Phishing, vishing and smishing attacks – what are they and how can I spot them?
What is phishing
Phishing is the most common type of social engineering attack: cyber criminals pose as a trusted party to trick victims into revealing personal information, handing over login details, or installing malware on their devices.
Different types of phishing
Mass-market phishing is the most common type of phishing. Cyber criminals cast a wide net, sending the same message to large numbers of recipients. These emails contain little personalisation and will usually pose as a large corporation.
Spear phishing is a highly targeted type of phishing, tailored to a specific victim or group of victims using personal data. This data is usually stolen or gathered from public sources before the attack.
Whaling is a specialised type of spear phishing: a personalised attack aimed at figures of authority in a company, such as the CEO or CFO. Usually the cyber criminal is looking to steal their login details so that they can impersonate them and authorise or direct payments.
Other methods of phishing
Phishing is the generic term for email-based attacks, but the same tricks are used over other channels:
Vishing (voice phishing) is where the criminal contacts the victim by phone call.
Smishing (SMS phishing) is where the cyber criminal uses text messages or other direct messages, rather than email, to push the victim into taking action.
Ways you can recognise a phishing email
The sender address
One indicator of a phishing email is the use of a public webmail domain, for example @gmail.com. Most companies, except some small operations, use their own email domain; here at Geeks we use @geeks.co.uk. Cyber criminals can also impersonate a company with a lookalike domain that differs subtly from the real one, such as @geeks-it-support.co.uk rather than @geeks.co.uk, so check the part after the @ character by character rather than relying on the display name shown next to it.
A generic greeting
With a mass-market phishing attack the email will generally not be personalised. It may open with a generic greeting such as ‘dear valued member’, or use the local part of your email address to guess your name, e.g. ‘hi john.smith’.
Microsoft Outlook can also flag such messages with an unverified sender alert shown at the top of the email.
An unprofessional tone
An email from a large company is usually checked thoroughly before it is sent out, so if the email has an unprofessional tone, spelling mistakes or grammatical errors, it is right to be suspicious.
The URL does not match the link text
If you suspect an email may be phishing, hover your cursor over the link text (without clicking) and your mail client will reveal the real hyperlink. Often the written URL looks valid but the underlying link points somewhere completely different; if so, treat the email as suspicious. On a phone, a long press on the link usually shows the destination in the same way.
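The two checks above (the sender's domain, and whether the visible link text matches the real hyperlink) can be applied mechanically to a raw email, which is useful when triaging reports at a service desk. The script below is an added example written for this page, not code from Computer Geeks; the sample message is constructed for the example, and the expected domain geeks.co.uk, the lookalike geeks-it-support.co.uk, the destination login-verify.example.net and the short public-webmail list are all assumptions.

```python
# Added example (not from the original article): parse a raw email and apply
# two of the checks described above.
#   1. Is the From domain the expected company domain, a public webmail
#      domain, or a lookalike that merely contains the company name?
#   2. Does any <a> element show a URL as its visible text while its href
#      points at a different host?
# The message and domains below are constructed for this example.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "geeks.co.uk"  # assumed: the domain the company really sends from
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # short illustrative list

SAMPLE_EMAIL = """\
From: "Geeks Support" <helpdesk@geeks-it-support.co.uk>
To: john.smith@example.com
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued member,</p>
<p>Please verify your account within 24 hours at
<a href="http://login-verify.example.net/geeks">https://www.geeks.co.uk/login</a>
or your access will be removed.</p>
</body></html>
"""


def classify_sender(domain, expected=EXPECTED_DOMAIN):
    """Classify the sender's domain: match, public, lookalike or other."""
    domain = domain.lower()
    if domain == expected or domain.endswith("." + expected):
        return "match"
    if domain in PUBLIC_WEBMAIL:
        return "public"
    if expected.split(".")[0] in domain:  # company name buried in another domain
        return "lookalike"
    return "other"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (text, href) pairs where the text looks like a URL but the href host differs."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        if not shown.hostname or "." not in shown.hostname:
            continue  # plain words such as "click here": nothing to compare against
        real_host = (urlparse(href).hostname or "").lower()
        if shown.hostname.lower() != real_host:
            found.append((text, href))
    return found


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["from"].addresses[0].domain
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": classify_sender(sender), "mismatched_links": mismatched_links(html)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

For the constructed message this reports the sender as a lookalike of geeks.co.uk and flags one link whose visible text claims to be www.geeks.co.uk while the real destination is login-verify.example.net. A service desk could extend the same skeleton to check every URL in a reported message against a list of the company's genuine domains.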
The email requests sensitive information
If an unexpected email asks for sensitive information such as passwords, bank details or changes to payment details, contact the sender directly to confirm, using a phone number or email address you already have rather than the contact details given in the message.
The email creates a sense of urgency
Phishing emails often demand that the recipient acts fast or face some consequence, such as an account being closed. Take your time to assess the email; a genuine organisation will rarely need you to act within minutes.
Ways you can recognise vishing
The caller creates a sense of urgency
In a vishing attack, the caller will often create a sense of urgency and/or fear, for example claiming that your account has been compromised and you need to act quickly. Sometimes they offer prizes or deals that sound too good to be true.
The caller asks for personal details
The caller may ask you to confirm personal details such as your address, bank information and more. They may already hold some genuine information, such as your name and address, to convince you they are who they claim to be. If a caller asks you for personal information, it is right to be sceptical: hang up and call the organisation back on a number you already know to be genuine.
Ways you can recognise smishing
You haven’t subscribed to contact via text
Sender numbers and names can be spoofed so that a message appears to come from a legitimate individual or company. If you haven’t signed up to receive text messages from that company, it may be an SMS phishing attack. Sometimes cyber criminals already hold some genuine information which they use to make the message more believable, for example the last 4 digits of your card number.
The message creates a sense of urgency
SMS phishing attacks use urgency to push victims into clicking links, either as a fear tactic or as a time-limited offer of financial gain.
The message includes an unknown URL or number
Phishing messages usually include a link to follow or a number to call. Don’t click the URL or call the number if you suspect phishing. Check that the URL points to the official domain of the company (the part immediately before the first single ‘/’ after ‘https://’, not just whether the company name appears somewhere in the link) and that the number matches one of the company’s official contact numbers published on its website.
How to stay safe from phishing attacks
If you receive contact which you believe could be phishing, don’t click any links or open attachments, and for vishing calls, don’t respond with phone buttons or voice commands. Phishing attacks rely on the victim taking action. Assess the situation using the points above.
Verify the sender directly
If you are not sure whether the message is genuine, contact the company it claims to be from directly. Most large organisations publish a contact number on their website; use that, rather than any number given in the message, to verify whether the communication came from them.
Report any suspected phishing attacks to your IT support company
Our customers can report any potential phishing attack to our service desk. Our service desk can take a look and verify whether the message is legitimate and, if required, one of our engineers can check for any unusual activity on their systems and support the user or users with the next steps.
Strengthen your cyber security
There are some great cyber security features you can use to protect your company from cybercrime, such as multi-factor authentication (MFA), advanced email security and backups. Here at Computer Geeks, we provide all of these through Geeks 365 secure, which better secures your core cloud services; all of these are also present in our Geeks Cloud Solution.