Vishing: Phishing over the phone
Vishing stands for “voice phishing” and it entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. For instance, the message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes. However, the phone number rings straight to the attacker via a voice-over-IP service.
In a sophisticated vishing scam in 2019, criminals called victims pretending to be Apple tech support and provided users with a number to call to resolve the “security problem.” Like the old Windows tech support scam, this scam took advantage of users’ fears of their devices getting hacked.
Smishing: Phishing via text message
Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.
Smishing is on the rise because people are more likely to read and respond to text messages than email: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively. Users are also often less watchful for suspicious messages on their phones than on their computers, and their personal devices generally lack the type of security available on corporate PCs.
Snowshoeing: Spreading poisonous messages
Snowshoeing, or “hit-and-run” spam, requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.
Hailstorm campaigns work the same as snowshoe, except the messages are sent out over an extremely short time span. Some hailstorm attacks end just as the anti-spam tools catch on and update the filters to block future messages, but the attackers have already moved on to the next campaign.
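Both snowshoe and hailstorm campaigns are built around what a per-sender volume rule cannot see: every IP and domain stays quiet, but the lure itself is repeated many times. The defender’s counter is to group messages by a template fingerprint rather than by sender, and then look at how many distinct sources carry the same template and over how short a window. The following is an added illustration, not code from the article or from any product it mentions; the mail log records, IP addresses, domains and thresholds are constructed for the example.

```python
"""
Added example (not part of the article): group inbound mail by a content
fingerprint so that a snowshoe campaign (many senders, each under the
per-IP volume threshold) or a hailstorm (the same, compressed into a very
short time window) stands out even though no single source is noisy.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import hashlib
import re

BASE = datetime(2024, 1, 14, 9, 0)  # constructed reference time for the sample log


def _rec(offset, ip, domain, text):
    return (BASE + offset, ip, domain, text)


# Constructed sample mail log (not real traffic): each record is
# (timestamp, connecting IP, envelope-sender domain, message text).
SAMPLE_LOG = (
    # Snowshoe: six copies of one lure, each from its own IP/domain, spread over 2.5 hours.
    [_rec(timedelta(minutes=30 * i), f"203.0.113.{10 + i}", f"mail{i}.invoice-example.net",
          f"Your invoice #{4100 + i} is overdue, view it at http://pay{i}.example/{7000 + i}")
     for i in range(6)]
    # Hailstorm: six copies of another lure from six IPs inside four minutes.
    + [_rec(timedelta(hours=4, seconds=40 * i), f"198.51.100.{20 + i}", f"srv{i}.parcel-example.org",
            f"Package {880 + i} could not be delivered. Reschedule: http://track{i}.example/{i}")
       for i in range(6)]
    # Benign bulk sender: one IP, same content four times. A per-IP volume rule
    # already sees this, and it has a single source, so it must not be flagged here.
    + [_rec(timedelta(hours=1, minutes=5 * i), "192.0.2.5", "newsletter.example",
            "Weekly digest: 3 new articles this week") for i in range(4)]
    # Unrelated one-off messages.
    + [_rec(timedelta(hours=2), "192.0.2.77", "partner.example", "Agenda for Thursday's review"),
       _rec(timedelta(hours=3), "192.0.2.78", "vendor.example", "Updated price list attached")]
)


def fingerprint(text):
    """Template fingerprint: URLs and numbers become placeholders, so per-message
    variations (invoice numbers, tracking IDs, per-recipient links) hash the same."""
    norm = re.sub(r"https?://\S+", "URL", text.lower())
    norm = re.sub(r"\d+", "N", norm)
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


def detect_campaigns(records, per_ip_max=3, min_ips=5, hailstorm_window=timedelta(minutes=10)):
    """Return {fingerprint: finding} for templates that a per-IP volume filter would
    miss (every IP stays at or under per_ip_max) but that many distinct IPs carry.
    The finding is labelled 'hailstorm' when the whole run fits inside hailstorm_window."""
    by_template = defaultdict(list)
    for ts, ip, domain, text in records:
        by_template[fingerprint(text)].append((ts, ip, domain))
    findings = {}
    for fp, items in by_template.items():
        per_ip = Counter(ip for _, ip, _ in items)
        if len(per_ip) < min_ips or max(per_ip.values()) > per_ip_max:
            # Too few sources to be a distributed campaign, or a volume rule already catches it.
            continue
        times = sorted(ts for ts, _, _ in items)
        span = times[-1] - times[0]
        findings[fp] = {
            "kind": "hailstorm" if span <= hailstorm_window else "snowshoe",
            "messages": len(items),
            "ips": len(per_ip),
            "domains": len({d for _, _, d in items}),
            "span_minutes": round(span.total_seconds() / 60, 1),
        }
    return findings


if __name__ == "__main__":
    for fp, finding in detect_campaigns(SAMPLE_LOG).items():
        print(fp, finding)
```

The thresholds are the tunable part: `per_ip_max` should sit at or just below whatever your existing volume rule triggers on, so the two checks cover complementary ground, and `hailstorm_window` should be shorter than the time your reputation feed takes to update, since that lag is exactly what a hailstorm is designed to exploit. On real mail the fingerprint would normally be computed over the normalized body or a rendered-text extract rather than a single line, but the grouping logic is the same.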
Learn to recognize different types of phishing
Users aren’t good at understanding the impact of falling for a phishing attack. A reasonably savvy user may be able to assess the risk of clicking on a link in an email, as that could result in a malware download or follow-up scam messages asking for money. However, a naive user may think nothing would happen, or wind up with spam advertisements and pop-ups. Only the most savvy users can estimate the potential damage from credential theft and account compromise. This risk assessment gap makes it harder for users to grasp the seriousness of recognizing malicious messages.
Organizations need to consider existing internal awareness campaigns and make sure employees are given the tools to recognize different types of attacks. Organizations also need to beef up security defenses, because some of the traditional email security tools—such as spam filters—are not enough defense against some phishing types.
Editor’s note: This article, originally published on January 14, 2019, has been updated to reflect recent trends.