Phishing, smishing and vishing: what do they mean and how to protect yourself
By Ginger Hill
Updated Wed September 4, 2019
I have a special affinity toward cybersecurity, probably because I've witnessed it grow from not even being a word, much less a concept, to indoctrinating itself into society on a second-by-second basis. People must be alert, knowledgeable and actionable in order to stay safe from cybercriminals, and thankfully, there are various organizations available to help.
During August, I attended the National Cyber Security Alliance and Infosec webinar that explored the cyber threats phishing, smishing and vishing, and offered steps of protection. Daniel Eliot, director of education and strategic initiatives, National Cyber Security Alliance, moderated as Tiffany Schoenike, chief operating officer, National Cyber Security Alliance, and Lisa Plaggemier, chief evangelist, Infosec, took center stage.
“At their core, phish are just tools criminals use for social engineering, which is the use of deception to manipulate individuals into doing something they wouldn't normally,” Plaggemier explained during the webinar. “Thieves are generally after two things: money and things they can turn into money, and over three billion phishes are sent every single day” to try and gain access to private information, engage with people to develop trust, present links that download malware when clicked, modify data, etc.
Here are some common types of phish you need to know about:
- Spear phishing: a targeted attack that usually involves cybercriminals gathering intel to use to send emails that appear to be from a known or trusted sender.
- Whaling: attacks that target senior-level employees.
- Credential harvesting: an attack that allows unauthorized access to usernames and/or emails with corresponding passwords.
To identify phishes, Plaggemier said to look for things such as spoofed sender addresses that may be off by a letter or two; misspelled words and bad grammar; strange URLs; the use of scare tactics; and buzzwords such as cool job offers. Last but not least, use your own senses. If you feel something isn't right, you're probably correct.
With smishing, the cybercriminal uses text or SMS messaging to try and trick people into giving out private information, while vishing uses a phone call.
To protect yourself and your organization against phishing, smishing and vishing, consider the following:
- Enable strong authentication.
- Think before you share personal information.
- Never give personal information over the phone.
- Use unique passphrases, as long as possible, as passwords.
- Keep your computer system and smartphone's software updated.
- Only download apps from trusted sources.
- Train employees.
- Establish, maintain, use and enforce policies and procedures.
- Report all phishing incidents to the DHS Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission.
For more information on how small and medium-sized businesses can be safer and more secure online, visit National Cyber Security Alliance's national program, CyberSecure My Business, which consists of in-person, interactive workshops, monthly webinars, an online portal of resources and monthly newsletters that summarize the latest cybersecurity news.