Vishing and Phishing: How to Prevent Malicious Attacks
Tips / 11.11.2021
Our reliance on the Internet and mobile technology today is so high that we can barely imagine living our lives without all that these solutions have to offer.
Yet, there are individuals with malicious intent who are keen to exploit your online vulnerabilities with the aim of gaining access to sensitive data. Today, there are multiple types of attacks that enable a fake caller or a hacker to trick victims, obtain sensitive information (like personal or financial information such as logins, passwords, and payment details), and use it to their advantage.
Needless to say, the risks posed are serious and can have disastrous consequences.
In the following sections, we will dive deep into various malicious attacks such as phishing and smishing. We will also learn how to prevent vishing and how to protect ourselves from suspicious online activities.
The Numbers Behind Phishing and Vishing Schemes
In 2020, 75% of organisations globally experienced a phishing attack, according to Proofpoint.
If that is not staggering enough, consider this: roughly a fifth of all employees in an organisation are likely to click on a link in a phishing email.
Worse still, 67.5% of the employees who click go on to enter their credentials on the phishing website, according to 2020 research by Terranova Security. The concern is widespread: nearly a third of business owners were worried about being targeted by cyber attacks in 2021, according to BDO.
When social engineering attacks succeed, the consequences for an organisation are serious: downtime for internal teams and for customers, damage to the organisation’s reputation, loss of intellectual property, and the time needed to investigate and recover from the attack.
In addition, significant monetary losses can be experienced as a result of social engineering techniques. The damages can include costs associated with response and remediation, loss of revenue, compliance fines, legal fees and possibly also the loss of customers.
All these make for very strong reasons to ensure you protect yourself from phishing and other malicious attacks to prevent you from falling victim to fraudulent schemes.
But first of all, what is phishing and vishing, and what types of other attacks can you be exposed to? Let’s take a closer look.
Phishing
Phishing is a type of social engineering attack delivered by email. The message appears to come from a legitimate organisation but is in fact a fraud.
Its purpose is to extract valuable details from the target (credentials, payment details) or to get them to open a malicious attachment, so that the attacker can get into their accounts or systems, infect their computer, and ultimately reach their money and data.
Here are some of the most common phishing attacks.
Deceptive Phishing
A deceptive phishing attack is, for example, a fake email from a bank asking you to click on a link and “verify” your account details.
If you do, the fraudster captures those details on a lookalike site and can use them to steal money from you or launch further attacks. The main purpose is to obtain confidential information at scale: the same message is sent to a large number of recipients.
Spear Phishing
In the case of spear phishing, the attacker typically targets specific individuals instead of a wider group. Usually, they present themselves as part of legitimate organisations like financial institutions, government agencies, or others.
They research the victims beforehand and use information from their social media channels and other sites to make their communication more believable.
Whaling
A whaling attack is usually targeted at top-level executives and CEOs. The attacker will usually profile their target in an effort to get them to reveal their login credentials or gain access to bank accounts.
This is highly problematic because these executives often have access to a wide range of company information.
Pharming
Here, the victim is sent to a fraudulent website that looks legitimate, without any link being clicked.
This method is particularly troublesome because the victim can type the correct URL and still land on the fake site. The attacker achieves this by tampering with name resolution: either on the user’s own computer (for example, malware that alters the hosts file or local DNS settings) or on the DNS server the user’s requests go through, so that the legitimate domain name resolves to the attacker’s server.
Other examples of phishing
From advance fees to a message from your company, phishing attacks can take various forms and the attackers can get quite creative.
Some more notable examples of phishing include:
- Receiving a fake invoice: this type of scam depends on fear and urgency, placing pressure on the victim to submit a payment for something they’ve not ordered or even received.
- Upgrade your email account: whether from your company’s IT department, Google or Microsoft, these types of emails require the user to take immediate action to prevent their account from expiring.
- The scam for advance fees: we’ve all heard of foreigners who need to recover a large amount of money with your help. Although we might feel as though we can recognise these types of scams, there are still people out there who are susceptible to them.
- Google Docs: this scam is particularly troublesome because the sender can appear to be someone you know. The email encourages you to click on a link to view a shared document. The link takes you either to a login page that is nearly identical to the Gmail login page, or to a consent screen asking you to grant an app access to your Google account. Once you have selected an account and approved, you have let the attacker in, and in the consent case without ever typing your password.
- Messages from HR: these emails generally carry a malicious attachment that installs malware on your device when you open it. Before opening it, check with HR through a channel you already know whether they actually sent such a message. If not, do not open the attachment or click on any links.
- Dropbox: this is a platform for online sharing and storage and with this attack, users are typically asked to click on a link which will take them to the Dropbox lookalike login page where they’re required to enter their details.
- Council taxes: this is a scam that tries to get users to give away their details by offering some form of compensation or refund. Ultimately, this can seem attractive to many people and they are then duped into clicking on links and entering their personal information which the scammer can now have access to.
One of the most commonly encountered potential security red flags is unusual activity in email accounts. An unusual activity email is generally bound to cause panic and urgency, leaving users feeling that the only option they have in order to protect their account is by doing what the email says.
Vishing
Phone-based phishing, also known as vishing or voice phishing, is another common type of attack, carried out over a phone call rather than by email.
The attacker pretends to be calling from a legitimate business or financial institution. Often the caller spoofs a number with the same area code as the victim to look local, then claims that something is awry with the victim’s account and that they must take certain steps right away to avoid a loss.
Typically these unsolicited calls ask for information over the phone (an account number, card number, social security number, password or one-time code) “in order to verify your account”. A genuine bank will not ask for your full password, PIN or a one-time code over the phone.
In other cases the pitch is positive: you are told that you have won something or that there is good news for you, and you are then asked to provide personal information in order to receive the prize.
Some of the most popular vishing techniques include:
- Caller ID spoofing: vishing schemes, where the caller’s identity is tampered with, making it appear as if the unsolicited call is coming from a bank, government institution, or the victim’s employer.
- AI vishing: vishing attempts that rely on AI voice tools to clone a trusted person’s voice from a few recordings. With the cloned voice, the scammer can hold a live conversation with the victim while sounding like a colleague, executive or relative.
- Robocall: one of the common vishing scams where attackers utilise computer-generated voice software and automated messages. Although there’s no adaptive element in this type of attack, it’s still incredibly successful.
- VoIP (Voice over Internet Protocol): this vishing attack relies on internet telephony, which lets attackers generate thousands of phone numbers cheaply and spoof caller ID, so the scheme can be run at a much larger scale.
- Voicemail scam: attackers leave voicemails for the victim, or combine the two channels: they send businesses a phishing email styled as a “new voicemail” notification, where the link to “listen” leads to a credential-harvesting page or to malware.
- Client call: a phone scam where the attacker pretends to be a business that has sent an invoice to the victim’s business and requires payment.
These are just a few examples of vishing schemes.
However, many of them rely on tricking victims by citing a legitimate organisation or impersonating a government agent. Some attackers will pose as a government agency, your local healthcare organisation or the social security administration. Others focus on banking scams, while there are those who offer unsolicited investment opportunities or loan offers.
We’ll explore ways for preventing vishing attacks later on in this article.
Smishing
Also known as SMS-phishing, smishing is an attack where instead of making unsolicited calls, attackers try to get you to take actions that are harmful to you by sending you text messages on your phone.
There are a couple of methods typically used for smishing:
- Ask you to download a malicious app: by downloading such apps on your mobile device, they can deploy ransomware or enable other attackers to remotely control your device.
- Clicking on a malicious link: you could be tricked into clicking on a malicious link, which will then redirect you to a website that is designed with the sole purpose of stealing your personal information.
A third variant skips the link entirely: the text tells you to call a “customer support” number. The person who answers poses as a legitimate support agent and tries once again to trick you into giving out your personal information or card details.
Depending on the way the smishing attack is conducted, it could lead to notable damages such as serious bank account issues with the victim’s account number being compromised and more.
How to Prevent Vishing and Other Malicious Attacks
So what security measures can you take to protect yourself? Are there any ways to detect suspicious activity, payment fraud or identity theft on time?
Here are a few suggestions that can help you stay safe.
Use Spam Filters in Your Email
One of the best ways to protect yourself and your business against phishing attacks is to rely on spam filters in your email.
Emails are then analysed before they reach your inbox. A good filter checks sender authentication (the SPF, DKIM and DMARC results), recognises known phishing patterns, and automatically scans attachments and links. It reduces the volume that reaches you, but no filter catches everything, so the remaining advice still applies.
Install Antivirus Software on Your Devices
Another highly recommended step to take is to invest in reliable antivirus software on all of your connected devices.
Antivirus software detects known malicious attachments and downloads and warns you in time to stop the worst-case scenario. It is a safety net rather than a guarantee: a novel attachment, or a credential-harvesting page that installs nothing at all, will not trigger it.
Change Your Passwords Regularly
People are often hesitant to change passwords because they worry about forgetting them. Changing a password promptly when you suspect it has been exposed, for example after entering it on a site that turned out to be fake, is essential; routine rotation on a schedule matters far less than using a strong, unique password for every account.
So never reuse the same password across accounts, use a password manager to keep track of them, and turn on multi-factor authentication wherever it is offered, so that a stolen password alone is not enough to log in. (CAPTCHA is a control a website applies to its visitors; it does not protect your own accounts.)
Always Contact the Company Directly
Once you receive an email or call from an institution, organisation, or business, always ask yourself if you were expecting this message from the sender or caller. Perhaps this notification is out of the blue, which can be a strong signal for suspicion.
Contact the company directly by using a phone number listed on their legitimate website to verify.
Look Out for Red Flags in Emails
Luckily, there are several red flags that you can quickly and easily detect when it comes to phishing attacks.
Here are some of the signs you should look out for in email phishing attacks:
- Check whether the email contains links and attachments.
- See if the email was sent to other people that you don’t know personally or haven’t heard of before.
- Check hyperlinks for spelling errors.
- Check the date and time on which you received the email – is it within business hours or during an odd period of the day or night?
- Check whether the email’s subject line and the body of the email do not match each other.
- Check for attachments and determine whether you were expecting such an attachment in the first place.
- Check for urgency and efforts to get you to panic as well as take urgent steps to provide personal information.
- Check the email for grammar and spelling errors.
If you notice something suspicious, think twice before taking action. Verify the sender through a channel you already trust (a phone number or address you know, not one given in the message, and not by replying to it) and avoid sharing sensitive information.
Look for SSL Certification
If you receive a link in an email, hover over it first and read the actual destination address (on a phone, long-press the link to see it).
Websites that use TLS (SSL) certificates have addresses starting with “https”, where the “s” stands for secure: the connection is encrypted. That is necessary but not sufficient. Certificates are free and phishing sites routinely have them, so the padlock only tells you that you are talking privately to whoever owns that domain. Check that the domain itself is the organisation’s real one, spelled exactly right, rather than a lookalike.
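The checks in the red-flag list above and the link inspection in this section can be automated as a first-pass triage. The following Python script is an added example and not code from the original article: it parses two constructed sample messages (the addresses, domains and Authentication-Results values are made up for illustration) and reports the same red flags a reader would look for by hand: failed SPF/DKIM/DMARC verdicts in the receiving server’s Authentication-Results header, attachments, urgency wording, and links whose visible text shows one domain while the href points to another, or that use plain http or a punycode host.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail): a lookalike "bank" alert and a benign statement notice.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.com>
To: victim@example.org
Subject: Unusual activity on your account - verify within 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e-bank-secure.com; dkim=none; dmarc=fail header.from=examp1e-bank-secure.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Your account will be suspended unless you verify immediately.</p>
<p><a href="http://login.examp1e-bank-secure.com/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <noreply@example-bank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""

URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")  # extend to taste


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def parse_auth_results(header):
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def host_of(url):
    """Lowercased hostname of a URL; bare text such as 'www.example.com/x' is handled too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def phishing_red_flags(raw_message):
    """Return a list of red-flag strings for one RFC 822 message (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Sender authentication as recorded by the receiving mail server.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            flags.append(f"{mech}={verdict}")

    # 2. Attachments and body text (all text parts concatenated).
    body, attachments = "", 0
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    if attachments:
        flags.append(f"attachments={attachments}")

    # 3. Urgency / panic wording in subject and body (HTML tags stripped first).
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    flags.extend(f"urgency:{w}" for w in URGENCY_WORDS if w in text)

    # 4. Link hygiene: plain http, punycode hosts, and visible-text/href domain mismatch.
    for shown_text, href in extract_links(body):
        target = host_of(href)
        if urlparse(href).scheme.lower() == "http":
            flags.append(f"plain-http:{target}")
        if target.startswith("xn--") or ".xn--" in target:
            flags.append(f"punycode:{target}")
        if re.match(r"(https?://|www\.)", shown_text, re.I) and host_of(shown_text) != target:
            flags.append(f"link-mismatch:{host_of(shown_text)}->{target}")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{name}: {phishing_red_flags(raw)}")
```

Run it directly to see the suspicious sample flagged on authentication, urgency and the mismatched link, while the clean sample produces an empty list. Two caveats when using this on real mail: an Authentication-Results header is only trustworthy when it was added by your own receiving server (strip any copy that arrives from outside, as mail servers are expected to do), and the urgency word list is a tuning starting point rather than a detector on its own.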
Invest in Security Awareness Training
Finally, it’s always a plus to invest in advanced and reliable security awareness training.
This will ensure that all of the teams within your business are on the same page when it comes to safety and protection.
As a result, your staff are far more likely to recognise an attack and report it before it does harm.
Conclusion
Phishing and social engineering attacks are on the rise worldwide. This is why vigilance is necessary from every employee and individual, to avoid smishing and vishing attacks, loss of personal data and funds, and damage to the organisation’s reputation.
There are many ways you can protect yourself, and you are the first line of defence for your organisation against such attacks. By following the tips above, you should be well on your way to keeping your data and that of your company safe.
However, constant vigilance is required as attackers can continue to try and get your information in innovative ways. Therefore, be aware of every single email, SMS or call that you receive.
If in doubt, hang up, don’t click on anything suspicious and seek professional assistance from your IT department.