Best Practices for Phishing, Smishing, and Vishing

We know what you’re thinking! Who thinks up these names? Phishing… Smishing… Vishing – while they all are related tech-based scams… sometimes it is confusing to know what they all mean.

The Britec team has put together an article to help you understand what Phishing, Smishing, and Vishing scams and threats are, as well as provide some helpful best practices and tactics for avoiding them. (Should you have any questions, reach out to us on social, or contact us here.)

What is Phishing?

Phishing involves email and impersonation to fool you into providing private information (about yourself, your family, or your workplace). It is the most common type of scam you will encounter.

In a phishing attack, the scammer will pose as someone you know and try to fool you into giving out private information. This usually happens via email, but it can also happen via text message, and even a phone call. Normally the phishing scammer has a small amount of information about you, which they try to use to either get more info, or to get you to do what they want.

Some typical examples of Phishing Scams include:

  • A fake invoice – Usually sent from a popular business sending an invoice from services you never ordered.
  • Email account upgrade – An upgrade will be offered via email from a brand you trust and use. Claiming to have a new free updated version to be downloaded. Warning you that your usage will be limited if you do not use the updated version.
  • Incoming payment – Similar to the fake invoice. This time the email will claim that money has been deposited into your account only if you click the specific link.

Best Practices and tactics to avoid or detect a Phishing attack:

  • If you do not know who the sender is and you have doubts about the emails validity then do not open the email.
  • If you know the person you can contact them using another avenue of communication such as phone call or text to their direct line and confirm it was them who sent the email.
  • Never click on an unsolicited link inside of an email. Often it will be an enticing link socially engineered to make you click on it.
  • Double-check the sender address: Does the name on the email match the address. Often these addresses are used to send multiple emails and they often seem conspicuous.

What is Smishing?

Smishing involves tricking you to open a file or link, typically by a person of authority or trust (like the CEO, a parent, or an adult child of older users).

This is a scam that is text to phone based and involves social engineering to get you to click a link or open a hidden attachment that you would have not otherwise opened. They often pose as a business or figure of authority giving you a deal or alert prompting you with a timeline. Often a text message, but email-based smishing is very popular for corporate smishing attacks. Phone calls are more rare, but they can also happen in tandem with an email or text.

Some typical examples of Smishing Scams include:

  • An urgent message about your credit card. In big bold letters it will often prompt you with a dead line.
  • A security alert. Possibly appearing to be from your own security team.
  • A punishment, like the bank freezing your accounts.
  • Unusual account activity. Reporting that in order to check this activity you must open a new link.

Best Practices and tactics to avoid or detect a Smishing attack:

  • Check the phone number if it looks suspicious. They may now use numbers that look similar to yours or others you know.
  • Any weird wording or grammar used in the text that does not seem professional
  • You can always contact the company or business through their direct number. Often these companies are aware of the scams that are being delivered falsely on their behalf
  • Fake caller I’Ds: They will be a caller I’Ds that you know. But upon more scrutiny you will realize that the number is wrong and the I’D seems off.

What is Vishing?

 Vishing is a cyber crime using voice. Often it involves a time sensitive scam by an authority figure. A common Canadian example is scammers impersonating the “tax man”, like the CRA (or IRS is the US) and threatening legal action or imprisonment if you do not immediately take action.

Using phone calls, vishers will pose as someone with authority or a time sensitive deal being offered on behalf of the company. Sometimes they will even threaten jail time. That is an example of vishing. It is defined as someone using their speech tactics to ensnare you.

Some typical examples of Vishing Scams include:

  • Billing by a technical support service. Often prompting you to ask if something is wrong with your computer.
  • Alerts from a financial institution that you would be familiar with informing that your credit card or bank account needs attending to demanding your personal information from you.
  • Social Identification Number snatchers. They will pose as the government or your employer asking for your social security number.

Best Practices and tactics to avoid or detect a Vishing attack:

  • Don’t answer calls from unknown numbers
  • Never give credit card information over the phone, unless you have initiated the call and you know the financial institution/insurance company you are calling.
  • Do not feel rushed into giving credit card information over the phone.

We can help your business avoid these kinds of attacks.

Firstly and most importantly through training your team, and helping them be comfortable in avoiding these (they can trick almost anyone if your attention wanes). Secondly with the right tools, to detect, minimize, and stop attacks – should they get through your first line of defence. Contact us if you think we might be able to help!