
Phishing, Vishing and Smishing: What’s the Difference?

Written by Ella Taylor | Nov 16, 2021

To the untrained eye, these words might look like gibberish, but in reality, these are cyber threats that can be quite damaging. In fact, it's very likely that each and every one of you reading this has been affected in some way by one or more of them. 

Let’s take a deep dive into each of these cyber threats and establish the key differences…


Phishing 

Ok, so you’ve probably heard of phishing. Think Nigerian princes and HMRC lawsuits. Go ahead and check your junk folder now and you’ll probably see enough spam emails to fill a library! 

Phishing is generally associated with fraudulent emails, whereby an unsuspecting victim is targeted by an email claiming to be from a trusted source but is actually seeking to acquire sensitive information or inject malware into the victim’s systems.

Phishing is a type of social engineering attack, a term describing the psychological manipulation of someone into doing or revealing certain things. 

These attack methods are usually quite popular among hackers, as they can be set up with relative ease and rely on human error. Humans are notoriously easier to trick than breaking through system or network defences. 

It’s no surprise then that 83% of cyber attacks are phishing related.

Phishing attempts are getting more and more sophisticated, and when you consider that the recipient will often be a busy employee trying to handle lots of different things at once, it’s understandable that so many manage to get duped by these sneaky emails. 

Hackers are well versed in convincingly disguising themselves as a company or individual you would normally trust, particularly when they already have certain pieces of information about you.

In 2020, the companies most often impersonated in phishing emails included PayPal, Microsoft and Facebook - these are brands we use every day, so we’re not likely to be suspicious at first when an email comes in that appears to be dressed up in all the right ways. 

The threat has become even more severe in the last couple of years, over the course of the pandemic, with the rise of remote working. Email scams rose by a massive 220% during this period. 

This is probably down to a few different reasons. When at home in a familiar and comfortable environment, we are likely to be even less vigilant, perhaps even using work devices for personal use, increasing the cyber risk further. Without corporate visibility and control over every employee’s activities, it becomes largely the responsibility of the individual to be extra scrupulous when it comes to email communications. 

There isn’t the luxury of turning to the person next to you in the office to get a second opinion, so without being given proper cyber security training, it is very probable that an employee clicks on or responds to a phishing email.  


So how do you spot a phishing email?

Of course, if you look a little closer, there are some tell-tale signs of a phishing email and definitely best practices to adhere to if you want to do your part as an employee of a business.

Often, there will be issues with sender names, emails or domains. Even if just one character is changed, it can look perfectly normal scanned over, but remember to look a little harder if it’s not an email you were expecting. 

Hackers aren’t the best spellers, so any mistakes in the email copy could point to something suspicious. Further to this, if the words sound urgent and are asking you to do something, take a second and double-check with the company or individual the email is purporting to be from. 

This is particularly relevant in cases of business email compromise, where the email may genuinely have been sent from your colleague or boss’ account, but it is actually a hacker who has gained access. 

It can feel unusual to question a colleague’s email request, particularly if it’s someone above you, but if they are asking for sensitive information or the transfer of funds, it’s always best to be sure. 
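One way to turn the first warning sign above (a sender domain or display name that is a character or two off a brand you trust) into a check that can be run over mail headers. This is an added example, not code from the original post; the trusted-domain list, the homoglyph table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed list of domains this organisation treats as trusted (assumption).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "facebook.com"}

# Character sequences that look alike in many fonts; used to fold lookalikes.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold homoglyph sequences so 'rnicrosoft.com' compares equal to 'microsoft.com'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str) -> dict:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown', with reasons."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "reasons": reasons}
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(normalise(domain), normalise(trusted)) <= 2:
            reasons.append(f"domain is within two edits of {trusted}")
        elif brand in domain:
            reasons.append(f"brand '{brand}' embedded in an unrelated domain")
        if brand in display.lower():
            reasons.append(f"display name claims '{brand}' but domain is not {trusted}")
    verdict = "lookalike" if reasons else "unknown"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["PayPal <service@paypal.com>", "PayPal Support <alerts@paypa1.com>",
                "Microsoft Account <no-reply@rnicrosoft.com>", "Dave <dave@somewhere.org>"]:
        print(hdr, "->", check_sender(hdr))
```

A 'lookalike' verdict is a prompt to verify through a known-good channel, not proof of fraud: legitimate newsletters and partner domains will sometimes trip the brand-embedding rule.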


Vishing

Vishing is an abbreviated term for ‘Voice Phishing’.

You got it, phone calls or voice messages with similar intentions to phishing - tricking someone into handing over certain information or funds. No, whoever coined the term ‘Vishing’ was not particularly creative. 

Phone fraud has been extremely lucrative in the past for hackers; an increase in vishing attacks in 2014 cost UK consumers around £23.9m.

Just like with phishing emails, phone scammers will often call up claiming to be from a legitimate company. They may claim to be a bank accusing you of fraud and telling you that you need to give them your details to clear it. 

When it’s a phone call, it can be even more stressful for the person on the receiving end, especially if they’re being told they’ve done something wrong. In moments of heightened emotion like that, however, we’re even more likely to make mistakes - this is what the scammer is hoping for. 


How do vishing hackers get my number?

Picture it. You get a strange call in the middle of the afternoon from someone claiming your computer needs additional software installed or it’s going to be vulnerable. 

Hopefully, you cotton on that this isn’t actually a well-meaning do-gooder and they’re probably trying to get you to install malware onto your systems, but you’ll still furiously put down the phone wondering, ‘how did they even get my number?!’.

Well, hackers can find phone numbers in a variety of ways, but the best place to hunt for data is the Dark Web. It is an absolute treasure trove of data, where hackers can grab all kinds of personal information, including phone numbers. 


Common scams and how to spot them

Typical vishing scams will involve a hacker claiming to be from somewhere like your bank or HMRC, usually telling you there’s an issue with your account or tax returns. They might need you to prove your account by providing login credentials, but this should always be the first red flag. 

Some may even offer some information they already have on you to show they are legit, but you shouldn’t let this fool you either. If you did not request contact from these people and they ask you for personal information, always hang up and check the situation out yourself. 


Smishing

Last on the list - smishing. When a text message, or SMS, is sent to someone requesting personal or financial information this is known as smishing. 

With over 55.5m people owning smartphones in the UK, it’s unsurprising that this is a popular entry point for hackers and scammers. It’s often easier for a hacker to find phone numbers than emails too, which is why smishing attacks are rising - we saw a 700% increase in smishing reports in the first half of 2021 alone.

While most people are aware of the dangers of phishing emails and usually know what to look out for, it doesn’t tend to be expected as much on your phone, so it can be easier to miss the signs. If you consider how many mobile phone users are often on the go and in a rush, you can see how easy it must be for someone to click on a fraudulent text when it comes in before you’ve even had a chance to think. 

Just like with phishing, hackers targeting your mobile device may be looking to get you to install malware or take your personal data by getting you to input information on a fake site that feeds it right back to the hacker. 

As more and more business employees use their own mobile devices at work, smishing can be as much a business threat as it is to an individual consumer, so it is important to know how to spot it and what to do about it. 


Protecting against smishing attacks

Generally, if you don’t recognise the sender of a text, you should never be replying to it. Banks should never request information over text or tell you to update account details. If there’s a link, it’s likely to be fraudulent and you should directly contact your bank to alert them. 

If you think you’ve responded to a smishing text or provided personal details, contact your bank to let them know. You can also forward any suspicious messages to your phone provider using the shortcode 7726 so the message’s origin can be investigated. 

Many people also choose to make their phone number unlisted, to make it harder for hackers to get hold of it in the first place.

The majority of cyber attacks are successful because they use social trickery, often playing with emotions, to catch someone out, and phishing, smishing and vishing are perfect examples of this. The best way to stay safe is to be aware of these different kinds of attacks, particularly as they evolve, and know how to respond to them properly. 

The most effective response is to simply ignore anything that doesn’t quite sit right and always avoid handing over any personal information until you have officially confirmed the legitimacy of that contact.


So..

Whether it’s phishing, vishing, or smishing, stay sceptical and take time to fully assess the situation before you act.