Continuing our social engineering series, this post covers two of the most prolific and fast-growing phishing tactics: vishing and SMiShing.
We look at the nuances of the two methods and the attack vectors they typically use, followed by a set of simple-to-follow tips to protect your network.
Cyber-attacks exploiting social engineering techniques are not new. Cybercriminals use a variety of methods to lure victims, and SMiShing and vishing have been among the most common infection vectors for quite a few years. Although both attack methods are simple to operate, they are highly effective at stealing our data. In reality, many of us have already experienced similar attacks at some point in our lives.
What is SMiShing?
SMiShing, or SMS phishing, is a devious way to extract information. It is delivered through messages sent via SMS, MMS, social media messaging, or instant messengers such as WhatsApp. In contrast, vishing, or voice phishing, schemes are pitched through voice calls over a telephone or VoIP connection.
SMiShing has grown exponentially over the past few years, following the popularity of Internet-connected phones across the world. Vishing, by contrast, has existed for decades, but over time it has turned into a lethal tool for breaking into people’s lives.
Interestingly, both methods bank on human emotion and use numerous manipulation techniques to compel their victims to take urgent action.
Real Life SMiShing Scenario
Through SMiShing or SMS phishing, cybercriminals send authentic-looking fake messages that embed a malicious URL or an email address. The content usually reads as convincing and authentic so that the user acts as the threat actor intends.
For example, the latest SMS in my phone inbox via a regular number reads as, “CONGRATULATIONS! YOUR WHATS APP NO HAS WON RS2 CRORE 75 LAKH IN THE WHATSAPP GLOBAL AWARD 2020. TO CLAIM, SEND NAME:ADD:MOB NO:JOB:AGE: TO rbidelhi@rbigov.org.in.”
For better understanding, I have kept the exact caps sequence and the spelling used in the message. With such alluring words, users with limited cybersecurity knowledge might feel compelled to follow through with the fraudsters’ instructions.
If you pay attention to the message in detail, you can find several discrepancies such as:
- Why should WhatsApp spell its name wrong? It’s WhatsApp after all, not WHATS-APP.
- Nobody sends a message in all caps.
- An official message usually maintains proper grammar and spaces in between.
- Why the heck would RBI (Reserve Bank of India) be interested in an unheard-of WhatsApp Global Awards 2020?
- If you miss these obvious signs of a phishing message, a basic web search about RBI (Reserve Bank of India) would tell you that the RBI’s official domain name is rbi.org.in and not rbigov(.)org(.)in as mentioned in the message.
Unlike the example mentioned above, many modern smishing messages maintain authenticity through zero typos or grammar mistakes. Even so, you should carefully inspect and read through each message before following any instructions. If the message holds a shortened URL or a fishy email ID, delete it or report and block the number.
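As an added example (not from the original post), the following Python scorer applies the checks just listed to an incoming message: it flags mostly-upper-case text, the misspelled brand name, prize-lure wording, shortened-URL hosts and a sender domain that imitates a known official one. The RBI domain is the one cited above; the WhatsApp domain, the shortener list and the lure-word list are assumptions.

```python
import re
from urllib.parse import urlparse

# Allow-list of official domains for brands a lure may name. The RBI entry is
# the domain cited in the post; the WhatsApp entry is an assumption.
OFFICIAL_DOMAINS = {"rbi": "rbi.org.in", "whatsapp": "whatsapp.com"}
# Constructed list of URL-shortener hosts to treat as suspicious.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
BRAND_MISSPELLINGS = ("WHATS APP", "WHATS-APP")
LURE_WORDS = re.compile(r"\b(won|winner|prize|claim|award|lottery)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def extract_domains(text):
    """Collect host names from every URL and e-mail address in the message."""
    domains = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    for match in EMAIL_RE.finditer(text):
        domains.add(match.group(1).lower())
    return domains

def score_sms(text):
    """Return (score, reasons); each triggered heuristic adds one point."""
    reasons = []
    # Judge letter case on the prose only, not on addresses or URLs.
    body = EMAIL_RE.sub("", URL_RE.sub("", text))
    letters = [c for c in body if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.8:
        reasons.append("mostly upper case")
    if any(m in text.upper() for m in BRAND_MISSPELLINGS):
        reasons.append("brand name misspelled")
    if LURE_WORDS.search(text):
        reasons.append("prize or lottery lure")
    for dom in extract_domains(text):
        if dom in SHORTENERS:
            reasons.append(f"shortened URL host {dom}")
        for brand, official in OFFICIAL_DOMAINS.items():
            genuine = dom == official or dom.endswith("." + official)
            if brand in dom and not genuine:
                reasons.append(f"{dom} imitates {official}")
    return len(reasons), reasons

# The message quoted in the post, re-typed here as sample input.
SAMPLE = ("CONGRATULATIONS! YOUR WHATS APP NO HAS WON RS2 CRORE 75 LAKH IN THE "
          "WHATSAPP GLOBAL AWARD 2020. TO CLAIM, SEND NAME:ADD:MOB NO:JOB:AGE: "
          "TO rbidelhi@rbigov.org.in.")
```

Running `score_sms(SAMPLE)` returns a score of 4 with all four reasons, while a mixed-case message linking to a host under rbi.org.in scores 0.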
Social Forwards
Unfortunately, smishing messages are not limited to SMS.
Following the popularity of social media and instant messengers, cybercriminals have become quite active on various other platforms, looking for potential victims.
Unlike SMS-based smishing, social media-based smishing messages tempt recipients to forward an alluring message loaded with sarcastic, humorous, or shocking content.
The Murky Lanes of Vishing
Vishing, or voice phishing, is an effective and active social engineering technique. Vishing schemes are often used to obtain the information needed to infiltrate an enterprise network. Like SMiShing, vishing activities, too, are spreading fast across social media platforms.
For example, a few months ago, a voice call was doing the rounds on WhatsApp. The caller pretended to be an official representative of the Amitabh Bachchan-hosted game show KBC (Kaun Banega Crorepati), congratulating random WhatsApp users on winning a lottery of INR 25 Lakh. In order to transfer the prize money, the fraudster asked for bank account numbers and a photograph of the bank debit card.
In 2019, a cybercriminal mimicked a CEO’s voice using artificial intelligence software and asked the company’s employees to transfer funds worth roughly $243,000 to a fraudulent account. The artificial intelligence technique used in the attack is called a deepfake, which can impersonate anybody’s voice using a one-minute voice file of the victim.
Ways to protect yourself from smishing and vishing
- If you come across any finance-related frauds, report the incident to Anti-fraud cell India on 8585063104.
- Never entertain any messages or calls from unacquainted persons.
- Read carefully every incoming message that claims to come from a bank, a game show award, or a large enterprise.
- Look up the URL, email ID, and phone number you receive using an online search before clicking on or calling it.
- Never call back the sender of a fraudulent message. Blocking the number prevents that person from sending similar messages or placing a call from the same number.
- Large enterprises seldom obtain information from their customers via phone calls or emails.
- Double-check the authenticity of the sender or caller before passing on your valuable personal or financial information.
- SOHOs, SMEs, and enterprises should be watchful of new and emerging attack vectors and upgrade their defense strategy accordingly.
- Embrace a cybersecurity awareness program for all your employees.