Smishing & Vishing Prevention in 2019


One look at the title and you may think that spellcheck failed when writing this article. However, smishing (or SMiShing) and vishing attacks are the real deal, and according to a recent study, nearly 50% of organizations report having experienced a vishing or smishing attack last year.


SMiShing, short for SMS phishing, is a variant of phishing scams which utilizes SMS services to download malicious software onto a user’s smartphone or other mobile device. Vishing, also a portmanteau of phishing, is a voice-based method of tricking a user into surrendering sensitive information for financial gain or other ill-intentioned motive. Both of these phishing variants deserve your immediate attention.


Reports show that phishing schemes may have surpassed ransomware as a cyber security concern for businesses as we dive deeper into 2019. This is due in part to the successes of more advanced cyber security (using AI and machine learning), which gets in the way of “traditional” malware/ransomware. Cyber criminals evolve just as fast as cyber security and are thus concentrating their attention on people over technology, catching them where they may least expect it. In order to prepare your company for what’s to come, please keep reading.


How to Protect Your Business from SMiShing and Vishing Attacks


A. How to Prevent SMiShing


i) Staff Education


In the aforementioned report, more than half of the respondents reported that they do not know what SMiShing is. How can you expect your staff to be diligent in attack awareness when they don’t know exactly what to look for? You will need to train them on SMiShing identification and prevention.


The same rules that apply to this email phishing prevention plan apply to SMS; however, staff education needs to be taken a step further. For one, staff need to understand that even if they know not to click on an SMS-delivered link, they must also not reply via text or call. That means avoiding a cheeky response to let phishers know “I’m on to you,” because that is still a win for the cyber criminal. Even if the text message says “text ‘stop’ to stop receiving messages,” staff should never reply, because a reply validates the number’s existence and you can expect many more SMiShing attacks to follow. Instead, have them (or IT) block the number outright.


ii) Strict BYOD Policy


It’s easier to manage staff smartphone usage and mobile attack prevention when your company provides devices to employees. However, the risk inflates when you allow bring-your-own-device (BYOD) for the sake of convenience and cost. A recent study found that 85% of enterprises allow employees, partners, contractors, and suppliers to access company data from personal mobile devices. As a result, more than 50% of these businesses reported a rise in mobile security threats in the same year. Clearly, you will need to either rethink (where applicable) or tighten up your BYOD policy to prevent SMiShing and all other phishing schemes that can be delivered to a mobile device.


iii) Establish MFA


While multi-factor authentication (MFA) won’t directly matter once a staff member has already opened up their SMS to view a malicious message, having MFA established for all apps on company smartphones (BYOD or otherwise) will help prevent cyber crime should the user inadvertently download malware that allows criminals to access apps and data on their phone. So, even if the malware has been installed, MFA will put up a brick wall that stops the criminal activity from progressing to other apps on the device.


iv) Establish a SMiShing Reporting Procedure


A firm procedure must be established for reporting suspected instances of SMiShing or any other form of suspicious SMS messages, which will allow a designated response team to take necessary action. This process is also essential because, if an attack has compromised corporate data, not only will greater defensive action need to be taken, but you may also have to report the issue to the Privacy Commissioner of Canada along with potentially impacted parties (customers, clients, suppliers, etc.) as per the recent PIPEDA compliance update.


B. How to Prevent Vishing


i) Staff Education


A much greater number of organizations are unfamiliar with vishing, or voice phishing, with 63% of respondents admitting that they are not aware of the practice. Once again, education is imperative. By training staff on what to watch out for, you will take the most important step towards vishing prevention.


One common tactic is when cyber criminals email or IM staff, purporting to represent a reputable organization that your company may deal with (e.g. financial institution, vendor, etc.). Especially savvy criminals will have done their homework (via spearphishing) to make their message to staff even more relevant and seemingly trustworthy. The email or SMS may warn users of a security alert and ask them to call a number where an automated attendant awaits, asking them to enter personal information (e.g. credit card number, SIN, online banking password, etc.). Once this has occurred, the user (now victim) will have provided the data the criminals need and the line is disconnected. Damage done.


Let staff know that prompts to call a bogus line may also come through Voice over Internet Protocol (VoIP) and other web-based telephone technology. They may get a call on their smartphone or office landline, with an automated message asking them to take immediate action. Let them know to do nothing without first confirming the validity (or lack thereof) of the communication. Keep reading.


ii) Establish a Vishing Reporting (and Investigation) Procedure


The reason vishing attacks are so successful is that there is more perceived trust when a message is delivered via voice. When that voice delivers a critical call to action and purports to be from a reputable source that your company depends on for essential operations, the urge to respond is hard to resist. A staff member may feel as if their own department compromised the company in some way and make the return call to clean up the mess before harm befalls the brand. But in doing so, the supposed corrective action results in the same security intrusion staff sought to prevent in the first place.


To make sure this doesn’t happen, establish a stringent reporting procedure. Once staff know how to identify a potential vishing attack, every instance must be reported to the appropriate party, and that party can perform the investigation to determine validity, or otherwise.


If you’re a small business owner, however, you can perform your own investigation by using the proven contact information for the financial institution, vendor, and so forth, and inquiring about your account with them to see if there is indeed an issue that needs to be addressed. But never use the contact information provided by the suspicious automated voice message. Lastly, you can also write down the number that called, along with the number you were asked to call, and perform an online search of each. There’s a good chance that those numbers will be found on an online database of fraudulent calls. If so, block them right away.

If you have any additional questions about phishing prevention solutions for your company, we encourage you to contact Fully Managed Inc today. Learn more about our cyber security solutions here.