Smishing & Vishing: What Are They, And How Can You Protect Against Them?


A text message claiming to be from Microsoft Support, alerting you about an issue with your computer. An unfamiliar caller requesting that you verify your mailing address and credit card number so you can claim your free prize. An SMS message seeking your confirmation of an Amazon shipment. An urgent voicemail message from the IRS. These are all prime examples of smishing and vishing cyberattacks.

Smartphones have become one of the most prevalent methods of contact for cybercriminals. Hackers know how attached we are to our phones and how difficult it can be to ignore the ping of a text message or the buzz of an incoming phone call.

Both smishing and vishing depend on social engineering to dupe victims into surrendering personal information. Using persuasive and often urgent language, cybercriminals manipulate victims into revealing confidential data such as their bank account and credit card details, passwords, social security number, date of birth, and mailing address.

Victims are confident they’re doing the right thing by supplying this information. After all, the caller is warning them that they could face criminal prosecution from the IRS if they can’t validate their bank account details. And the text message guaranteeing delivery of a free prize states that the offer will expire in one hour unless the necessary bank account details are provided.

It’s important to be aware that cybercriminals set their sights on both individuals and organizations with these strategic smishing and vishing attacks. In many cases, cybercriminals will initially send spear-phishing emails in order to gather information that they will then use to deliver customized text messages and phone calls.

What Is Smishing?

Smishing, a shortened version of the term “SMS phishing,” is a type of cyberattack that utilizes misleading text messages – purported to be from reputable companies – to pilfer confidential and corporate information from users.

With compelling and alarming vocabulary, the text message may seek to threaten the victim with dire consequences if they don’t take action or try to persuade the victim that they would be helping the sender by providing the sought-after information.

Text messages are a particularly attractive technique for cybercriminals, as the evidence bears out the efficacy of the medium. Take into consideration these recent statistics concerning SMS marketing:

  • 98% of all text messages are read and opened
  • 90% of all text messages are read within 3 minutes
  • Text messages have a 209% higher response rate than phone calls, emails, and Facebook messages

To further simplify matters for cybercriminals, people generally have a very low awareness of smishing attacks. This unfamiliarity gives rise to a perilous environment where victims don’t think twice about clicking on embedded links, providing personal information, or directly responding to the hacker who’s texting them.

What Is Vishing?

Vishing, derived from the phrase “voice phishing,” is a form of cyberattack that involves using the telephone to steal sensitive data from a person. Cybercriminals employ slick social engineering tactics to persuade victims to relinquish private information as well as access to bank accounts.

Hackers will frequently adapt the messaging of their vishing calls to the time of the year or try to establish a connection by leveraging trending news stories. For example, during tax season, cybercriminals might leave messages passing themselves off as representatives from the IRS. Additionally, since the onset of the COVID-19 pandemic, hackers have been calling people touting false promises of vaccinations or testing kits, if the victims would merely supply their bank account information and mailing address.

Like smishing, vishing attacks are used to appropriate data from both individuals and organizations. For example, a cybercriminal may check out an organization on LinkedIn and on the company website, gathering details about its leadership and employees, taking note of individuals who might be traveling or attending a conference. With this intelligence in hand, the cybercriminal then makes a string of strategic phone calls and voicemails attempting to prevail upon an employee to transfer funds on behalf of their manager who is traveling and is unable to access the network.

How to Safeguard Your Organization and Employees from Smishing and Vishing Attacks

With such a prominent focus on phishing, spear-phishing, malware, and even CEO fraud, it’s easy to disregard the threat of smishing and vishing. However, these types of approaches are standard methods of attack for cybercriminals who zero in on organizations and their employees.

To safeguard your organization and employees from smishing and vishing attacks, take heed of the following recommendations:

  • Reap the benefits of security awareness training programs that apply real-world examples of smishing and vishing attacks to illustrate how cybercriminals use text messaging and phone calls to perpetrate cyber-fraud.
  • Enable employees to easily report smishing and vishing attacks to you and your team.
  • If your company has a Bring Your Own Device (BYOD) policy, it’s crucial to establish rigorous procedures with respect to application updates, password protection, Wi-Fi connectivity, and observing recommended remote and mobile device cybersecurity best practices.
  • Conduct phishing simulations to evaluate and track employee awareness of the dangers of cyber-fraud. Harness this data to tailor your security awareness training and strive to concentrate on areas where your employees require further instruction.

Bear in mind, your employees are your first line of defense against smishing and vishing attacks. Direct your efforts toward providing employees with security awareness training that’s pertinent, progressive, and practical. When your employees recognize how easily smishing and vishing occur and can comprehend the implications of an effective attack, they’re more likely to keep a closer eye out for potential threats.

Final Thoughts

While no form of cyberattack can completely be prevented, being mindful of the signs can help mitigate the chances of its success. Having solid cybersecurity solutions in place for your organization can further protect against the ever-evolving techniques of cybercriminals.

To schedule a free IT assessment with DataGroup Technologies, please visit our website or call 252.329.1382 today!

Protect Your Business From Spear-Phishing Attacks With These 4 Helpful Hints


Everyone who uses the internet has access to something that a hacker wants. To obtain it, hackers might level a targeted attack directly at you.

Likely objectives may include pilfering customer data in order to commit identity theft, gaining access to a company’s intellectual property for corporate espionage, or acquiring your personal income data in an attempt to steal your tax refund or file for unemployment benefits in your name. 

Targeted attacks, commonly referred to as spear-phishing, seek to fool you into volunteering your login credentials or downloading malicious software.

Spear-phishing attacks often transpire over email. Hackers typically send a target an “URGENT” message, incorporating plausible-sounding information that’s unique to you – such as something that could have come from your tax returns, social media accounts, or credit card bills.

These schemes often include details that make the sender appear legitimate in order to get you to disregard any warning signs you might detect about the email.

In spite of corporate training and dire warnings to be cautious about who you give your password to, people still get duped by these tactics.

Another byproduct of falling for a spear-phishing scam could be inadvertently downloading malware such as ransomware. You might also be coerced into wiring funds to a cybercriminal’s account.

You can steer clear of the majority of spear-phishing scams by observing the following security measures.

 

Recognize the Basic Signs of Phishing Scams

Phishing emails, texts, and phone calls attempt to trick you into accessing a malicious website, surrendering a password, or downloading an infected file. 

This works particularly well in email attacks, since people often spend their entire day at work clicking on links and downloading files as part of their jobs. Hackers realize this, and try to exploit your natural tendency to click without thinking.

Thus, the number-one defense against phishing emails is to think twice before you click.

Check for indications that the sender is who they purport to be:

  • Look at the “From” field. Is the name of the person or business spelled correctly? Does the email address match the name of the sender, or are there all kinds of random characters in the email address instead?
  • Does the email address seem close, but a little bit off? (For example: Microsft.net or Microsoft.co.)
  • Hover over (don’t click!) any links in the email to scrutinize the actual URLs they will send you to. Do they seem to be legitimate?
  • Note the greeting. Does the sender call you by name? “Customer,” “Sir/Madam,” or the prefix of your email address (“pcutler35”) would be red flags.

Examine the email closely. Is it mostly free from spelling errors and unusual grammar?

Consider the tone of the message. Is it excessively urgent? Is its aim to urge you to do something that you normally wouldn’t?

Don’t Be Fooled By More Advanced Phishing Emails That Employ These Techniques

Even if an email passes the preliminary sniff test defined above, it could still be a ruse. A spear-phishing email might include your actual name, implement more masterful language, and even seem specific to you. It’s just a lot harder to distinguish. Then there are the targeted telephone calls, in which an unknown person or organization calls you and attempts to finagle you into relinquishing information or logging on to a shady website.

Since spear-phishing scams can be so crafty, there’s an added measure of protection you should take before responding to any request that arrives via email or phone. The most significant, preventative step you can take is to safeguard your password.

Never click on a link from your email to another website (real or fraudulent), then enter your account password. Simply log on to your account by manually typing the URL into a browser or access it via a trusted app on your mobile device. Never provide your password to anyone over the phone.

Financial institutions, internet service providers, and social media platforms generally make it a policy to never ask for your password in an email or phone call. Instead, log in to your account by manually typing the URL into your browser or access it via a trusted app on your preferred mobile device.

You can also call back the company’s customer service department to verify that the request is legitimate. Most banks, for example, will transmit secure messages through a separate inbox that you can only access when you’ve logged onto their website.

Combat Phishing By Calling the Sender

If an individual or organization sends you something they say is “IMPORTANT” for you to download, requests that you reset your account passwords, or solicits you to send a money order from company accounts, do not immediately comply. Call the sender of the message – your boss, your financial institution, or even the IRS – and make certain that they actually sent you the request.

If the request arrives by phone, it’s still appropriate to hesitate and corroborate. If the caller claims to be phoning from your bank, you’re well within your rights to inform them that you’re going to hang up and call back on the company’s main customer service line.

A phishing message will often attempt to make its inquiry appear extremely urgent, prompting you to forgo taking the extra step of calling the sender to double-check the veracity of the request. For instance, an email might state that your account has been jeopardized and you should reset your password as soon as possible, or perhaps that your account will be terminated unless you take action by the end of the day.

Don’t freak out! You can always justify taking a few extra minutes to validate a request that could cost you or your business financially, or even mar your reputation.

Lock Down Your Personal Information

Someone who wishes to spear-phish you has to obtain personal details about you in order to put their plan in motion. In some cases, your profile and job title on a company website might be sufficient to inform a hacker that you’re a worthwhile target, for whatever reason.

Alternatively, hackers can take advantage of information they’ve discovered about you as a result of data breaches. Unfortunately, there’s not much you can do about either of those things.

However, there are certain situations in which you may be divulging information about yourself that could supply hackers with all the data they need to proceed. This is a solid reason to refrain from posting every detail of your life on social media and to set your social accounts to “Private.”

Finally, activate two-factor authentication on both your work and personal accounts. This method adds an extra step to the login process, meaning that hackers require more than simply your password in order to access confidential accounts. Thus, if you do end up inadvertently giving away your credentials in a phishing attack, hackers still won’t possess all they need to access your account and make trouble for you.

By taking these tactics to heart, you will be better prepared to avoid common online scams such as spear-phishing attacks.


Top Cybersecurity Trends For 2021


Bell bottom pants, neon-colored everything, kale as a diet staple…. Trends come and go and, for the most part, we aren’t preoccupied with keeping tabs on whatever’s in fashion at the moment. But cybersecurity trends? That’s something we can certainly support!

So, what can we anticipate seeing as consumers, employees, employers, business owners, or merely members of the general public who regularly use computers?

At the time of this writing, we’re a quarter of the way through 2021. Let’s take a look at a few key cybersecurity trends we’re seeing so far.

Inside Jobs

There’s a disturbing phenomenon that is growing in popularity known as insider-threat-as-a-service (ITaaS). Yes, you can actually hire a disgruntled employee to undermine a business and compromise its data integrity by stealing information or destroying the business from the inside.

Managed services providers like us have been paying attention to ITaaS for longer than just the current year. But now that the entire hiring process for many remote employees is being conducted via video or other long-distance methods, it isn’t always a simple task to garner and build up the trust you might have commanded from years of sharing office space.

Fake IDs

Illegally obtained credentials can be utilized for more than securing a credit card. Sure, you can create an identity and establish credit – but you can take it a step further and concoct a history that doesn’t actually exist in relation to the person for whom it’s being created.

This is a significant progression from the aforementioned insider job that can occur; but it’s crucial to be aware of exactly who you’re hiring and to whom you’re providing your sensitive information.

Bigger Phish

With people being the number one risk to cybersecurity and working from home being common practice for many, an overall increase in cyberattacks can be anticipated.

Why? Because human beings are the quickest point of entry for any hacker, and unobserved humans are even easier to dupe. Subsequently, phishing scams will be even more widespread with regard to cyberattack attempts.

Final Thoughts

At the crux of any trend is the fact that it will ebb and flow in popularity over time. One trend that isn’t going anywhere, however, is the possibility of data breaches. While the outfit or the outward appearance may vary, an attempt is always made to disguise the true identity of the attacker.

The best-case scenario is for any business to implement a solid cybersecurity plan designed to protect its systems and networks from external (or internal) intrusion, thereby ensuring smooth and uninterrupted business operations and securing its employees’ and customers’ vital data.

DataGroup Technologies, Inc. (DTI) can help you do just that! Reach out to us today by calling 252.329.1382 or visit our website to schedule a free IT assessment for your business.


Don’t Let Your Employees Become Your Biggest Vulnerability!


A couple of years ago, TechRepublic ran a story with the following headline: “Employees Are Almost As Dangerous to Business As Hackers and Cybercriminals.” From the perspective of the business, you might think that’s simply inaccurate. Your company strives to hire the best people it can find – people who are good at their jobs and would never dream of putting their own employer at risk.

And yet, many employees do – and it’s almost always unintentional. Your employees aren’t thinking of ways to compromise your network or trying to put malware or ransomware on company computers, but it happens. One Kaspersky study found that 52% of businesses recognize that their employees are “their biggest weakness in IT security.” 

Where does this weakness come from? It stems from several different things and varies from business to business – but a big chunk of it comes down to employee behavior.

Human Error

We all make mistakes. Unfortunately, some mistakes can have serious consequences. Here’s an example: an employee receives an e-mail from their boss. The boss wants the employee to buy several gift cards and then send the gift card codes to them as soon as possible. The message may say, “I trust you with this,” and work to build urgency within the employee.

The problem is that it’s fake. A scammer is using an e-mail address similar to what the manager, supervisor, or other company leader might use. It’s a phishing scam, and it works. While it doesn’t necessarily compromise your IT security internally, it showcases gaps in employee knowledge. 

Another common example, also through email, is for cybercriminals to send files or links that install malware on company computers. The criminals once again disguise the email as a legitimate message from someone within the company, a vendor, a bank, or another company the employee may be familiar with. 

It’s that familiarity that can trip up employees. All criminals have to do is add a sense of urgency, and the employee may click the link without giving more thought.

Carelessness

This happens when an employee clicks a link without thinking. It could be because the employee doesn’t have training to identify fraudulent e-mails or the company might not have a comprehensive IT security policy in place. 

Another form of carelessness is unsafe browsing habits. When employees browse the web – whether it’s for research or anything related to their job or for personal use – they should always do so in the safest way possible. Tell employees to avoid navigating to “bad” websites and to not click any link they can’t verify (such as ads). 

Bad websites are fairly subjective, but one thing any web user should look for is the presence of “https” at the beginning of any web address. The “s” tells you the site is secure. If that “s” is not there, the website lacks proper security. If you input sensitive data into that website – such as your name, e-mail address, contact information, or financial information – you cannot verify the security of that information, and it may end up in the hands of cybercriminals. 

Another example of carelessness is poor password management. It’s common for people to use simple passwords and to reuse those same passwords across multiple websites. If your employees are doing this, it can put your business at a huge risk. If hackers get ahold of any of those passwords, who knows what they might be able to access. A strict password policy is a must for every business.

Turn Weakness Into Strength

The best way to overcome the human weakness in your IT security is education. An IT security policy is a good start, but it must be enforced and understood. Employees need to know what behaviors are unacceptable, but they also need to be aware of the threats that exist. They need resources they can count on as threats arise so that they can be dealt with properly. Working with a trusted managed services provider or IT services firm may be the answer – they can help you lay the foundation to turn this weakness into a strength.

Final Thoughts

DataGroup Technologies provides businesses of all sizes with security awareness and best practices training. Our goal is to make sure that your staff can identify threats and remain proactive. Knowledge is power, and well-informed employees can serve as a human firewall for your organization. For more information about our security awareness training solutions, please call us at 252.329.1382 or drop us a line here!


How To Secure Your Business Website In 2022


If you have a booming business website that’s raking in profits and helping you establish your brand, that’s great! However, you still need to make sure your site is protected from hackers and trolls who might want to tarnish your image. To ensure continued success and prevent bad actors from appropriating your intellectual property, follow these tips to help better secure your business website.


Are You Protected Against Business Email Compromise Attacks?


On May 4th, 2022, the FBI published a public service announcement updating its warnings about the continuing threat of business email compromise, also known as CEO fraud. It’s a problem that has reached staggering proportions. Between June 2016 and December 2021, the FBI quantified 241,206 domestic and international incidents of business email compromise. The exposed dollar loss – including both actual and attempted losses – was more than $43 billion!

What Is Business Email Compromise?

According to TechRepublic, business email compromise (BEC) is “a sophisticated scam that targets companies and individuals who perform legitimate transfer-of-funds requests.”

Through the use of social engineering or malware, cybercriminals will masquerade as one of the individuals involved in these money transfers to trick the victim into sending money to a bank account owned by the cybercriminal. Once the fraud is exposed, it’s often too late to recoup the money. Scammers are quick to relocate the money to other accounts and withdraw the cash or use it to buy cryptocurrencies.

However, the scam is not always associated with an unauthorized transfer of funds. One BEC variation involves compromising legitimate business email accounts and requesting personally identifiable information (PII), wage and tax settlement (W-2) forms, or even cryptocurrency wallets from recipients.

How to Protect Your Business Against BEC Attacks

In the public service announcement, the FBI offers several suggestions for businesses to adopt to better protect against business email compromise attacks.

  • Use secondary channels (such as phone calls) or multi-factor authentication to validate requests for any changes in account information.
  • Ensure that URLs in emails are associated with the businesses or individuals from which they claim to be originating.
  • Keep an eye out for hyperlinks that contain misspellings of the actual domain name.
  • Steer clear of providing login credentials or PII of any sort via email. Bear in mind that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails – especially when using a mobile or handheld device – by making sure the address appears to match that of the purported sender.
  • Enable settings on employees’ computers to allow full email extensions to be viewed.
  • Monitor your personal financial accounts routinely for irregularities, such as missing deposits.
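
The sender, greeting, and link checks listed under “Recognize the Basic Signs of Phishing Scams” and in the FBI recommendations above can be partly automated. The following Python script is an added example, not code from DataGroup Technologies or the FBI; the trusted-domain list, the sample message, the 0.85 similarity threshold, and all function names are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: domains your organization really deals with (constructed list).
TRUSTED_DOMAINS = ("microsoft.com", "example-bank.com")
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)
GREETING_RE = re.compile(r"\b(?:dear|hello|hi)\s+([^,<\n]+)", re.I)

# Constructed sample message combining the red flags the article lists.
SAMPLE = """\
From: "Microsoft Support" <security@account.microsft.net>
To: pcutler35@example.org
Subject: URGENT: verify your account
Content-Type: text/html; charset="us-ascii"

<p>Dear pcutler35,</p>
<p>Your account will be terminated today. Sign in at
<a href="http://login.microsoft.co/reset">www.microsoft.com</a>.</p>
"""


def domain_of(text):
    """Registrable domain (naively, the last two labels) of a URL or host; '' if none."""
    match = DOMAIN_RE.match(text.strip())
    return ".".join(match.group(1).lower().split(".")[-2:]) if match else ""


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        # Ratio 1.0: right name, wrong TLD (microsoft.co); just below: a typo (microsft.net).
        if SequenceMatcher(None, name, trusted.split(".")[0]).ratio() >= 0.85:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return the list of red flags found in one email given as RFC 5322 text."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr.rpartition("@")[2])
    if lookalike_of(sender):
        findings.append(f"sender domain {sender} resembles {lookalike_of(sender)}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and sender != trusted:
            findings.append(f"display name claims {brand} but address is at {sender}")
    body = next((part.get_payload(decode=True).decode(errors="replace")
                 for part in msg.walk() if part.get_content_type() == "text/html"), "")
    to_prefix = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    greeting = GREETING_RE.search(body)
    if greeting and greeting.group(1).strip().lower() in {"customer", "sir/madam", to_prefix}:
        findings.append(f"generic greeting: {greeting.group(1).strip()}")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target, shown = domain_of(href), domain_of(text)
        if shown and target != shown:
            findings.append(f"link text shows {shown} but goes to {target}")
        if lookalike_of(target):
            findings.append(f"link domain {target} resembles {lookalike_of(target)}")
    return findings


if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

A message with no findings is not thereby safe: a compromised legitimate account passes every one of these checks, which is why the secondary-channel verification in the first recommendation still applies.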

What to Do If You or Your Company Should Fall Victim to a BEC Attack


Final Thoughts

Cybersecurity has never been more important. We live in an increasingly connected world, which enables cyberattackers to constantly find new ways to carry out digital attacks. Even the most vigilant business owners and IT managers can become overwhelmed with the stress of maintaining network security and protecting their data.

These increasingly advanced cyberattacks create unprecedented situations of data breach and money extortion. The tools that hackers use are getting smarter and stronger every day. If you’re not proactive about protecting your network, your business will become a target of cybersecurity attacks.

DataGroup Technologies, Inc. (DTI) offers a wide variety of cybersecurity services to help protect your business from cyberthreats, including security risk assessments, email security solutions, web/DNS filtering, next-generation firewalls, network security monitoring, operating systems/application security patches, antivirus software, and security awareness training. If you’re not 100% certain that your business is protected from cybercriminals, contact us today at 252.329.1382 or message us to find out more about how we can help #SimplifyIT!
