Don’t Let These Digital Scams Ruin Your Clients’ Holidays


  • December 13, 2022 | Author: Allison Bergamo

Phishing, vishing and smishing may sound like characters out of the holiday classic, “How The Grinch Stole Christmas.” They are clever digital attacks that bad actors have created to potentially ruin your clients’ holidays. Take the time to educate your clients on what they are and how to avoid them. 

Mobile Phishing

Most holiday shoppers are squeezing their gift buying in between company meetings and school drop-offs. And they can’t beat the convenience of using their smartphones to make purchases. However, cybercriminals are busy creating and sending fraudulent text messages to your clients. These messages appear to come from retailers they are familiar with. They typically contain a link that, once clicked, redirects to a fraudulent website that looks like the retailer’s legitimate site but is designed to extract your clients’ personally identifiable information (PII). Malicious apps, particularly for Android devices, can also be used to skim financial data and credentials.

Vishing and Smishing

With vishing, cybercriminals contact your clients via phone calls to solicit PII. They rely on social engineering, such as an urgent message about your clients’ recent Amazon order, to trick them into providing valuable information such as login credentials or bank account information. These criminals rely on fear, uncertainty and doubt to successfully deploy these attacks. For example, they may send your clients a voicemail message stating, “URGENT: Your bank account has been locked due to suspicious activity. Call us back immediately to restore access.” When your client calls the phone number on the voicemail, they are asked to provide sensitive information that is then stolen and used to gain access to bank accounts and other valuable assets.

Smishing works in a similar fashion, only via text messages. For example, your client may receive a text message that says, “Your FedEx package with tracking code GB-6412-GH83 is waiting for you to set delivery preferences” and includes a link. Once your client clicks on the link, the hackers gain access to their sensitive information. Keep in mind that smishing attackers often use messages that your clients might be expecting.

A new method that the FortiGuard Labs team is tracking involves hackers adding a QR code to popular products and leaving promotional signs or banners bearing these codes at physical stores. If your client sees a product they like, and a sign telling them they can get the product faster or at a discounted price, they are more than likely to scan the QR code. This can lead them to a scam website or to attempts to download malware.

Ways to Protect Yourself from Phishing, Vishing and Smishing

Being vigilant and carefully examining the phone calls and text messages you receive before responding to them can go a long way in protecting yourself from digital attacks. Here are three other ways to protect yourself:

  • Financial institutions will never send a text asking for credentials or asking you to transfer money. Do not ever send credit card numbers, ATM PINs or banking information to someone via text messages.
  • Messages received from a number with only a few digits probably came from an email address, which is a sign of spam.
  • Banking information stored on the smartphone is a target for attackers. Avoid storing this information on a mobile device. Should an attacker install malware on the smartphone, this banking information could be compromised.
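The warning signs above can be turned into a simple triage check for incoming text messages. The following is an added example, not code from the article or from Fortinet; the keyword patterns, the four-digit sender threshold, the verdict rules and the sample messages (including the example.test link) are assumptions constructed for illustration.

```python
import re

# Patterns are assumptions chosen to mirror the article's warning signs.
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|locked|suspended|suspicious activity)\b", re.I)
SECRET_RE = re.compile(
    r"\b(pin|password|credentials?|card number|account number|transfer)\b", re.I)


def triage_sms(sender: str, body: str) -> list[str]:
    """Return the warning signs found in one text message."""
    flags = []
    digits = re.sub(r"\D", "", sender)
    # "A number with only a few digits": the cutoff of 4 is an assumption.
    if digits and len(digits) <= 4:
        flags.append("short_sender")
    if URL_RE.search(body):
        flags.append("contains_link")
    if URGENCY_RE.search(body):
        flags.append("urgency")
    if SECRET_RE.search(body):
        flags.append("asks_for_secret")
    return flags


def verdict(flags: list[str]) -> str:
    """Map warning signs to a handling decision (rules are assumptions)."""
    if "asks_for_secret" in flags or len(flags) >= 2:
        return "do_not_respond_verify_via_official_channel"
    return "review" if flags else "no_indicators"


# Constructed sample messages; the first reuses the article's FedEx wording.
SAMPLES = [
    ("5000", "Your FedEx package with tracking code GB-6412-GH83 is waiting "
             "for you to set delivery preferences: http://example.test/track"),
    ("+15550100199", "URGENT: Your bank account has been locked due to "
                     "suspicious activity. Reply with your ATM PIN to restore access."),
    ("+15550100123", "Your dentist appointment is tomorrow at 3 pm. Reply C to confirm."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        found = triage_sms(sender, body)
        print(f"{sender:>13}  {verdict(found):<45} {found}")
```

A keyword check like this only surfaces messages for a closer look; the decision to trust a message should still rest on contacting the retailer or bank through a known, official channel.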

Find out more about how Fortinet’s Training Advancement Agenda (TAA) and NSE Training Institute programs, including the Certification Program, Security Academy Program and Veterans Program, are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.
