The differences between phishing, smishing and vishing

Phishing, Smishing or Vishing… you joking?

It seems like a more innocent time now, but back in the early Noughties, attacks on domestic technology were largely confined to mischief-making viruses on desktop PCs.

Today, we surf in far more dangerous waters.

Online fraud is at record levels, as criminals seek to exploit our dependence on the internet.

Compromised websites and file attachments harbour malicious software known as malware, designed to monitor keystrokes or identify passwords and login credentials.

Another method of obtaining sensitive personal or financial information involves persuading people to hand it over to confidence tricksters.

If you’ve ever received a fraudulent email claiming to be from a financial institution or reputable company, you’ve been targeted with a phishing attack.

This describes the process whereby criminals use social engineering techniques to trick people into surrendering account details, login credentials or passwords.

In recent years, related terms have been developed for other platform-specific attempts at convincing us to entrust valuable personal data to crooks.

Say hello to the triple-headed horrors known as phishing, smishing and vishing.

So what’s the difference?

Smishing and vishing may sound like a pair of radio DJs, but they’re actually variations of phishing designed for specific hardware.

Smishing takes its name from SMS – the Short Message Service protocol used to send text messages. Believe it or not, texts are still widely used, alongside WhatsApp and Snapchat.

Our phones are practically extensions of our arms nowadays, and they’re used for a growing percentage of ecommerce transactions in the UK.

As a result, mobile phones are rich repositories of valuable information – a handy shortcut to your online banking and ecommerce accounts.

Smishing messages encourage people to click on a link, or open an attachment. Doing so can install malware on the device, giving the fraudsters unfettered access to everything stored on it.

Criminals also prey on greed by promising their victims gift vouchers, competition prizes or compensation/refunds relating to a purchase they might have made recently.

These classic entrapment techniques are regularly used for phishing and vishing, too.

How are smishing and vishing distinguished?

Vishing involves the same social engineering techniques, but conducted over the phone.

Someone might ring up pretending to be from your bank, claiming your card was compromised while withdrawing money from an ATM earlier.

(In reality, someone probably watched you visit the cashpoint and then followed you home or to work, before using social media and/or Google to track down a phone number.)

The caller may offer to collect the card “to avoid further inconvenience”, while asking you to confirm “a few details” like PINs and online banking passcodes.

Handing over the card and related data could give the crooks access to hundreds of pounds every day, until you realise what’s happened and cancel the card.

By then, the damage is done and the thieves will be long gone with their ill-gotten gains.

How to stay safe

These activities all involve fraudsters pretending to be legitimate organisations, requesting immediate action that promises to prevent robbery or fraud – while actually facilitating it.

Phishing, smishing and vishing attacks all rely on rushing people through a process before they have time to reflect on it. Urgency is a recurring theme of these attacks.

Consequently, the first response to any unsolicited inbound communications should be to stall for time, and do a bit of research.

If the enquiry came in by email, copy and paste the subject line into Google to see whether it’s been logged as fraudulent by anti-spam agencies, or by the company being impersonated.

Do the same for smishing messages, manually retyping the contents into a search engine. Never click on a link in a suspicious text message.

Alternatively, forward a dubious message on to the firm it’s supposed to be from. Bigger companies tend to have dedicated contact details for reporting possible fraud.

Look for giveaways like mobile numbers purporting to be from a call centre, or odd email addresses (cyclops363@mail.ru) claiming to represent a bank or Government department.

Look for spelling errors, which may suggest the message didn’t originate in this country.

Finally, to guard against vishing attacks, never agree to anything in an inbound phone call.

Ring the company “contacting” you from a different line. The line they rang you on may still be held open by the caller, so attempting to dial out on it may simply reconnect you to the criminals.

Remember reputable institutions will rarely ask for more information than a couple of password characters and your home address – and the latter is hardly a secret…
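As an added illustration (not part of the original article), here is a small rule-based triage script that checks a message for the giveaways listed above: urgency wording, a link in a text message, a sender address that doesn’t match the institution it claims to represent, a mobile number claiming to be a call centre, and a request for PINs or passwords. The keyword lists, the genuine sender domain and the sample messages are constructed assumptions for the example, not data from the article.

```python
import re
from dataclasses import dataclass

# Heuristics for the giveaways the article lists; keyword sets are assumptions, not exhaustive.
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended|act now|verify now)\b", re.I)
LINK = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
UK_MOBILE = re.compile(r"^(\+447|07)\d{9}$")  # a mobile number, not a call centre line
CREDENTIAL_ASK = re.compile(r"\b(pin|passcode|password)\b", re.I)
CLAIMS_INSTITUTION = re.compile(r"\b(bank|hmrc|revenue|government)\b", re.I)
# Hypothetical domain the genuine institution sends from (assumption for this example).
KNOWN_SENDER_DOMAINS = {"examplebank.co.uk"}

@dataclass
class Message:
    channel: str  # "email" or "sms"
    sender: str   # e-mail address or phone number
    body: str

def triage(msg: Message) -> list[str]:
    """Return the red flags found in one message; an empty list means none were found."""
    flags = []
    if URGENCY.search(msg.body):
        flags.append("urgency")
    if msg.channel == "sms" and LINK.search(msg.body):
        flags.append("link in text message")
    claims_institution = bool(CLAIMS_INSTITUTION.search(msg.body))
    if msg.channel == "email" and claims_institution:
        domain = msg.sender.rsplit("@", 1)[-1].lower()
        if domain not in KNOWN_SENDER_DOMAINS:
            flags.append(f"sender domain {domain} does not match claimed institution")
    if msg.channel == "sms" and claims_institution and UK_MOBILE.match(msg.sender):
        flags.append("mobile number claiming to be a call centre")
    if CREDENTIAL_ASK.search(msg.body):
        flags.append("asks for PIN/password")
    return flags

# Constructed sample messages for the example; senders and links are made up.
SAMPLES = [
    Message("email", "cyclops363@mail.ru",
            "Your bank account will be suspended immediately unless you confirm your password."),
    Message("sms", "07700900123",
            "Bank alert: unusual card use. Verify now at http://secure-login.example/verify"),
    Message("email", "alerts@examplebank.co.uk",
            "Your monthly statement from Example Bank is ready to view."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.channel, m.sender, "->", triage(m) or ["no red flags"])
```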
