Teach Your Employees Well: How to Spot Smishing & Vishing Scams

Text messaging is by far the most responsive way to communicate remotely: People frequently ignore phone calls and emails, but 98% of text messages are read and 45% get a response, according to Gartner.

The trouble is, text messaging – or SMS, for short message service – can leave companies wide open to social engineering attacks, referred to as "smishing." The threat has become exacerbated amid a largely remote workforce that has turned to platforms including Slack, Skype, WhatsApp, and iMessage to reach each other quickly.

"SMS is the absolute worst protocol to use for communications," says April Wright, a security consultant at ArchitectSecurity.org. "It is widely supported, which is why it is still in use, but it provides zero encryption or authenticity validation of the sender or receiver." 

The heightened popularity of text-based communications is the very thing that makes it susceptible to smishing, where texts that seemingly come from trusted sources include, for example, downloadable malware or links to phony websites. Such was the case in a September campaign in which scammers posed as the United States Parcel Service, as well as a February campaign in which messages seemingly came from Federal Express.

Vishing is similar to smishing except criminals use voice technologies – the telephone – to, for example, dupe people into providing bits of personal data. And both are related to phishing, which includes email and impacts more than 90% of organizations, according to security vendor Proofpoint. It's expensive, too: The average cost of a data breach averages $3.86 million, according to IBM.

How can you protect your organization? Tools can help, but teaching employees not to fall for these scams in the first place may be the best prevention strategy of them all.

How to Prevent Employees From Falling Victim
To guard against smishing attacks, in particular, security teams can encourage employees to ignore messages from unknown people or businesses, to be suspicious of "urgent" texts, and to use caution when clicking on links within text messages.

"With both smishing and vishing, the source may have some information that makes them seem credible – names of co-workers, a boss' name, phone numbers, department names, etc. These are the seemingly trivial information they have gained via intelligence gathering, [smishing], phishing, or vishing," Wright says. "The most important thing we can do is verify."

But often text and voicemail messages appear to be coming from a credible source. Employees need to be made aware that criminals trying to elicit information may pretend to be: 

Cyber Curriculum
Once employees understand the "who," here are three tips to keep them alert to potential scams:

1. Big picture: Cyberattackers leverage the way people typically respond to certain social situations to trick them into disclosing sensitive information about themselves, their businesses, or their computer systems. Even the smallest amount of data can be useful to hackers who are trying to complete a profile that will enable them to get access to credit, banking, and other sensitive information. So the first line of defense is to train employees to recognize their telltale but often subtle signs, as well as how their information can be used in a social engineering attack.

2. Link-leery: SMS malware usually initiates from a text message containing a URL. Training staff to perform a quick online search to find a web address and then type it into the address bar manually, rather than just clicking on the link sent, may save a world of hurt later. Some links appear to be for legitimate apps, but once downloaded, employees realize their passwords and other credentials have been stolen.

Other links are a vector for ransomware, forcing users to pay to decrypt their phones. Further, SMS malware often ransacks the victim's contacts list, enabling it to spread to each of those addresses. It's clear to see how this could go on to affect an entire organization.

3. Listen up: Vishing can be more difficult to detect because people tend to believe that a voice is more trusted than an email, according to Wright. Attackers use ID spoofing, which is similar to email spoofing in that both make it appear as if the communication is coming from a trusted source. To combat this form of social engineering, instruct employees to tell a caller they will return their call. Then have them look up the main office of the company the caller is claiming to represent, call that number, and ask to speak with the caller who is making the request of your employee.

"If they cannot talk on the phone, it is suspicious. If they become argumentative or threatening, it is suspicious," Wright says. "If someone asks you to bypass a process or control, it is very suspicious. Report any type of suspicious activity to your manager and security team immediately."

Eyes and Ears Wide Open
Suffice to say, a bit of skepticism goes a long way as well.

"We need to realize that not everyone is good and be on the lookout for questions people don't normally ask, for that feeling when 'something isn't right,'" Wright says. "That feeling has kept humans alive and safe for hundreds of thousands of years, and we should listen to it. It's there to alert us to danger."

In fact, Wright wouldn't be said to see SMS disappear altogether.

"SMS as a technology is almost 40 years old," she says. "I strongly believe that SMS, along with email, should be abandoned for more modern, secure solutions."