How do phone and text scams work?
Phishing phone calls ('vishing') and scam texts ('smishing') are common attacks, designed to trick targets into divulging personal information that can be used for theft or fraud. Both vishing and smishing are cheap, and require little technical knowledge.
Many vishing campaigns are high volume, using auto-dial and broadband calling to contact thousands of potential victims per hour. They try to drive fear-based responses: for example, a spurious bank call-back service which pretends to alert the victim to bank account fraud, then requests detailed card information on response.
Then targeting organisations, attackers often impersonate a senior employee requiring urgent assistance. They may pretend to be in a rush, in an attempt to take control of the conversation.
Smishing has begun to overtake vishing in popularity. With many victims still unused to receiving spam texts – and the growth of text banking – it currently enjoys a higher success rate.
Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.
The risks to business
- Data theft (or encryption for ransom)
- Fraudulent internet banking redirection
- Financial theft
- Identity fraud
How can I defend my business against vishing and smishing?
- Raise awareness of the potential impact of vishing/ smishing on your business, and implement a policy for reporting suspected cases.
- Train staff never to share financial or company information with unverified callers.
- Learn to spot suspicious calls and text, and never:
- be rushed into making a quick decision in response to an urgent request.
- provide personal or financial information over the phone.
- use numbers provided by the caller or in the text, in preference to known contact numbers.
- click on a link in a text you were not expecting.
- Where a vishing call is purporting to come from a member of staff, there can be
several give-away signs:
- The caller refers to the organisation by name on a supposedly internal call.
- The call is made to the UK from one country, for information on another.
- The caller instructs the recipient on using internal systems to provide information.