishing:

· Be Sceptical: Exercise caution when sharing personal information over the phone, especially if the call was unexpected.

· Verify the Caller: Hang up and dial the official phone number of the organization to confirm the call's legitimacy. Another option is to ask them for a number you can ring back for free. Bona fide organisations will accommodate this, or will send an email verifying their identity.

· Educate Yourself: Familiarize yourself and your family members with common vishing tactics. If you search for common scams carried out in the name of, say, BT, a broadband provider or another major services corporation, you will often find that what you are experiencing is listed there. They will also state that they NEVER contact customers about issues with their line or their internet connection. If you experience a problem, they are there to answer your call. If they call you about a problem with your internet, there probably isn't a problem with your internet.

Last but certainly not least… Phishing:

What is Phishing?

Phishing is one of the most widespread online threats and a prime example of social engineering. It involves the use of deceptive emails, messages, or websites to trick individuals into revealing sensitive information.

How does Phishing work?

1. Bait Email: Attackers send emails that appear to be from reputable sources, often with convincing logos and email addresses. This is one we have probably all had at some point. A recent one was from "Hermes", telling me I needed to pay to have my parcel delivered after a failed attempt. The trouble is, I hadn't ordered anything, and the company is no longer called Hermes! Apart from that glaring oversight, the actual email was well crafted with good spelling and grammar and looked official. The other main giveaway was that the email address was odd and they addressed me as "Dear customer". Using generic terms rather than personal ones is a red flag.

2. Urgent Message: The email typically contains a sense of urgency, asking recipients to click on a link or download an attachment. Take a moment to breathe and certainly don’t panic.

3. Information Theft: Clicking the link can lead to a counterfeit website where users are prompted to enter their credentials, which are then stolen.

Countermeasures Against Phishing:

· Examine URLs: Hover your mouse over links in emails to preview the URL before clicking. Check where the link is taking you. Check the URL for misspelled domain names, extra subdomains or a combination of random characters and symbols. Legitimate websites typically have clean and logical URLs. Be extra careful to check that the domain matches: if it is a well-known company such as Facebook, a slight variation such as "Facebok" is most likely a phishing attempt.

· Verify Email Addresses: Confirm the sender's email address to ensure it matches the official domain of the organization.

· Implement Multi-Factor Authentication (MFA): Enable MFA wherever possible to add an extra layer of security.

· Look for red flags such as generic introductions like “Dear customer” and email addresses that do not line up with what you would expect.
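The URL and sender checks above can be turned into a small script. This is an added example, not code from the original post: it takes a link or an e-mail address, pulls out the host, and flags the two patterns described above (a misspelled lookalike such as "facebok.com", and a real brand name buried in the subdomains of an unrelated domain). The allow-list of known domains and the simplified handling of co.uk-style suffixes are assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Constructed allow-list: the organisations this reader actually deals with (assumption).
KNOWN_DOMAINS = {"facebook.com", "hmrc.gov.uk", "dpd.co.uk"}
# Simplified list of UK-style second-level suffixes, so "dpd.co.uk" is one registrable domain.
SECOND_LEVEL = {"co", "gov", "ac", "org"}

def host_of(target):
    """Lowercase host of a URL or bare domain, or the domain part of an e-mail address."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    if "://" not in target:
        target = "http://" + target
    # urlparse discards any user@ prefix, so "http://facebook.com@evil.example/" yields evil.example
    return (urlparse(target).hostname or "").lower()

def base_domain(host):
    """Registrable part of a host: last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(target, known=KNOWN_DOMAINS):
    """Return 'ok', 'brand-in-subdomain', 'lookalike' or 'unknown' for a link or sender."""
    host = host_of(target)
    base = base_domain(host)
    if base in known:
        return "ok"  # the real domain, or one of its own subdomains such as www.
    brands = {k.split(".")[0] for k in known}
    # "extra subdomains" case: facebook.com.secure-login.example is really secure-login.example
    if any(label in brands for label in host.split(".")[:-2]) or any(k in host for k in known):
        return "brand-in-subdomain"
    # "misspelled domain" case: facebok.com or hmrc-gov.uk (threshold chosen for the demo)
    if any(edit_distance(base, k) <= 2 for k in known):
        return "lookalike"
    return "unknown"  # not a known brand at all; still worth a look, but not a lookalike

if __name__ == "__main__":
    for t in ["https://www.facebook.com/login", "http://facebok.com/", "refunds@hmrc-gov.uk"]:
        print(t, "->", classify(t))
```

Anything other than "ok" is a prompt to stop and go to the organisation's website or app independently, exactly as the countermeasures above advise.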

In conclusion, smishing, vishing and phishing are all tactics within the realm of social engineering, where criminals harness IT techniques and IT specialists to exploit people's good nature and hack their digital accounts. This is what makes them such dangerous techniques. By practising cybersecurity vigilance, such as verifying sources, exercising scepticism, and employing security software, you can significantly reduce the risk of falling victim to these scams and protect your personal information online. As always, stay vigilant and stay informed. Forewarned is always forearmed.
