What Are Phishing, Smishing, Vishing in Cyber Security

What Are Phishing, Smishing, And Vishing

Phishing, Smishing, and Vishing are each a type of cyber attack in which an attacker sends a message that attempts to trick the victim into following a fraudulent link, installing malicious software, or disclosing private information.

The messages an attacker sends can be through email, messaging apps, scam text messages, phone calls, social media accounts, and other forms of communication.

The aim of these attacks can be to steal personal and financial information, or to gain access to devices and accounts.

Initial messages are often sent to large sets of contact details acquired through online sources. Phishing scams form the most common form of cybercrime, with an estimated 3.4 billion phishing emails sent each day.

    Phishing Attacks

    Phishing most often refers to fraudulent emails. The emails are crafted to encourage recipients to follow malicious links, enter their credentials, download software, or carry out other actions.

    Phishing has become more sophisticated over time, with modern iterations beginning to use AI to generate more convincing messages.

    In general, Phishing is an untargeted attack. The same email is sent to a large set of addresses, which may cover a region of the world, a particular industry, or employees in certain roles.

    With untargeted attacks, the larger the initial set of recipients, the more likely it is that a small percentage will succeed. With a reported click rate of around 18% on Phishing emails, the attack remains worthwhile even when most recipients ignore it.

    Clone Phishing Attacks

    Clone Phishing is a slight variation of traditional Phishing techniques, which is more targeted towards individual organizations.

    In a Clone Phishing attempt the attacker first obtains a genuine email from a company, for example a real notification or invoice, and then clones the exact email template, including the wording, images, and signatures.

    The attachments, embedded links, or invoice payment details are then swapped for the attacker's own, and the email is sent to impersonate the legitimate company. Because the message matches one the recipient has seen before, it attracts far less suspicion than a generic lure.

    As a Phishing scam becomes more sophisticated and targeted it often has a higher click rate, and some testing companies report a click-through rate of around 50% with their tests conducted using Clone Phishing techniques.

    Angler Phishing Attacks

    A more recent variant of Phishing is for attackers to contact users directly through social media messages. Because these platforms are outside a company's control, the filtering and link inspection applied to corporate email generally do not apply.

    Angler Phishing takes many forms, and commonly involves impersonating the customer service or tech support accounts of companies that a user has publicly complained about or asked for help with.

    Spear Phishing Attacks

    Spear Phishing is the more targeted form of a Phishing attack. Unlike general Phishing which targets email addresses in large batches, Spear Phishing targets specific individuals or specific businesses.

    Spear Phishing typically involves more research and planning and so produces a more sophisticated and convincing attack method. The messages are customized using relevant information and referencing other individuals within the organization, products that are used, or projects and clients that are worked with.

    While the overall volume of Spear Phishing is lower than general Phishing, it is the form favoured by organised hacking groups and it has a much higher click rate: around 18% for Phishing campaigns compared with around 53% for Spear Phishing campaigns.

    Whaling Attacks

    Whaling is a further more targeted version of Spear Phishing attacks, with the targets becoming specific high-profile individuals within organizations such as directors, shareholders, and executive roles.

    Whaling attacks will involve more extensive research than other types of Phishing attacks to provide as much legitimacy and personalization to messages as possible and therefore increase the likelihood of their success.

    Whaling attacks can often use other forms of attack to establish some initial access and make the Whaling attack more convincing. Phishing or Spear Phishing attempts may be made to compromise some initial user accounts, and these accounts are then used as part of the Whaling attack.

    Smishing Attacks

    A Smishing attack is a variant of Phishing that relies on SMS text messages rather than email messages.

    The objectives of SMS Phishing are the same as email Phishing: to convince users to follow a malicious link, open a document, or disclose information and credentials, with the text message as the initial attack vector. Links in text messages are frequently shortened, so the destination cannot be judged from the message itself.

    Vishing Attacks

    A Vishing attack is another variant of Phishing that utilizes voice calls and voice messages rather than delivering their message over email.

    With a Voice Phishing attack, the attacker uses phone calls to talk victims through a process that ends with them disclosing banking details or other sensitive information, or installing remote-access software. Caller ID can be spoofed, so the number displayed is not evidence of who is calling.

    Quishing Attacks

    Quishing is a further variant of Phishing that uses QR codes as the attack vector. The QR codes are still delivered through email, however many email filters are designed to inspect text and URLs for malicious links.

    As a QR code is an image, the URL it encodes is not visible to a filter that only reads text, and the message can reach the user's inbox. When the user scans the code, usually with a personal phone, the link is opened on a device that sits outside the organisation's email gateway and web proxy, so any URL rewriting or blocking applied to email links is also bypassed.

    How Common Are Phishing, Smishing, And Vishing Attacks

    There were around 255 million Phishing campaigns in 2022 with more than 70% of these emails being opened by the recipient.

    The Mimecast State of Email Security 2023 report shows that of the companies surveyed 97% confirm that they have received Phishing attacks via email.

    Around 80% of the companies that responded to the survey reported that a security incident had resulted in the initial compromise spreading to other user accounts.

    How Successful Are Phishing, Smishing, And Vishing

    The estimated rate for which a user follows links provided in a Phishing email is estimated to be around 18%, increasing to 53% with Spear Phishing.

    Around 1 billion unwanted SMS messages are sent every minute globally, and between 9% and 14% of recipients will follow the links in a scam text message.

    Vishing can have a higher success rate of around 26% and has been increasing in volume, with roughly 68.4 million victims of phone scams reported in America in 2022.

    Phishing Incidents May Be Unreported And Go Unnoticed

    A security incident is not always as obvious as ransomware locking the affected device. Only around 27% of breaches were disclosed by the attacker, through ransomware or other means.

    Security breaches are more often discreet and go unnoticed by the affected individuals or companies. In these cases a compromised account or device may be quietly used to harvest data or maintain persistent access.

    When a breach is discreet it is most often a third party that identifies it, in about 40% of cases, while a company's own internal teams identify it in around 33% of cases.

    It is estimated that on average it takes 241 days to identify and contain such a breach.

    What Does Phishing, Smishing, And Vishing Achieve

    Financial Motivations

    The ultimate goal of most types of cyber attacks is largely financially motivated. This may aim to directly receive financial returns from the victims of the attack, such as in the case of ransomware, or gather bank details and account numbers.

    In many cases, the financial rewards can be obtained through the sale of your data, your credentials, or access to your business.

    Credentials

    Stealing credentials is a common attack strategy for many Phishing scams. An attacker’s aim will be to lure you to a website they control, which has the appearance of legitimacy.

    Once there, a login prompt for a service you are familiar with is presented. Any credentials entered are collected by the attacker, and the page can even replicate an MFA prompt so that the one-time code is captured as well.

    Credentials can later be sold in bulk to third parties or used as the basis of more targeted attacks such as Spear Phishing and Whaling.

    Sensitive Information

    Information related to your business, bank account, or personal details is often targeted for collection. This may be for sale to third parties, but can also be part of an initial information-gathering stage of a more sophisticated and targeted attack.

    The more specific and useful the information and private details gathered in the initial stages of an attack, the more likely this can result in a more successful targeted attack.

    Persistent Access

    Persistent access to accounts and devices can be used for several purposes.

    • Further Attacks using compromised devices as an access point to target internal systems or other employees.
    • Botnets are created from an attacker-controlled network of compromised devices. A botnet can be used for attacks such as Distributed Denial of Service (DDoS).
    • Monitoring and Information Harvesting can be conducted on compromised devices. This can include recording keystrokes, copying authentication data, copying financial details, or copying files.
    • Selling access to third parties who may have their own targeted attacks they wish to conduct, and a previously compromised device will save time and effort.

    What Is The Cost Of Phishing, Smishing, And Vishing Attacks

    As incidents of Phishing can go undetected or unreported the actual numbers will be estimates based on known incidents and the overall average can be impacted by large high-profile cases.

    The true cost of any security incident to an individual company can vary for many reasons. The global average for a company is estimated to be around $4.35 million and the global cost of cybercrime is around $8 trillion.

    There are some common impacts that should be taken into consideration when weighing the cost of recovery compared to the cost of protective and preventative actions.

    • How long will it take to recover from a security incident and how much downtime for services and business operations will this have?
    • How much will need to be invested in internal staff costs, third parties, or new equipment and software to resolve an issue?
    • What reputational damages will a security breach have for your company and your existing or future clients?
    • Depending on the security incident, legal costs and fines can quickly add up. Even large companies may not recover from such incidents, with Mossack Fonseca closing down in the aftermath of the Panama Papers security incident.

    Examples of Phishing, Smishing, And Vishing

    Phishing

    Google and Facebook were both impacted by a Phishing attack, where an attacker impersonated an existing company and provided falsified invoices. These invoices were paid and resulted in losses of over $100 million.

    Smishing

    During the COVID-19 pandemic, many Smishing scams and other Phishing attacks sharply increased as attackers sent scam text messages aimed at utilizing the health crisis for their own benefit.

    Many people began receiving a text message regarding Covid related fines, or even claims of financial aid, encouraging people to click on links and enter their information.

    Vishing

    Many vishing scams are reported around tax periods, claiming to be a government representative and stating that taxes have not been paid or have been underpaid.

    These fraudulent calls involve a scammer impersonating a government department and applying pressure to unsuspecting victims so that they comply with instructions to provide sensitive data or pay fictitious fines.

    Quishing

    A US-based energy company received a large number of emails that contained QR codes that targeted a user’s Microsoft credentials.

    The QR codes would guide users to a webpage imitating the appearance of a Microsoft login portal, where credentials were then collected by the attackers.

    Whaling

    Over $17 million was stolen from Scoular as part of a Whaling attack that targeted high-level individuals within the company with a falsified mergers and acquisitions deal.

    Bypassing MFA With Phishing, Smishing, And Vishing Attacks

    Even with Multi-Factor Authentication (MFA) enabled on your accounts, it is still possible to fall victim to a Phishing scam and have your accounts compromised.

    While Multi-Factor Authentication (MFA) should be used wherever it is available, it does not provide complete protection from Phishing, so other security measures and security awareness training are still required.

    Bypassing MFA Login Portals

    The 2024 State of the Phish report from Proofpoint shows that over 1 million Phishing attacks are launched every month using tools to bypass MFA.

    An MFA bypass attack still begins with a Phishing message and a malicious link; however, the linked site is a reverse proxy that replicates, step by step, the process of logging in to your legitimate account with MFA. This is often called an adversary-in-the-middle (AiTM) attack.

    • The login prompt will initially appear the same, however under scrutiny the URL will not belong to the legitimate company.
    • The username and password you enter into the fraudulent website are forwarded by the attacker's proxy to the legitimate website.
    • The legitimate site then asks for an MFA code; the attacker's site shows you the same prompt, and forwards the code you enter to the legitimate login.
    • The attacker now holds an authenticated session with the legitimate site, created using the credentials and code you supplied.
    • The forwarding is automated so that one-time codes are used within their short validity window.

    In some cases the attacker will even redirect the user to the legitimate site once the login details have been captured.

    The user either has to repeat the login, or the proxy simply passes the real authenticated session through to them, so nothing appears to have gone wrong. What the attacker keeps is the session cookie or token issued after MFA, which can be replayed from their own machine until it expires or is revoked. Codes sent by SMS, authenticator-app codes, and push approvals can all be relayed this way. Phishing-resistant MFA, such as FIDO2/WebAuthn security keys and passkeys, cannot, because the credential is bound to the site's origin and the browser will not produce a valid response for the attacker's domain.
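The difference between a relayable code and an origin-bound credential is easier to see in code. The following is an added illustration, not code from the original article or from any real phishing kit: a legitimate site, a user's authenticator, and an attacker's proxy are all simulated in one process. The TOTP verification follows RFC 6238 with a constructed shared secret; the "WebAuthn" part is a simplification in which an HMAC stands in for the authenticator's public-key signature, but it keeps the property that matters, that the origin the browser saw is part of the signed data. The domain names are assumed.

```python
"""Why an AiTM proxy can relay a TOTP code but not a WebAuthn/passkey assertion.
Added illustration; all parties are simulated, names and secrets are constructed."""
import hashlib
import hmac
import struct
import time

LEGIT_ORIGIN = "https://login.example.com"          # assumed legitimate site
PHISH_ORIGIN = "https://login.example-secure.com"   # assumed attacker proxy

# --- Legitimate site, factor 1: TOTP (RFC 6238) ------------------------------
TOTP_SECRET = b"user-shared-secret"  # constructed; normally provisioned via QR

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time counter with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def site_verify_totp(code: str, unix_time: int) -> bool:
    """The site only sees a six-digit string; it cannot tell who typed it."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))

# --- Legitimate site, factor 2: WebAuthn-style assertion ---------------------
AUTHENTICATOR_KEY = b"private-key-on-users-device"  # stand-in for the key pair

def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser hands the authenticator the origin of the page that asked.
    That origin is bound into the signed data and the attacker cannot edit it."""
    client_data = f"{challenge.hex()}|{origin_seen_by_browser}".encode()
    sig = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def site_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """The relying party checks the signature over the challenge it issued
    *and its own origin*; an assertion made for another origin fails here."""
    expected = f"{challenge.hex()}|{LEGIT_ORIGIN}".encode()
    if assertion["client_data"] != expected:
        return False
    good = hmac.new(AUTHENTICATOR_KEY, expected, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, assertion["signature"])

# --- Attacker's reverse proxy: forwards whatever the victim submits ----------
def aitm_relay_totp(victim_code: str, unix_time: int) -> bool:
    # A code is just text; the proxy submits it to the real site within the window.
    return site_verify_totp(victim_code, unix_time)

def aitm_relay_webauthn(challenge_from_site: bytes) -> bool:
    # The proxy passes the real challenge on, but the victim's browser is on the
    # phishing origin, so the authenticator signs for that origin.
    assertion = authenticator_sign(challenge_from_site, PHISH_ORIGIN)
    return site_verify_assertion(assertion, challenge_from_site)

if __name__ == "__main__":
    now = int(time.time())
    typed_code = totp(TOTP_SECRET, now)            # what the victim typed into the fake page
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(typed_code, now))
    chal = hashlib.sha256(b"server-nonce").digest()
    print("WebAuthn relayed through proxy accepted:", aitm_relay_webauthn(chal))
```

The first relay succeeds because the site has no way to know where the code was typed; the second fails because the origin is inside the signed data. Real WebAuthn also ties the credential to the relying party ID at registration, so the attacker's domain would not even be offered the credential.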

    Identifying Phishing, Smishing, And Vishing Attacks

    Signs of Phishing, Smishing, And Vishing Scams

    When you receive a message, there are several indicators that can help identify a potentially fraudulent request.

    Malicious Links

    In most instances Phishing can be identified through the links provided, as an attacker will usually register a domain similar to that of the legitimate company, with letters swapped, added, or replaced by lookalike characters. The visible text of a link can also differ from where it actually points, so the destination should be checked by hovering over it or inspecting the message source, not by reading the link text.

    Some scrutiny of the links and domain names can often identify this type of Phishing. In many cases it is good practice not to follow links in unexpected emails at all, but to navigate to the company's website directly or via a saved bookmark.
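The checks described above can be automated for a reporting inbox or a mail gateway. The following is an added example, not code from the original article: it pulls every link out of an HTML email, compares the domain shown in the anchor text with the domain the link really points to, and flags domains that resemble a trusted one after folding accents, confusable characters, and punycode. The trusted-domain list, the confusable table, and the sample email are constructed for illustration; a production version would use the Public Suffix List rather than the "last two labels" shortcut used here.

```python
"""Audit the links in an HTML email for lookalike domains.
Added example; allowlist, confusable table and sample email are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import unicodedata

TRUSTED = ["example.com", "bank-example.com"]          # assumed allowlist

# Digits and Cyrillic letters commonly substituted for Latin ones (illustrative subset)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x"})

def registrable(host: str) -> str:
    """Last two labels of the host, with punycode decoded to Unicode first.
    A crude stand-in for the Public Suffix List, which real tooling should use."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    return ".".join(host.split(".")[-2:])

def normalise(domain: str) -> str:
    """Fold accents and confusables so exämple, examp1e and examрle all read example."""
    decomposed = unicodedata.normalize("NFKD", domain)
    base = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return base.translate(CONFUSABLES).replace("-", "").replace(".", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host: str) -> str:
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    labels = host.lower().split(".")
    for t in TRUSTED:
        brand = t.split(".")[0]
        if (normalise(reg) == normalise(t)                        # confusable swap
                or edit_distance(normalise(reg), normalise(t)) <= 2   # typo
                or brand in labels):                               # brand used as a subdomain
            return f"lookalike of {t}"
    return "unknown"

class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html: str) -> list:
    """One finding per link: real destination, its verdict, and whether the anchor
    text names a different domain than the href (display mismatch)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        mismatch = "." in shown and registrable(shown) != registrable(host)
        findings.append({"href": href, "text": text, "verdict": classify_domain(host),
                         "display_mismatch": mismatch})
    return findings

# Constructed sample: one trusted link and four lookalikes of example.com
SAMPLE_EMAIL = """<p>Your account has been locked. Act within 24 hours.</p>
<a href="https://login.examp1e.com/reset">https://login.example.com/reset</a>
<a href="https://example.com.account-verify.net/x">Verify now</a>
<a href="https://www.example.com/help">Help centre</a>
<a href="https://xn--exmple-cua.com/">Example</a>
<a href="https://exam\u0440le.com/login">example.com</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f"{f['verdict']:<26} mismatch={f['display_mismatch']!s:<5} {f['href']}")
```

The display-mismatch flag is the cheapest signal: an anchor whose text reads one domain and whose href points at another is almost never legitimate. The lookalike verdict is a heuristic and will produce false positives on unrelated short domains, so treat it as a triage score rather than a block decision.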

    Urgency

    For many attacks, creating a sense of urgency is heavily relied upon in the language which is used. This can be with threats of fines, legal action, or an urgent task at work, and can even warn you of a suspected security breach or compromise that you need to take action to resolve.

    This urgent language is used to cause fear or panic, and prompt people to respond without considering the potential risks of following the fraudulent links provided or downloading the malicious software attached.

    Spelling and Grammar

    While poor spelling and grammar have often been relied on to identify suspicious messages, with the development of AI and freely available tools such as ChatGPT, it should not be relied upon to detect fraudulent emails.

    Well-formatted messages can also be part of a Phishing campaign, particularly with more targeted and sophisticated attacks.

    Generic Introductions and Greetings

    Generic messages or greetings have often been used to identify fraud, but this also should not be relied upon to spot Phishing.

    While some initial Phishing messages may be impersonal, many campaigns automatically collect names and contact information from sources such as LinkedIn and tailor the message to the people who work at a company.

    Spear Phishing and Whaling attempts will also be based on a large amount of research and information gathered about their targets. Generic messages alone shouldn’t be relied upon as targeted personal messages can be used.

    Avoiding Compromise From Phishing, Smishing, And Vishing

    While there are methods to limit the number of Phishing messages you receive and you can conduct staff training to identify these types of attacks and prevent Phishing, security incidents can still occur. In addition to training and preventative actions, an incident response plan should also be put into place.

    The following measures can be used to reduce the number of potential security issues which you may have to resolve.

    Staff Security Training

    In addition to staff security awareness training, there are tools available to simulate Phishing attempts and train your staff on how to identify these types of attacks.

    The following are examples of companies that offer Phishing simulations for training purposes.

    Credentials

    While it is always recommended to use strong and unique passwords, if a user enters their credentials into a Phishing site, those account details will inevitably be compromised.

    Unique passwords for all of your other accounts limit the extent of a compromise, and MFA provides another barrier, although there are bypass methods for it as described above. Where possible, prefer phishing-resistant methods such as security keys or passkeys over codes that can be typed into a fake page.

    Direct Contact

    If you receive a suspicious message claiming to be from someone you know or a company you know, reach out and contact them through alternative methods that you have used before and are trusted.

    You can then verify the request directly and not through the contact information or links provided in the suspicious message.

    Reporting Systems

    If any messages are suspected, for any reason, have a dedicated process within your company to flag and report these messages for further investigation.

    A dedicated inbox to forward messages to, a chat group, or named individuals to whom suspected messages are reported can each be set up so that users can raise concerns over any message they receive.

    Use Phishing Filters

    Many email services and third-party companies have tools available to identify suspected Phishing emails and to filter them, so they don’t appear in a user’s inbox. Making use of these tools can vastly reduce the number of spam messages you receive.

    Use File Attachment Filters

    Email services and third-party companies have filters to limit the emails you receive based on the file type that is attached. For most of your day-to-day business, there is likely a very small number of files such as Word documents or PDFs which you may expect.

    You can restrict other file types to reduce the potential for malicious file attachments to arrive.
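Restricting by extension alone is easy to fool, because the name of a file and its contents are independent: an executable can be renamed to .pdf, and a double extension such as invoice.pdf.exe shows as a PDF in a mail client that hides known extensions. The following is an added example, not code from the original article, of an attachment policy that combines an allowlist of expected types with a check that the leading bytes of the file match the extension. The policy lists, the magic-byte table, and the sample attachments are constructed for illustration and are deliberately short; a gateway would also open archive and disk-image containers, and a content-inspection or sandbox layer goes well beyond this.

```python
"""Attachment policy: extension allowlist plus content/extension agreement.
Added example; policy lists and sample files are constructed."""

ALLOWED_EXT = {"pdf", "docx", "xlsx", "txt", "png", "jpg"}          # assumed policy
BLOCKED_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "bat",
               "cmd", "ps1", "msi", "jar"}

# Leading bytes that identify common formats (partial, illustrative)
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",            # docx/xlsx are zip containers
    b"MZ": "exe",                    # Windows PE: also DLL, SCR
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

def sniff(data: bytes) -> str:
    """Identify the format from the first bytes, ignoring the filename entirely."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"

def extensions(filename: str) -> list:
    """All suffixes after the first dot, lowercased: 'a.pdf.exe' -> ['pdf', 'exe'].
    Looking at every suffix, not just the last, catches double-extension tricks."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def evaluate(filename: str, data: bytes) -> tuple:
    """Return (allowed, reason) for one attachment."""
    exts = extensions(filename)
    if not exts:
        return False, "no extension"
    final = exts[-1]
    blocked = [e for e in exts if e in BLOCKED_EXT]
    if blocked:
        return False, f"blocked type {blocked[-1]}"
    if final not in ALLOWED_EXT:
        return False, f"type {final} not on allowlist"
    kind = sniff(data)
    if final == "txt":
        # plain text must not start with any binary header we know of
        if kind != "unknown":
            return False, f"text file starts like {kind}"
        return True, "ok"
    expected = "zip" if final in ("docx", "xlsx") else final
    if kind != expected:
        return False, f"content looks like {kind}, extension says {final}"
    if kind == "zip" and b"vbaProject.bin" in data:
        # OOXML keeps VBA in a part named vbaProject.bin; the name is visible in
        # the zip directory without decompressing anything (heuristic, not a parser)
        return False, "Office document contains a VBA project"
    return True, "ok"

# Constructed sample attachments, truncated to the bytes that matter
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00",
    "report.docx": b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
    "scan.pdf": b"MZ\x90\x00\x03\x00",                    # executable renamed to .pdf
    "quote.docx": b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin",
    "notes.txt": b"Meeting at 10.\n",
    "update.iso": b"\x00" * 16,
}

def run_policy() -> dict:
    """Apply the policy to every sample and return {filename: (allowed, reason)}."""
    return {name: evaluate(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in run_policy().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name:18} {reason}")
```

Two of the samples pass the extension allowlist and are still rejected: scan.pdf because its bytes are a Windows executable, and quote.docx because it carries a VBA project. That is the point of checking content as well as name.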

    Set Up Antivirus Software

    In the event a malicious file is downloaded, antivirus software can be used to identify and block files from running on your device.

    Use Accounts With Limited Permissions

    Where a malicious file does execute, limiting the damage it can do is a priority. Malicious files will initially execute under the permissions of the user who runs the file.

    Setting up your day-to-day user accounts under the principle of least privilege, with limited permissions, can help minimize the permissions, access, and damage that any malware can cause.

    Maintain Updates

    Some malware targets known vulnerabilities in outdated operating systems or software. Although the malware initially runs with the limited permissions of the user, exploiting an unpatched vulnerability can allow it to raise its own privileges on the device.

    Maintain regular updates for all of your systems to prevent any malicious software from exploiting known vulnerabilities in your devices. Regular vulnerability scans of your devices can be run to confirm this.

    Utilize Encryption

    For your important data, maintaining its security can be critical. In the event a user account is compromised, additional layers of protection can be set up around confidential information.

    Encryption adds such a layer only when the key is not available to the compromised account: for example, data encrypted to a key held on a hardware token, or in a separate key management service that requires its own authentication. Full-disk encryption, or file encryption that the logged-in user can transparently decrypt, does nothing against an attacker acting as that user.

    Combination of Tactics and Techniques

    For many attacks, there will be variations, slight updates to techniques, and a combination of different attack vectors such as Phishing, Smishing, and Vishing used together to initially gain access to your systems and then progress the attack towards Spear Phishing and Whaling attacks.

    A security strategy and a company’s security awareness training program should take into account the different attack strategies and attack methods that exist, and ensure their users understand the risks, how they can be targeted, and how they can avoid such attacks.

    Conclusion

    The first Phishing scams are considered to have started in the 1990s. This was part of an AOL scam, where administrators were impersonated in an attempt to gain access to the login credentials of legitimate users.

    Since this time, after almost three decades, Phishing has drastically increased in its prevalence and evolved into multiple variations, using almost all messaging formats that are available.

    While many attempts are easily identifiable, more sophisticated attacks can be indistinguishable from a legitimate message, and the availability of AI tools lowers the barrier for many more attackers to produce convincing Phishing messages.

    While there are many defensive tools and security layers that can be employed to protect yourself and your business, which should be done, one of the biggest impacts on improving your security is to set up a security awareness training program.

    Ensuring all your teams understand the different types of risk, how and why they can be impacted, and how to avoid such issues can significantly reduce the likelihood of your organization falling victim to a Phishing attack.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.