Phishing for Your Information: Smishing and Vishing Explained

Did you know that 85% of phishing attacks are happening over SMS messaging, gaming, social and productivity apps and over the phone? Continue reading to find out how you can protect yourself from smishing and vishing attacks and what to do if you’ve fallen for one.

Smishing

Smishing is a phishing scam that uses Short Message Service (SMS) messages that look and sound like they are coming from a trusted source. Smishes often contain URLs or malicious links that, once clicked, are used to steal whatever personal information you enter.

Smishing attacks are on the rise since SMS does not require authentication beyond a phone number. This means that it’s up to the recipients of smishing attacks to determine whether the message is fraudulent or legitimate. What’s more, some organizations do send SMS messages from spoofed, borrowed or shared phone numbers, which makes spotting a smish even more difficult.

Unlike with phishing emails, URLs embedded in SMS messages can be hard to verify without accidentally opening the link. Most URLs in smishing attacks are also shortened using common URL shorteners, which adds an extra layer of difficulty in determining whether a text is a threat or legitimate.
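One way to inspect the links in a suspicious text without opening them, as an added example that is not part of the original article: the Python sketch below pulls URLs out of an SMS body and flags hosts that hide or obscure the destination. It goes slightly beyond shorteners by also flagging raw IP and punycode hosts; the shortener list and the sample messages are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed sample of well-known shortener hosts; extend it from your own reports.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "cutt.ly", "rebrand.ly"}

# Explicit http(s) URLs first, then bare "host.tld/path" forms common in SMS.
URL_RE = re.compile(r"https?://\S+|(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample messages (not real smishes).
SAMPLES = [
    "Your parcel is held. Confirm your address at bit.ly/3xEXAMPLE today.",
    "CRA refund pending: http://192.0.2.10/refund",
    "Your appointment is confirmed. Details: https://www.example.org/appointments/42",
]


def triage_sms(text):
    """Return [(url, [flags])] for each link in an SMS body. Nothing is fetched."""
    findings = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")
        url = raw if "://" in raw else "http://" + raw  # scheme needed for parsing only
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed netloc, e.g. stray brackets
            host = ""
        bare = host[4:] if host.startswith("www.") else host
        flags = []
        if bare in SHORTENERS:
            flags.append("shortener")  # real destination is hidden
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal")  # no domain name to recognise
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode")  # may render as a look-alike name
        findings.append((raw, flags))
    return findings


if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

A flagged link is not proof of fraud, and an unflagged one is not proof of legitimacy; the flags only tell you which links deserve checking through the sender's official website or phone number instead.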

Vishing

Vishing is a combination of “voice” and “phishing.” Spotting a vishing attack can be challenging, as cybercriminals can use a modified caller ID that makes their number look like a familiar or trusted number. VoIP (Voice over Internet Protocol) technology, on platforms like Skype or Zoom, is also commonly used in vishing attacks.

Many VoIP users don’t need to provide valid caller ID data, which makes committing fraud easy. However, law enforcement and judicial systems are aware of vishing attacks and are actively seeking to inform the public of this potential threat and track down cybercriminals. Earlier this year, both the FBI and CISA issued an alert warning folks of the dangers of vishing attacks. They also noted that cybercriminals are going through targeted employees’ social media and other publicly accessible information in order to make their vishing attacks more convincing.

What Cybercriminals Want You to Do

Like other phishing attacks, cybercriminals who craft smishes and vishes are hoping that you react quickly without fully considering the situation and give away your personal information. These attacks are generated to play on your emotions and have you react out of fear, surprise or anger among other emotions. The best thing you can do to protect yourself is to stop and think before you react.

Popular Smishing and Vishing Attacks

Smishing – Job Opportunity Scam: Many phishing scams prey on folks who are looking for a job. Popular examples of scams that have been reported to the Canadian Anti-Fraud Centre include:

- Car wrapping
- Counterfeit cheque
- Financial agent
- Mystery shopper

All of these scams involve depositing a counterfeit cheque into your personal bank account and then depositing funds into a fraudulent bank account. With the car wrapping scam, the attacker sends a message that you can earn money by wrapping your vehicle with a “company” logo. If you respond to the smish, then you receive further instructions and the counterfeit cheque in the mail. The mystery shopper and counterfeit cheque scams work similarly, although with the mystery shopper scam you may be asked to purchase pre-paid cards or gift cards in addition to depositing the counterfeit cheque. The financial agent scam has you receive money from compromised accounts or other fraud victims into your personal account. You are then directed to deposit the money, often via Bitcoin, to a company representative. This scam is especially dangerous as you can be arrested for money laundering.

Vishing – Taxpayer or Canada Revenue Agency Scam: For this vishing scam, the cybercriminal will claim to work for either the CRA or Service Canada and will claim that one or more of the following has occurred to your account:

- A compromised SIN number
- Outstanding case against you
- Owe back taxes
- Have unpaid balances
- Committed a financial crime

The caller will usually prey on your fear that something terrible has happened because of your compromised SIN number, or that you have unknowingly committed a financial crime. Attackers use this fear to demand that you disclose sensitive information to them or else risk being arrested, deported or fined. Typically, payment is requested via pre-paid cards or gift cards, Bitcoin or a money service business.

The CAFC has a detailed list of reported phishing scams that can be found here.

How to Protect Yourself from Smishing and Vishing Attacks

There are many ways that you can protect yourself from smishing and vishing attacks. Here are the top three ways you can avoid falling victim to smishes and vishes:

- Use Common Sense: Stop and think before replying to or answering voice messages, texts or emails. Remember that cybercriminals want you to act fast without thinking – they count on it, in fact!

- Don’t Answer: If you receive a call from a number that is blocked, unknown or suspicious sounding – don’t answer it! By not answering or by hanging up on a call, you are protecting your private information and thwarting cybercriminals who want to steal it.

- Report: In the US, the Federal Trade Commission makes it easy to report telephone scams. In Canada, if you’ve fallen for a scam, fraud or cybercrime, contact your local police. You are also encouraged to report an instance of scam, fraud or cybercrime by filing a report with the Canadian Anti-Fraud Centre.

In Canada, most cybercrimes and frauds are not reported to the police. In 2020, the RCMP began pilot testing on a new cybercrime and fraud reporting system that is scheduled to be fully operational in 2023-2024. This new system will allow investigators to make links between similar reports, identify and prioritize reported threats and incidents as well as coordinate investigations nationally and internationally.
