Information Technology & Innovation

Whaling, SMiShing, and Vishing…Oh My!

You’re probably familiar with “phishing”, but are you aware of the other types of “ishing”?!


Cybercriminals use social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks, whether they are conducted via email, SMS (Short Message Service—i.e., text), or phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker.

Make sure you’re on the lookout for these variants on the traditional, mass emailed phishing attack:

  • Spear phishing: This kind of attack involves often very well-crafted messages that appear to come from a trusted VIP source, usually with a sense of urgency, targeting those who can conduct financial transactions on behalf of your organization (sometimes called “whaling”).

  • SMiShing: Literally, phishing attacks via SMS (Short Message Service—i.e., text), these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.

  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don’t react to scare tactics: All of these attacks depend on scaring the recipient, such as with a lawsuit, a claim that their computer is full of viruses, or the fear of missing out on a great interest rate. Don’t fall for it!

  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don’t trust people who contact you out of the blue claiming to represent your company.

  • Know the signs: Does the message/phone call start with vague information, a generic company name like “card services,” an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!

Check out these quick informative videos:


  • HEISC Information Security Awareness Training Video:
    “Phishing: E-Safe” (1.02 minutes):
    https://www.youtube.com/watch?v=rwgp3WqYmrw (published on YouTube, 8/27/2013, by HEISC, the Higher Education Information Security Council)


Read these articles (you may want to print them and post them by your phone in the office or at home!):


Or post these quick tips as reminders (next to your phone in the office or at home):


  • Microsoft won’t call about your computer, the IRS won’t call about their case, and Rachel from card services won’t get you a better rate!
  • Would you trust someone at random on the street? Why would you trust someone who randomly emails, texts, or calls you?
  • Phone calls and texts are as easy to spoof as email. If it sounds too good to be true, or if it’s really scary, it’s probably a scam.
  • Remember: phishing is a social engineering scam and it’s not just for email! You can get phished by phone or text message too.


  • Be mindful of the full e-mail address. Don’t fall for the “looks kind of like someone I know” fake addresses! Display names (first & last name) are user supplied and can show anything the sender wants.


  • Be aware of the official e-mail address of your contacts and be suspicious if what they ask of you is unusual or they attempt to contact you from a different e-mail address.
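The two tips above can be turned into a simple mail-filter check. The following is an added example, not part of the newsletter or any of the cited sources: it parses a raw From header, separates the user-supplied display name from the actual address, and flags messages where the name matches a known contact (or contains an embedded address) but the real sending address does not match. The contact directory and the sample headers are constructed for the example.

```python
# Added example (not from the newsletter): flag From headers whose display
# name looks like a known contact but whose real address does not match.
from email.utils import parseaddr

# Constructed directory of known contacts: lower-case display name -> official address.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example.edu",
    "it help desk": "helpdesk@example.edu",
}


def check_sender(from_header: str, known=KNOWN_CONTACTS) -> str:
    """Classify a raw From header as 'ok', 'impersonation' or 'unknown'.

    Only the address in angle brackets is what the mail was actually sent
    as; the display name is free text chosen by the sender.
    """
    name, addr = parseaddr(from_header)
    name_l = name.strip().lower()
    addr_l = addr.strip().lower()
    if not addr_l:
        return "unknown"
    # 1) Display name is a known contact's name: the address must be theirs.
    official = known.get(name_l)
    if official:
        return "ok" if addr_l == official else "impersonation"
    # 2) An address-looking string stuffed into the display name
    #    (e.g. "Jane Doe <jane.doe@example.edu>") that differs from the real address.
    if "@" in name_l and addr_l not in name_l:
        return "impersonation"
    # 3) The real mailbox of a known contact, whatever the display name says.
    if addr_l in known.values():
        return "ok"
    return "unknown"


def flag_impersonations(from_headers):
    """Return the subset of headers classified as impersonation attempts."""
    return [h for h in from_headers if check_sender(h) == "impersonation"]


if __name__ == "__main__":
    # Constructed sample headers, including a look-alike domain and a
    # display name that contains a legitimate-looking address.
    samples = [
        "Jane Doe <jane.doe@example.edu>",
        "Jane Doe <jane.doe@examp1e.edu>",
        '"Jane Doe <jane.doe@example.edu>" <someone@mail.example>',
        "Someone Else <someone@other.example>",
    ]
    for h in samples:
        print(f"{check_sender(h):14} {h}")
```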


Check out this SANS Security Awareness OUCH! Newsletter (and/or subscribe to OUCH! and receive the latest security tips in your email every month):


– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Sent from the CSCU Information Security Program Office

https://supportcenter.ct.edu/Service/ISPOSecurityAwareness.asp

Resources taken from:

EDUCAUSE Higher Education Information Security Council (HEISC) Awareness Campaigns, EDUCAUSE Review, and NCSAM (National Cyber Security Awareness Month—a collaborative effort of the National Cyber Security Alliance & the U.S. Department of Homeland Security). Adapted from the EDUCAUSE Campus Security Awareness Blog, April 2019: “Whaling, SMiShing, and Vishing…Oh My!” by Eric Weakland, used under the Creative Commons BY-NC-SA 4.0 International License; format slightly modified and italicized text added for introductions and explanations.

YouTube | HEISC Higher Education Information Security Council

YouTube | FCC Federal Communications Commission fccdotgovvideo

FTC Federal Trade Commission | Consumer Information

SANS Security Awareness OUCH! Newsletters