Is your data safe?
These days, most businesses invest a lot of money and effort in data, specifically, in data security and data protection risk management. Unfortunately, there are a substantial number of malign actors out there who would love nothing better than to get their hands on your information.
In this article, we will talk about three of the most common attacks hackers use to try to achieve this. Phishing, vishing, and, smishing are the quirky names given to these attacks. But there is nothing funny about them at all.
What is phishing?
Phishing is a technique used by cybercriminals as a way of trying to access confidential data for illegal uses. Typically, it involves hackers sending an email purporting to come from a well-known and trusted source.
The email includes some kind of invitation to respond. Often, this is a link that, when clicked, allows the criminals to harvest crucial personal data they can use to steal money from bank accounts.
Alternatively, there may be an attachment that, when downloaded, installs malware or ransomware that enables hackers to gain access to a private organization’s systems. Guarding against phishing is one of the primary concerns of any cybersecurity risk assessment.
According to Verizon’s 2020 Data Breach Investigations Report, as many as 25% of data breaches involved phishing attacks. And the problem is only getting worse.
Email security provider Ironscales reports that email phishing is the top concern of 90% of IT professionals. And 81% of those surveyed said they had seen an increase in phishing attacks since the start of the COVID-19 pandemic. So it is important to try to spot a phishing email when you see one.
How to spot and deal with a phishing attack
Emails sent via trustworthy bulk email providers are generally nothing to worry about. The main signs you should be looking out for that all is not what it seems are these:
Poor spelling or grammar: often, English is not the phishing attackers’ first language, so they tend to make basic mistakes. Meanwhile, professional organizations take great care with their customer communication to ensure it is error-free.
Dubious attachments: if you are not sure what it is, do not download it.
No personalization: if the email does not address you by name but uses a generic greeting instead, that should raise suspicions. Companies whose services you use will know your name and will use it together with other details such as part of your account number.
Encourages urgent action: if the email is trying to pressure you into doing something you are not comfortable with, take a moment to reflect. Any company you do business with will be more than happy for you to pick up the phone and call them directly to double-check with them.
Many of the best VoIP systems for small business communications will enable you to do this automatically.
Inconsistent link addresses: if, when you hover over a link included in the email, the address looks different from a corresponding one in the body of the email itself, which is a phishing red flag.
Sender asks for information they should already have: your bank already knows your details. It will never ask for them again by email.
Of course, not all attacks happen via email. There are other avenues those sneaky cybercriminals often use to try to ruin your day. That includes vishing.
What is vishing?
Vishing is similar to phishing, but describes an attack where, instead of contacting potential victims by email, hackers call them for a chat or leave a voice message. Typically, the voice on the end of the line will put you under pressure; it could be someone claiming to be from your bank alerting you to possible fraud, for example.
Or perhaps they will claim to be from your IT support service explaining to you that there is an issue and they need to install some software remotely to solve the problem. Whatever the scam, the point is that the cybercriminal is hoping that the stress of receiving the call will force you into making a mistake.
Companies like RingCentral can offer advice on protecting your phone system against this kind of attack, but nothing beats widespread staff awareness.
The best explanations are always real-world examples. I mentioned to a friend that I was writing this article, and she volunteered this story, which she encouraged me to share in case it would help someone else. You see, she fell for a vishing attack once. Here is how it happened.
She was in the middle of some inventories accounting at work when she received a call from her gym. The “friendly” man on the other end of the phone explained that her monthly automatic bank payment had failed, and could he possibly have her card details so that her subscription could continue uninterrupted?
It seemed plausible. He already had a lot of information about her – her name and address, for example. Nevertheless, although she was fairly young, she was not a complete dunce when it came to information security awareness, so she hesitated. Unfortunately, she did not listen to her instincts, and in the end, she gave him her card details.
It was only later that day, when she checked her bank account, that she realized that her monthly payment had not in fact failed, and she noticed some fraudulent transactions that had taken place directly after the phone call. She immediately contacted both the gym and her bank.
It turned out that the gym had suffered a break-in and had not told any of its clients. Although the company had stored financial details separately, it still kept paper records of clients’ addresses and contact details, and these had been accessed by the malicious actors.
All the culprits had to do then was call up each potential victim and ask for their card details, using the information they already had to persuade them they were legit.
As you can imagine, she was not very happy about this. In the end, the bank refunded her money, but it was an important lesson in listening to that niggling voice inside her own head and trusting it when things did not seem right.
How to spot and deal with a vishing attack
Requests for sensitive information: if you receive a call out of the blue asking for this, think twice. Do not make the same mistake my friend did.
Double-check the company the caller claims to be from: is it one you know? Check the details to make sure it is legitimate.
Caller asks you to visit a website and take action: they could be directing you to a fake site to push you into filling in a form with the information they want or to ask you to download malware.
Caller asks for access to your computer: your company’s cybersecurity practices should mean that this does not happen except via a well-defined protocol. If you do not know who is asking for access, do not give it.
If you have any doubts at all, hang up. If you receive a call supposedly from a particular company, you can always call them back to ask whether the call was genuine.
What is smishing?
Finally, we come to the final type of attack out of phishing, vishing, and smishing. Smishing is when the fraudsters use SMS messages to try to fool you. In today’s world, where we are increasingly dependent on cell phones and remote collaboration tools to communicate and get the job done, it is easy to see why this is becoming a more popular approach.
The SMS messages used in smishing attacks will include a link. Clicking on the link will generally open up a webpage or prompt the user to send an email or dial a number being used by the hackers to steal sensitive data.
It is obvious why this is a popular method of attack for scammers. It is all too easy to be distracted when you are on the go and click on a harmful link before you have really had the chance to think about it. So how can you defend against it?
How to spot and deal with a smishing attack
You receive an SMS message you had no reason to expect: if you get a message claiming to come from a particular company, double-check. Cross-reference it with your account details or get in touch with the company via an alternative route to confirm the message was genuine.
Keep your device updated: make sure you are using the latest version of your security apps.
Do not click: self-explanatory. If you have any doubts at all, just leave it and do not engage with the message in any way. That includes if it tells you to send a STOP message to stop receiving messages from the source.
Delete the message: the best way of dealing with a message like this is to get rid of it altogether. Stay safe.
When it comes to unified communications providers, a number of Vonage business competitors have introduced extensive customer support options that can help you manage security risks such as phishing, vishing, and smishing. But the truth is, the best defense against these kinds of attacks is pre-emptive.
This means investing in staff training to give each individual the best chance of spotting these scams and attacks as they happen. A dollar spent today could save ten tomorrow, not to mention the potential cost to your organization’s reputation if a data breach were to occur. It is worth it.