Vishing & Smishing: Old Ploy, New Tricks


VshingHuman beings have long been the weakest link in your cybersecurity chain. So, it may not surprise you when experts say that up to 98% of all cyberattacks rely on social engineering–the dark art of inducing (then leveraging) predictable human responses to trick people into handing over sensitive information.

Ten years ago, research firm Gartner warned the world that “Social engineering is the single greatest security risk in the decade ahead.” Today, two such social ruses on a meteoric rise include vishing and smishing, dangerous variants of the widely rued phishing cyberattack. Vishing (shorthand for ‘voice phishing’) targets mobile users and those who use VoIP services. Sometimes, crooks use fake caller ID–and even unwitting call centers and answering services to enable their scam. They impersonate legitimate companies or individuals, leaving bogus voicemail-callback requests. The goal, of course, is to fool victims into parting with credit card info, account sign-ups, birthdays or other highly personal data. Recently, the ploy’s destructiveness increased exponentially, as fraudsters (for the first time on record) used AI software to ‘deepfake’ a company leader’s voice and dupe a subsidiary’s CEO into wiring their criminal surrogates a cool $243,000.

Then there’s smishing (SMS phishing), a mobile device assault which uses Short Message Services or texting as its attack vector. Smishers’ objectives, however, can differ. “Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and give out sensitive information,” warns CSO Online. They might also instruct users to install ‘security’ or other software on the device, which, of course, is usually malware.

So, how can you and your employees avoid being victimized by social engineering? “Always err on the side of caution,” CSO Online advises. “Trusting no one [and teaching others the same] is a good place to start.” Experts at KnowBe4 add that “Common sense is a general best practice and should be an individual’s first line of defense against fraud. Don't trust any message that asks you to reveal personal information and don’t click on unsolicited links.” These nuggets of wisdom, and others like them, highlight the vital importance of having a culture of security awareness, built on regular training, open communication, and committed leadership.

For best-practice based support in any area of social-engineering, including training, contact TeamLogic IT today.