Phishing, vishing, SMiShing – Latest social engineering practices


Many people like to think they’ve outgrown scams that say they’ve instantly won a million dollars on the internet. Over the years these scams have become far more sophisticated than the easily recognisable “Earn $20,000 per week at home!” banners littering our sidebars.

According to a threat intelligence report, phishing attempts more than doubled in 2015. An international cybersecurity group found that 12.9% of internet users in Australia fell victim to phishing attacks in the first quarter of this year alone. With that percentage expected to rise next year, why is Australia such a big target for social engineering attacks?

The answer: because it’s a low-risk, high-reward cybercrime.

Unlike common hacking methods such as denial of service, malware, or brute-force attacks, social engineering relies on psychological manipulation, exploiting the human mind rather than vulnerabilities within a system. Unfortunately, that requires nowhere near the skill of writing malicious code.

In fact, the over-sharing culture pervasive today makes social engineering a breeze. Personal information is ammunition for the cunning social engineer, and people who post plenty of sensitive information online are painting a huge target on their backs. So whether it’s a quick-witted smooth talker or a well-prepared individual who has studied their victim’s social media profile, social engineering can be performed by anyone in any number of ways.

Phishing

Even if you’re not familiar with the term, you’ve probably heard about phishing attacks before. Like all social engineering methods, phishing preys on a target’s trust: the phisher masquerades as a friend, bank teller, celebrity, or government official and persuades the victim to willingly surrender private information.

This is usually done with ‘bait.’ A chance to win a free iPhone, for example, is a simple yet effective phishing ad. Clicking the ad redirects gullible contestants to a survey page where they have to divulge sensitive information to proceed. But the only winners in these surveys are the social engineers, who now have access to valuable personal information.

In this day and age, however, phishing attacks are becoming increasingly sophisticated. Phishing emails are powerful distributors of trojans, keyloggers, and a slew of other nasty exploits. Just a few months ago, Australian Netflix users were duped by a targeted attack, or spear phishing email, titled “Netflix Membership on Hold.” The email informs victims that their membership is inactive and urges them to verify their account information by clicking on the fake link provided.

Both the email and the website had the Netflix logo, no typos, online forms, the works. The fake website was especially convincing: it could identify financial institutions from the credit card numbers entered and detect incorrect data entry, just as you would expect from any legitimate online service. Once the unsuspecting victim fills in the account verification form, the social engineer records login credentials, personal info, and financial details, and then sells them on the dark web.

Sadly, anti-phishing software can only get you so far. Remember, all it takes for a phishing attempt to catch you off guard is hitting the right emotional triggers at the right time, so remain vigilant. Before entering financial information on a website, look for the ‘s’ in https and a lock symbol in the URL bar, bearing in mind that the padlock only confirms the connection is encrypted, not who is on the other end, so check that the domain name itself belongs to the company you expect. Keep a healthy scepticism of all password reset emails, “too good to be true” ads, online surveys, URL links, and email attachments.

Vishing

[Image: example ATO scam call. Image source: Scamwatch]

Vishing, or voice phishing, occurs when an attacker attempts to obtain personal information from targets via a phone call or VoIP. This social engineering method usually creates a sense of urgency to convince the victim to give away sensitive information without critically evaluating the source or motive of the call. Even though modern telephony systems have caller ID, attackers usually spoof the ID so the call appears to come from a trustworthy source.

In a typical scenario, a social engineer posing as a legitimate entity, usually a bank manager, calls and alerts a potential victim to some unusual transactions on their account. After gaining the victim’s attention and trust, the fraudster asks for personal information, PINs, and/or answers to security questions for ‘verification’ purposes. Before realising it, the victim has lost thousands of dollars from their bank account.

It’s often very difficult to tell whether a call is a vishing attempt. Social engineers are normally well prepared and can put on a persuasive performance. As a general rule, be extremely careful about giving away personal information over the phone. If a caller claiming to be from your bank seems suspicious, hang up, use a different phone, and call the number on the back of your credit card to confirm whether the call was legitimate.

SMiShing

Much like the previous social engineering methods, smishing, or SMS phishing, is the act of sending a fraudulent text message in an attempt to trick individuals into disclosing personal information. ‘SMiShers’ either attach malicious links to text messages or ask the target to call a phone number where a vishing attempt will be made.

SMiShing is becoming a popular way to steal personal information purely because of the sheer number of mobile phone users in the world. Text messages are expected to be informal and abbreviated, so the chance of mistaking a dangerous URL for an innocent link is high. Banks also tend to notify customers of credit card transactions via text nowadays, so it’s much harder to tell the difference between a smishing attempt and the real thing.

For that reason, be cautious of unsolicited text messages, especially from unknown numbers. As with vishing, if a bank SMS urges you to call a specific number, call the bank using the number on the back of your credit card or on your bank statement instead.
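The manual checks recommended above for emails (https and the padlock, the domain behind a link) and for text messages (unexpected links, “call this number” requests) can be turned into a simple screening script. The following is an added example written for this article, not code from Empower IT or any vendor. It runs over constructed sample messages embedded in the script (the suspicious domains use the reserved .example TLD and are not real scam sites), and the expected-domain list, the urgency word list and the callback-number pattern are assumptions chosen for illustration; an organisation would replace them with its own allow-list and tuning.

```python
"""Heuristic phishing/smishing indicator check over constructed sample messages.

Added illustration, not part of the original article. It looks for the same
signals the article tells readers to check by hand: plain http instead of
https, links that do not lead to the brand's own domain, urgency wording,
and "call this number" callback requests.
"""
import re
from urllib.parse import urlparse

# Constructed sample messages. The suspicious domains use the reserved
# .example TLD, so they resolve to nothing; they are not real scam domains.
PHISHING_EMAIL = (
    "Subject: Netflix Membership on Hold\n"
    "Your membership is inactive. Please verify your account within 24 hours: "
    "http://netflix.account-verify.example/login"
)
LEGIT_EMAIL = (
    "Subject: Your Netflix bill is available\n"
    "Sign in at https://www.netflix.com/account to view it."
)
SMISHING_SMS = "Your card has been suspended. Call 1800 000 000 now to reinstate."

# Brand -> registrable domains we expect it to link to (an assumption for
# this example; a real deployment would use the organisation's own allow-list).
EXPECTED_DOMAINS = {"netflix": {"netflix.com"}}

# Urgency phrases and the callback pattern are illustrative choices, not a
# definitive list.
URGENCY_WORDS = ("on hold", "suspended", "verify", "urgent", "immediately", "within 24 hours")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CALLBACK_RE = re.compile(r"\b(?:call|phone|ring)\b[^.\n]{0,20}?(\+?\d[\d\s-]{7,}\d)", re.IGNORECASE)
# Two-label public suffixes handled by the naive split below (simplified;
# a full implementation would consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"com.au", "gov.au", "net.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. login.bank.com.au -> bank.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(message: str, claimed_brand: str = "") -> dict:
    """Collect phishing indicators from a message body and return a verdict."""
    findings = []
    text = message.lower()
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append(f"plain http link: {url}")
        if claimed_brand:
            domain = registrable_domain(host)
            if domain not in EXPECTED_DOMAINS.get(claimed_brand, set()):
                findings.append(f"link domain {domain} is not a known {claimed_brand} domain")
                if claimed_brand in host:
                    # The brand name appears as a subdomain of someone else's domain.
                    findings.append(f"brand name used inside a third-party hostname: {host}")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    m = CALLBACK_RE.search(message)
    if m:
        findings.append(f"asks you to call a number given in the message: {m.group(1).strip()}")
    verdict = "suspicious" if len(findings) >= 2 else "no strong indicators"
    return {"urls": urls, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, msg, brand in (("phishing email", PHISHING_EMAIL, "netflix"),
                              ("legitimate email", LEGIT_EMAIL, "netflix"),
                              ("smishing SMS", SMISHING_SMS, "")):
        result = analyse(msg, brand)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The script flags the constructed “Membership on Hold” email on four counts (plain http, a non-Netflix domain, the brand name used as a subdomain of that domain, and urgency wording), finds nothing in the genuine-looking bill notice, and flags the SMS for combining urgency with a callback number. It is deliberately a screening aid rather than a verdict: the domain split ignores most of the Public Suffix List, and a phishing page served over https with a freshly registered domain would pass the first check, which is exactly why the article tells readers to verify through a number they already hold.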

Always be aware

There are plenty of cyber threats in the modern world. Thankfully we have antivirus programs, encryption tools, and intrusion prevention systems to keep us safe. But as you’ve seen here, there’s an even larger threat just around the corner. Phishing, vishing, and smishing may sound like funny, colloquial terms, but they are no laughing matter.

According to the Ponemon Institute, the average cost of a successful social engineering attack is $23,200. That’s a financial loss that is easily avoidable with safe web practices, the latest anti-phishing software, and advice from a trusted managed services provider. Social engineering is turning out to be one of the most damaging and most frequently used cyber-attacks in the world.

Want to avoid a cyber security disaster? Team up with the security consultants at Empower IT. We can give you expert advice on how to deal with phishing, smishing, and vishing that’ll have attackers wishing they never messed with your business in the first place! Contact us today to find out more.