Smishing, quishing and vishing - how bad actors try to ‘phish’ for your sensitive data

When was the last time you received an email from your bank (supposedly) asking you to “update your account details” or else get your account deactivated?

If you even remember to scrutinise the sender’s email address, you may find that it is a fraudulent email address pretending to be your bank’s. If you had fallen for it, you would have given criminals access to your bank account and hard-earned money. You would have been one of the many victims of a phishing attack in recent times.

So, what is phishing, exactly?

Put simply, phishing occurs when cybercriminals “fish” for your data. They do it by getting in touch through emails, text messages and social media, to name just a few ways.

Recently, cybercriminals have come up with more creative and sophisticated ways to phish.   But the underlying principle is simple – use deception to trick you into handing over your personal data – passwords, birthdays, contact information, credit card details.

Impersonate a bank, impersonate your boss, impersonate your friend. Make the message sound urgent. Make it sound like your life (or that of a loved one) depends on you clicking that link.

Cybercriminals have a whole arsenal of tricks up their sleeve. Here are some of the many ways phishing is carried out.

• Email phishing: Impersonate a bank, organisation, or brand and send an email asking to click on a link or download a file. The link is a spoofed website which asks for your data, while the file contains malware or viruses.

• Spear phishing: Similar to email phishing, but more personalised. Criminals research about their targets and send them personalised emails that use familiar language, tricking them into doing whatever the email is telling them to do.

• Whaling / CEO Fraud: Similar to spear phishing, but makes the email appear like it came from a top executive at a company. It is often used to trick other executives into releasing money or sensitive data.

• Man in the middle: Email phishing that tricks two people into thinking that they are talking to each other, when the attacker is the one sending the emails, hoping that some sensitive information will be released.

• Clone phishing: Appears like a re-sent email. A replica of a legitimate email is sent to you, but with fake email addresses, links, and attachments which resemble the real ones.

• Smishing: Phishing through SMS and other text messaging. Upon clicking on the link sent through text, malware is installed on your device.

• Vishing: Phishing through voice message or phone call. Criminals impersonate a credible agency and ask for your social security number or other sensitive data, perhaps to “verify your identity”. This has recently included video calls as well.

• Angler phishing / Social media phishing:  Phishing through social media. Notifications and direct messages are used to get you to click on a malicious link. Criminals may send a friend request, impersonating someone you know or a brand you trust.

• Search engine phishing: Phishing through websites that appear in your search results. These websites pose as shopping sites offering cheap products. You will then be asked to create an account to complete your purchase, thus giving away your personal information.

• Quishing: Phishing through QR codes. Scanning the QR code will direct you to a malicious site, install malware, or open illegal access to your account. Since email services like Google are learning to filter out phishing emails, criminals turn to QR.

• Pop-up phishing / Malvertising: Phishing through pop-ups, or pop-up notification requests.  The link on the pop-up or ad is a malicious link. Sometimes, choosing to “allow pop-up notifications” from a site already installs a malicious code.

• Evil twin phishing: Phishing by impersonating a Wi-Fi network. Once you connect to the lookalike Wi-Fi network, you will be redirected to a malicious site that asks for your personal information.

• Pharming: Phishing by hijacking the DNS server. When the DNS server is hacked, typing a website address in your browser will lead you to a malicious lookalike site instead of the legitimate one. You will then unsuspectingly login, giving away your login credentials.

To view the full infographic, click this link: https://www.dpexnetwork.org/research/infographics-many-hooks-phishing

Fighting phishing, a DPO’s perspective

Phishing attacks are becoming more widespread and sophisticated that it is easy to fall for their tricks. With the new work from home setting driven by the pandemic, the risks are even greater.

Ng Quan Cheng, an IT and InfoSecurity Manager with Straits Interactive, who also serves as its data protection officer, says that organisations need to come up with new strategies that cover employees’ home network infrastructure, to mitigate the risks of phishing and other cyber attacks.

“The threat level of cyber threats now is very real and poses a very high risk to organisations, especially with COVID-19 driving the trend for work-from-home,” he adds. “Additional measures must also be taken for employees who handle personal identifiable information (PII) and other sensitive data, to minimise the organisation’s risk of a data breach.”

As such, awareness is always the first step towards better protecting one’s important personal information. Keep your important information safe by being familiar with cybercriminals’ tricks and learning to spot phishing attacks – and make sure everyone in your organisation is aware too.

We also offer a course on Information & Cyber Security for Managers where we discuss the subject from a hands-on and management perspective, complete with industry examples and numerous case studies.

You may also check out other courses on data protection and cybersecurity here: https://www.dpexnetwork.org/courses