Smishing and vishing are two types of phishing attacks, sometimes called “social engineering attacks.” While 96% of phishing attacks arrive via email, hackers can also use social media channels. Regardless of how the attack is delivered, the message will appear to come from a trusted sender and may ask the recipient to:
- Follow a link, either to download a file or to submit personal information
- Reply to the message with personal or sensitive information
- Carry out an action such as purchasing vouchers or transferring funds
Types of phishing include spear-phishing, where specific individuals are targeted by name, and whaling, where senior leadership is the primary target. All these hallmarks of phishing can also be present in smishing and vishing attacks.
Smishing — or “SMS phishing” — is phishing via SMS (text messages). The victim of a smishing attack receives a text message, supposedly from a trusted source, that aims to solicit their personal information. These messages often contain a link (generally a shortened URL) and, like other phishing attacks, they’ll encourage the recipient to take some “urgent” action, like claiming a prize, tax refund, or locking their online bank account.
Cybercriminals use increasingly sophisticated methods to make their messages as believable as possible, which is why thousands of people fall for smishing scams every year. In a study carried out by Lloyds TSB, participants were shown 20 emails and texts, half of which were inauthentic; only 18% of participants correctly identified all of the fakes. Just like a phishing attack via email, a smishing message will generally convey a sense of urgency, contain a link, and request personal information. Other clues that a message might be from a hacker include the phone number or email address it comes from, and the message may contain typos. Large institutions like banks will generally send text messages from short-code numbers, while smishing texts often come from “regular” mobile numbers.
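As an added illustration (not part of the original article), the following Python triage function checks an SMS against the indicators just described: urgency wording, a link (especially a shortened one), a request for personal information, and a sender that is a regular mobile number rather than a short code. The keyword lists, the shortener list, the sample messages and the 5-to-6-digit short-code rule are simplifying assumptions made for the example.

```python
import re

# Constructed indicator lists for illustration; a production filter would use
# larger, maintained sets and feed into a broader classifier.
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|locked|final notice)\b")
DATA_REQUEST_RE = re.compile(r"\b(verify your|confirm your|password|card number|pin|login)\b")
SHORTENER_DOMAINS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def is_short_code(sender: str) -> bool:
    """Assumption: a 5- or 6-digit sender is a carrier short code (what banks
    typically use); anything longer is treated as a regular mobile number."""
    digits = re.sub(r"\D", "", sender)
    return 5 <= len(digits) <= 6


def smishing_indicators(sender: str, body: str) -> list:
    """Return the indicators from the text above that this message exhibits."""
    text = body.lower()
    flags = []
    if URGENCY_RE.search(text):
        flags.append("urgency")
    hosts = [h.lower() for h in URL_RE.findall(body)]
    if hosts:
        flags.append("contains_link")
        if any(h == d or h.endswith("." + d) for h in hosts for d in SHORTENER_DOMAINS):
            flags.append("shortened_url")
    if DATA_REQUEST_RE.search(text):
        flags.append("requests_personal_info")
    if not is_short_code(sender):
        flags.append("regular_mobile_sender")
    return flags


def risk_level(flags: list) -> str:
    """Coarse rating: several indicators together are far more telling than one."""
    if len(flags) >= 3:
        return "high"
    return "suspicious" if flags else "low"


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("+1 555 012 3456", "URGENT: Your bank account has been locked. Verify your "
                        "card number at https://bit.ly/example-constructed within 24 hours."),
    ("65432", "Your one-time code is 482913. It expires in 10 minutes."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        flags = smishing_indicators(sender, body)
        print(f"{sender!r}: {risk_level(flags)} {flags}")
```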
Like the targets of other types of phishing attacks, the victim of a vishing attack receives a phone call (or a voicemail) from a scammer who pretends to be a trusted person and attempts to elicit personal information such as credit card or login details.
A vishing scam often starts with an automated message telling the recipient that they are the victim of identity fraud. The message asks the recipient to call a specific number; when they do, they are asked to disclose personal information. In the case of nonprofits, hackers may then use that information to gain access to your database and steal private data about your wealthier donors.
Vishing attacks share many of the same hallmarks as smishing attacks. In addition to these indicators, we can categorize vishing attacks according to the person the attacker is impersonating:
- Businesses or charities — Such scam calls may inform you that you have won a prize, present you with an investment opportunity, or try to solicit a charitable donation directly. If it sounds too good to be true, it probably is.
- Banks — Banking phone scams will usually incite alarm by informing you about suspicious activity on your account. Always remember that banks will never ask you to confirm your full card number over the phone.
- Government institutions — These calls may claim that you are owed a tax refund or required to pay a fine. They may even threaten legal action if you do not respond.
- Tech support — Posing as an IT technician, an attacker may claim your computer is infected with a virus. You may be asked to download software (which will usually be some form of malware or spyware) or allow the attacker to take remote control of your computer.
While individuals can find resources online, nonprofits should provide all employees with IT security training. Training helps ensure that all employees are familiar with the common signs of smishing and vishing attacks, which can reduce the chance that they fall victim to one.
However, the best thing you can do for your employees and your organization is to take a free vulnerability test and learn how you can better protect your donor data before it's too late.