Personal data has become one of the most valuable and sought-after currencies. We deal in it and trade it without thinking, each and every day, opening ourselves and our most private information to attackers who would use it against us. Spotting phishing attempts has become de rigueur for most Internet users. If you’ve ever signed up to anything online, there is a good chance your full name, home address, email address and phone number have also changed hands. Armed with this, scammers can attempt to exploit you.
We like to think we are too clever to be tricked by the obvious scams. That our knowledge of how common phishing scams are pulled off makes us superior to old Mrs. Bethel down the road, who couldn’t spot a “Nigerian Princess” from a mocked-up PayPal Invoice. It might even be somewhat true. But the fraudsters don’t rest, and as we have seen with the growth in Vishing and Smishing exploits, they are happy to utilize new attack vectors to exploit your trust.
What should you be looking out for? How will you know a vishing or smishing attempt when it arrives? And are you likely to be a target?
Let’s take a look.
What Are These New Techniques?
Phishing attempts usually come through email or instant messaging. The victim receives an email or instant message with a spoofed sender field, containing a message requiring an instant response. The fraudulent email or instant message contains a link directing the victim to a fake website where they usually enter a personal piece of information, such as a password, their work login credentials, or other identifying information.
While phishing existed long before the Internet, our capacity to engage with social media, connect with people through email, and generally place trust in online systems we don’t fully understand (including banking) has curated a golden period for would-be scammers. Their Midas touch continues with the “introduction” of vishing and smishing exploits.
Voice phishing, referred to as Vishing, is a common electronic fraud technique seeing an increase in usage. It largely relies on the victim’s tendency to place trust in the sanctity of a landline versus other communication platforms, such as their mobile phone, or email.
[Embedded tweet from Social-Engineer, Inc (@SocEngineerInc), April 12, 2016]
A vishing attack usually has the primary goal of extracting banking details or other important personal information from the victim, and is usually carried out with automated dialing and voice-synthesizing equipment. However, there are increasing reports of human operators pressing their victims to part with their details. Vishing attacks are usually very difficult to trace, even more so with the advent of extremely cheap Voice-over-IP (VoIP) services and automated calling services.
[Embedded tweet from Social-Engineer, Inc (@SocEngineerInc), April 13, 2016]
One common attack technique involves the victim simply answering the attacker’s call. They then hear the spiel the scammer has decided to use, usually involving an immediately actionable request concerning their credit card or unusual banking activity. The victim is then provided with a spoofed phone number to call.
One of two things now occurs. Either:
- The victim will be met with an automated voice system requiring the victim to enter their credit card, debit card, or other banking details, along with their PIN numbers and other personal identifiers, or
- When the victim hangs up the phone to call their bank, the fraudster does not. This keeps the line open and connected to the fraudster. The victim may then hear a spoofed dial tone, followed by the scammer “answering” the phone. They then act as a bank official, requesting details from the victim for later use, or to funnel funds from one account into a new, “secure” account.
Depending on the scam and the bank, victims may recover some of their lost funds, but this is by no means guaranteed. Some banks, however heartless it may appear, reject claims of this nature on the grounds that the victim acted with “gross negligence” by not assuring their own banking security.
“HSBC has refused to refund the money, arguing that the couple’s real bank cards (not a clone) and the correct pins were used and that, therefore, they have breached the bank’s terms and conditions and were grossly negligent.”
And while the above instance applies to lost and stolen bank cards, monetary loss through vishing fraud is still a legal gray area, with the banks arguing that some of the liability must be placed upon the victim to actively protect their own interests, despite concerted efforts by scammers.
“SMiShing”, the portmanteau of SMS and phishing, is the act of using SMS messaging to defraud an individual. Smishing techniques are relatively analogous to phishing and vishing. The victim receives a text message purporting to be from a reliable, trustworthy source.
The SMS usually contains a similar message, too, with attackers posing as banking administrators or officials to deliver a warning of a compromised credit or debit card, account, or identity. The victim is then encouraged to follow the link or call the phone number included in the message, where they reveal the requested information to the fraudsters.
[Embedded tweet from Northants Fraud (@NorthantsFraud), April 27, 2016]
SMS phishing victims are not always exposed by a banking scam, as you can see in the above Tweet. That is a sample of the Smishing campaign currently underway, taken from my hometown. Similarly, in 2012 a large number of US citizens received an SMS containing text along the lines of:
“Dear Walmart shopper, Congratulations you have just won a $1000 Walmart Gift Card. Click here to claim your gift. www.fraudulentwebsiteaddress.com (cancel: STOP)”
This scam used Walmart’s popularity to lure victims into clicking the link, where they were then asked a series of personally identifying questions, culminating in a straight-up request for credit or debit card details.
Personal details aren’t always the primary goal. Some smishing campaigns focus on installing malware on the victim’s phone for a sustained data collection attack, preferring to gather more information over a longer period of time, while the victim remains painfully unaware.
Don’t Get Caught Out
As devious and deceitful as the scammers are, you can arm yourself with a handful of mitigation tactics. They are all ridiculously easy to remember and will definitely save you time, money, and heaps of wasted energy. Almost all apply to any form of phishing you might encounter.
- Check and double check the number of the caller, or source of the instant or text message. The number may have been spoofed to look like an official source.
- Even if the number looks legitimate, when you’re requested to call a number back, always use a different phone line. This avoids “no hang-up” scams. Use a number from a recent bank statement, or look up the main customer service number for your bank online.
- Never give anyone your banking information over the phone, no matter how insistent they are. Your bank will not ask you for identifying details, especially not PINs, the security number on the back of your card, or even your expiry date.
- Never transfer money into another account at the behest of a random caller. Your bank will never ask you to do this. Similarly, they will not send a courier to your house to collect your checkbook. No official institution will do this, unless perhaps you are being arrested at the behest of the IRS.
- Be extremely wary of unsolicited texts from your bank or another trusted name. Unless you have previously agreed with your bank that SMS contact is okay, it won’t happen.
- Be similarly wary of any links included in any SMS message. Shortened links could take you anywhere, and there is little way of knowing what will happen once that link is tapped or clicked.
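The tells listed above (urgency, a prize lure, a request for a PIN or password, a link or shortened link, a callback number, an easily spoofed alphanumeric sender) can be turned into a simple triage heuristic. The following is an added example, not code from the original article; it scores the Walmart text quoted above alongside two constructed messages, and the pattern lists are assumptions chosen for illustration rather than a vetted rule set.

```python
import re

# Indicator patterns drawn from the smishing tells described in the article.
URGENCY = re.compile(r"\b(immediately|urgent|suspended|compromised|unusual activity|"
                     r"verify now|within 24 hours)\b", re.I)
LURE = re.compile(r"\b(congratulations|you have (just )?won|gift card|prize|claim your)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(pin|password|card number|cvv|security code|login)\b", re.I)
URL = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|co|ly|uk|info)\b\S*", re.I)
SHORTENER = re.compile(r"\b(bit\.ly|tinyurl\.com|t\.co|goo\.gl|ow\.ly)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # rough "call this number back" pattern


def smishing_indicators(text: str, sender: str = "") -> dict:
    """Return which heuristic indicators fire on a single SMS."""
    hits = {
        "urgency": bool(URGENCY.search(text)),
        "prize_lure": bool(LURE.search(text)),
        "asks_for_credentials": bool(CREDENTIAL_ASK.search(text)),
        "contains_link": bool(URL.search(text)),
        "shortened_link": bool(SHORTENER.search(text)),
        "callback_number": bool(PHONE.search(text)),
    }
    # Alphanumeric sender IDs such as a bank name are trivially spoofable,
    # so a brand-looking sender that also carries a link is its own signal.
    hits["alpha_sender_with_link"] = sender.isalpha() and hits["contains_link"]
    return hits


def risk_score(text: str, sender: str = "") -> int:
    """Number of indicators that fired; 0 is clean, 3 or more deserves a hard look."""
    return sum(smishing_indicators(text, sender).values())


# Sample messages: the first is the Walmart text quoted in the article, the
# other two are constructed for this example (sender and number are made up).
WALMART_SMS = ("Dear Walmart shopper, Congratulations you have just won a $1000 Walmart "
               "Gift Card. Click here to claim your gift. www.fraudulentwebsiteaddress.com "
               "(cancel: STOP)")
BANK_SMS = ("YourBank: unusual activity on your card. Your account will be suspended "
            "within 24 hours. Verify your PIN at bit.ly/yb-secure or call 0800 000 0000.")
BENIGN_SMS = "Your table for 2 at 7pm tonight is confirmed. Reply C to cancel."

if __name__ == "__main__":
    for sender, sms in [("", WALMART_SMS), ("YourBank", BANK_SMS), ("", BENIGN_SMS)]:
        fired = [name for name, hit in smishing_indicators(sms, sender).items() if hit]
        print(f"score={risk_score(sms, sender)} indicators={fired}")
```

The Walmart lure scores 2 (prize wording plus a link), the constructed bank alert scores 6, and the restaurant confirmation scores 0; a real deployment would tune the lists and treat the score as a prompt to verify through a known-good channel, not as proof of fraud.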
Most of all, be vigilant. If you are unsure, simply hang up. If it is an unsolicited text, ignore it. Vishing and smishing social engineering techniques rely on the same abuse of trust as phishing. Even while I was writing this article, I received this email:
Now, I know the email address is spoofed. Why? Because there are only two people with email addresses at that URL, and one of them is mine. The attachment is also a total giveaway.
Technology will never offer the 100% deterrent we would like. Neither will it detect the scammers 100% of the time. Technology can offer you an excellent starting point, but as with almost everything in life, unless you commit your own due diligence and attempt to think critically about incoming communications, you’re setting yourself up for a really bad time.
Have you been victim to a vishing or smishing scam? Did you realize immediately, or only when your accounts were compromised? Do you know what to look for now? Let us know below!