How Not To Get Hooked By Mobile Phishing
29/04/2020
If you have read our previous blog How Not to Get Hooked by Phishing you will hopefully be an expert on what Phishing is and how the cyber criminals can hook you using both Email and Spear Phishing. If your knowledge is a little rusty or you missed our blog pop back and give the article another read here.
Mobile devices have become an integral part of our everyday life and if you are anything like me the organisation of both your home and work life is stored on your mobile. Mobile Phishing attacks have increased by 85% every year since 2011* and are gaining momentum as a corporate attack vector. Implementing a company-wide security-awareness training campaign can help make sure company employees will not make costly errors with information security. You can find out more about our Phishing attack training here.
In this month’s blog we will cover two forms of Mobile Phishing. Read on to find out how you can identify these attacks and how you can keep your data safe.
Vishing
Vishing is the telephone equivalent of email Phishing. The attacker uses automated voice messages or live calls, often behind a spoofed caller ID, to steal confidential information. An attack may happen in the following way:
- The fraudsters will call pretending to be from a trusted source such as a bank employee
- They will create a sense of urgency asking you to share personal data such as bank account numbers or passwords with them or by asking you to dial a number to then share the information
- Once the fraudster has gained this information, they will have easy access to your accounts and finances
How to spot a Vishing Attack
View the video below, a reconstruction of a Vishing attack on a small business in which the fraudster attempted to gain access to confidential data to commit fraud.
Remember that a fraudster carrying out a Vishing attack will:
- Aim to catch you by surprise with an unsolicited call
- Try to gain your trust
- Convey a sense of urgency, hoping you will react to their request for information
What to do if you think you have been contacted
If you think the call is fraudulent, just hang up the phone. Then contact the organisation using a number you know to be correct, such as one shown on a bill or statement, in the phone book, or published on a website you know to be legitimate. If there was a genuine issue, they can then help you accordingly. Be careful, though: scammers can keep your phone line open after you hang up, so wait a few minutes before you make the call.
If you find you have provided personal data to a fraudster, contact the real organisation right away. They will then advise you of the best next steps.
If you have lost money as a result of Vishing you can report it to Action Fraud.
Smishing
Smishing attacks use short mobile phone text messages to carry out an attack. A Smishing text will encourage the victim to reveal personal data via a link that leads to a Phishing website. An attack may happen in the following way:
- The fraudster sends a text message to the intended victim encouraging them to open a link implying the need to take urgent action or to take advantage of an offer
- Once the victim opens the link, the page requests the user’s personal data, or a virus or other Malware is downloaded onto the mobile phone
- This then allows the attacker access to your personal data which could also be used to gain entry to online or bank accounts
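The tell-tale signs in the attack flow above (a brand name that does not match the link's domain, urgency wording, a shortened link that hides the destination, or a request for a PIN or one-time code next to a link) are exactly what a mail or SMS gateway can score before a message ever reaches a user. The following is an added example written for this article, not code from NCI Technologies or from the page: a small Python triage heuristic run over four constructed text messages. The brand names, the `.example` domains and the sample messages are all made up for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators a defender commonly scores in SMS triage (heuristic, not exhaustive).
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours", "account suspended",
    "verify your account", "act now", "final notice", "your parcel",
)
LINK_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Brands a message might impersonate, mapped to the domains they really use.
# Constructed for this example; a real deployment would load this from config.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "parcelco": {"parcelco.example"},
}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostnames of every URL found in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if url.lower().startswith("www."):
            url = "http://" + url
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def registrable(host):
    """Crude registrable-domain guess: the last two labels (adequate for .example)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_sms(text):
    """Score one text message and explain every indicator that fired."""
    reasons = []
    lowered = text.lower()
    hosts = extract_hosts(text)

    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    for host in hosts:
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append(f"link to bare IP address: {host}")
        if registrable(host) in LINK_SHORTENERS:
            reasons.append(f"link shortener hides destination: {host}")
        if "xn--" in host:
            reasons.append(f"punycode (IDN) host: {host}")
        for brand, legit in BRAND_DOMAINS.items():
            # Brand named in the text but the link goes somewhere else.
            if brand in lowered and registrable(host) not in legit:
                reasons.append(f"mentions {brand} but links to {host}")

    if hosts and re.search(r"\b(password|pin|otp|one.time code)\b", lowered):
        reasons.append("asks for a credential alongside a link")

    score = len(reasons)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "clean")
    return {"verdict": verdict, "score": score, "reasons": reasons, "hosts": hosts}


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    # smishing lure: brand mention, urgency, lookalike host
    "ExampleBank: your account suspended. Verify your account within 24 hours "
    "at http://examplebank-secure.example/login",
    # shortener plus parcel-fee pretext
    "ParcelCo: your parcel is waiting, pay the fee at https://bit.ly/3xYz",
    # benign: links to the brand's real domain, no urgency
    "ExampleBank: your statement is ready at https://www.examplebank.example/statements",
    # benign: no link at all
    "Your dentist appointment is confirmed for Tuesday at 10:00.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess_sms(sample)
        print(f"{result['verdict']:10} score={result['score']} {result['reasons']}")
```

The score is deliberately a count of independent indicators rather than a weighted model, so each verdict can be read back to a reason a user or analyst will understand; the brand-to-domain table is the piece worth maintaining carefully, since most smishing succeeds precisely by pairing a real brand name with a domain the brand does not own.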
Examples of a Smishing Attack
What to do if you think you have been contacted
If you think you are the target of Smishing, never click on any links in the text message or respond to it. If you are in doubt, call the real organisation on a contact number you know to be correct to check whether the text message is genuine.
You can report spam text messages directly to your mobile provider free of charge by forwarding them to 7726 from the device you received them on. Which? also offers an online reporting service for scam texts and phone calls; find out more here.
If you have lost money as a result of Smishing you can report it to Action Fraud.
Update your Awareness Training
One of the best ways to make sure company employees will not make costly errors with information security is to implement a company-wide security-awareness training campaign. NCI Technologies offers best-in-class simulated Phishing attack training for businesses. This training is delivered through an automated email campaign that uses email templates based on real-world attacks. It is completely safe, highlights who is susceptible to Phishing, and can auto-enrol those users in more targeted security awareness training.
For more information you can download our security awareness training data sheet here or contact us.
Stay tuned for further blogs in which we investigate other variants of Phishing campaigns to keep a watchful eye out for.
Sources
*https://www.knowbe4.com/phishing
https://www.itproportal.com/features/ten-types-of-phishing-attacks-and-phishing-scams/