Smishing, Vishing, Spear-phishing - why these types of cyber attacks happen and what can you do

Most of the data breaches we hear about on the news are executed to extract money or personal information from its targets. In 2016, the Democratic National Committee was hacked by the Russian government, resulting in the release of tens of thousands of emails and the manipulation of our country’s democratic elections. This act didn’t take an army of hackers, hurriedly typing, attempting to break through one firewall after another. Russian hackers simply crafted and sent emails to specific people, for example, Chairman John Podesta, tricking them into believing that the email was from Google. This allowed hackers to obtain their login and password credentials. This breach was enacted through a tactic called spear-phishing. And this is just one type of social engineering tactic used to con millions of dollars annually. 

What are Smishing, Vishing, and Spear-Phishing?

Phishing is a social engineering tactic used by hackers to obtain sensitive data, such as financial information or login details. Attackers send fraudulent emails, disguised as legitimate emails from a trustworthy institution, in order to deceive targets into giving personal information. Smishing, vishing, and spear-fishing are derivatives of phishing, each utilizing either different means of communication or different targeting schemes. Smishing uses SMS messages and texts to mislead targets, and vishing uses communication via phone to trick victims. Both use the guise of legitimate organizations to cheat their targets.

Why Do Hackers Use These Types of Attacks?

Hackers use these types of attacks because they have higher success rates than typical methods of hacking, while typically requiring less expertise to execute. For these reasons, the frequency of phishing attacks, as well as smishing, vishing, and spear-phishing attacks are increasing. 

Hackers have placed great emphasis on smishing because text messages have approximately a 98% open rate and a 45% response rate, statistics much higher than other mediums of communication. According to the Verizon 2020 Mobile Security Index report, 39% of companies suffered a mobile-related security compromise, and 85% of attacks seen on mobile devices now take place via mediums other than email. Proofpoint's 2020 State of the Phish Report indicates that approximately 84% of organizations faced smishing attacks.

Vishing attacks have also been on the rise recently. CSO Online reports that in 2018, vishing calls represented roughly 30% of all phone calls. Though the website notes that only 6% of victims lose money, the average amount is almost $1000. Vishing can be particularly persuasive though. The same report comments that 75% of scam victims said that vishers, or the perpetrators of vishing attacks, have key pieces of personal knowledge, which allow them to target and exploit the victims. 

Spear-phishing has become increasingly inviting as well, as spear-phishing campaigns targeting employees increased by 55% in 2016 as reported by the 2016 Symantec Internet Security Threat Report. The same report states that even now, 65% of attackers use spear-phishing as a primary mode of infection. Targeting specific people, oftentimes people with great power, influence, or wealth, can allow for great benefits. 

Overall, these forms of phishing can result in chaos and require significant sums to rectify. Successful phishing attacks cost an average of $3.86 million according to Norton. Spear-phishing emails can sometimes cost more. Small Business Trends says that spear-phishing payouts average $7.2 million. Some have to pay more. In 2015, 78.8 million health plan records were stolen from Anthem as a result of an employee responding to a spear-phishing email. Anthem had to pay 16 million dollars to the Office for Civil Rights (OCR) and settle a class-action suit for $115 million. 

WEBINAR ON DEMAND - CLICK ON IMAGE TO VIEW WEBINAR

What Can Businesses Do to Protect Themselves?

Businesses should train their employees to recognize the hallmarks of classic social engineering strategies. Employees should always have a healthy level of suspicion when reading their emails and texts, or while answering the phone.

For SMS messages and texts, employees should:

• Never click on unknown messages or links. If in doubt, verify the authenticity of the link by contacting the sender through some other means, not by responding to that email or text.
• Never reply to messages regarding financial or regulated information.
• Never reply to a message urging a quick reply.
• Never reply to messages from phone numbers with the number “5000”. 5000 is tied to email-to-text services and is a method for social engineers to mask their phone numbers. 
• Confirm with associates and businesses related to message before proceeding. 

Regarding phone calls, employees should: 

• Be cautious when answering calls from unfamiliar or unknown phone numbers.  If it turns out to be a spam call, you can block that number from calling you again. In the US, the Federal Communications Commission (FCC) offers suggestions here on how to implement call blocking.
• Block robocalls. If you pick up the phone and you get a recorded message instead of a live person, that's a robocall. Many companies use auto dialers and recorded messages to deliver offers like vacation packages, reduced electricity bills, elimination of credit card debt and such potentially fraudulent schemes. The Better Business Bureau offers some excellent tips on how to spot and stop robocalls. 
• Sign up for the Do Not Call Registry if you are in a country which has one.  If you are in the US, visit this page on the Federal Trade Commission (FTC) website to learn how to include your number on the National Do Not Call Registry. 
• Never share sensitive information over the phone without confirming or double-confirming the identity of the caller.  For instance, if a caller asks you to make a payment on the phone that you know you need to make, ask him or her if you can call the company's main published number and get transferred to the right department to make the payment.  If the caller refuses to give you that option, there is something "phishy" about the call! 

Regarding spear-phishing, employees should: 

• Encrypt all sensitive company information.  The company should ideally have encryption tools implemented to protect sensitive data.
• Regularly update systems, ensuring compliance with the latest security standards.
• Enact multi-factor authorization whenever possible. Multi-factor authorization requires two pieces of identification in order to access data, which makes it far more difficult for hackers to imperil data. 
• Carefully examine all suspicious emails to avoid potential threats. 

Essentially, smishing, vishing, and spear-phishing are becoming increasingly popular tactics for hackers to breach companies’ critical systems. Though typical phishing strategies are still very commonly used, many companies have properly trained employees to recognize and avoid phishing emails. For this reason, attackers are relying more and more on smishing, vishing, and spear-phishing. Though these attacks appear to be difficult to detect, it is quite the opposite. There are some clear indications that a message, call, or email is a social engineering attack. Businesses should train their staff to recognize the hallmarks of smishing, vishing, and spear-phishing, and implement procedures to reduce the probability of a successful social engineering attack. 

Cybersecurity awareness training should not only be about providing classroom or virtual training to employees once in a year or once in 6 months, but should also include periodic reminders, tips, quizzes, etc. to keep cyber attacks and protection top of mind for employees.