Phishing, smishing, vishing: it all sounds like some silly children’s game, doesn’t it? But it’s anything but silly. All three are variants on social engineering: tricking someone into doing something they wouldn’t normally do, and putting both themselves and their employer at risk. That’s a serious crime and can have serious consequences.
Before diving into advice on what you should do about these threats, here are some definitions to start with.
What Is Phishing?
Phishing happens when the social engineering occurs over email: something comes into your inbox asking you to click on a link to change your password, or confirm a delivery address, or verify a transaction. Click on that link and you’ll get redirected to a web page that asks you for information: a username, password and possibly all sorts of other personal data. Except that web page isn’t what you think it is, but a dummy page controlled by some criminal intent on stealing your personal information.
Sometimes phishing doesn’t ask for information, but the click downloads malware instead, or the email comes with malware in an attachment — which you have to click to open. In any case, the result is a security breach, and the root technique was social engineering via email. When phishing is aimed very precisely at someone in your company with a highly personalized message, it’s called spear phishing — because that’s how you catch the really big fish.
What Are Smishing and Vishing?
Smishing — so named because text messages were originally known as Short Message Service (SMS) messages — has the same goal, but the delivery mechanism isn’t email. Instead, the link comes in via a text message, or one of the many messaging-style apps: WhatsApp, Facebook Messenger, Signal, Google Hangouts, Telegram, Viber, Skype, Twitter DM, Line, WeChat, Snapchat … the list goes on. The result, though, is the same: a request to click on something, and stolen credentials or a nice piece of malware aimed right at your phone.
Vishing is a little different: it’s social engineering via voicemail, where the goal is either to get you to call some obscenely expensive phone number or information service with your mobile phone or just get you on the line to be sweet-talked into giving up your credit card number.
Solving social engineering is hard because, generally, people want to trust each other and be helpful. But to reduce the risk of phishing, smishing and vishing causing a security breach, think along three axes of defense: your people, your network and your devices.
Armor Your People
The best defense against any social engineering attack is an educated user community. The smarter your staff are about various kinds of attacks, what they look like, and what to do when one is seen, the better off you are. There is no technical defense you can find that will be as strong as a smart human being. To help vaccinate your users against these attacks, think about multi-channel education. No single approach will work and everyone learns differently. This means a constantly rotating set of educational tools: presentations, memos, short training courses, newsletter articles, screensavers and even person-to-person visits.
Use tools such as fake phishing campaigns to help educate staff, and to identify those who might benefit from a gentle in-person visit and some one-on-one training. Our post on mobile security training has other ideas you can use.
Armor Your Business
You’ve already got the usual perimeter and network defenses: mail security gateways keeping phishing (but not smishing!) from coming in, proxies and URL filters trying to keep users off malicious web sites, and SIEMs watching events to create a monitoring and reporting layer. But what else can you do to protect the business from phishing and smishing?
Your number-one defense is multi-factor authentication. Why? Because the results of phishing and smishing are almost always credential theft. By making usernames and passwords useless to a thief, and shifting to multi-factor authentication, you’ve mitigated the risk of the attack.
Not all phishing goes after credentials, however. Sometimes attackers go for the quick hit by trying to steal credit card numbers, a more personal attack than one aimed at the business. When your applications and users are on mobile devices, biometrics are a great second factor.
A second common attack delivered via phishing and smishing is ransomware: a piece of malware that encrypts everything accessible to the victim. Help to defang ransomware by ensuring that personal devices never have significant amounts of valuable information, and that continuous data protection — not nightly backups — or a versioning data store (such as Microsoft SharePoint) is in place to allow you to quickly recover from any corrupt data caused by ransomware.
Armor Your Devices
Laptops usually have endpoint security solutions on them to help protect against malware, and this same protection can be extended to mobile devices — although the jury is still out on whether this is truly effective. That doesn’t mean you shouldn’t be looking at options to help protect devices against smishing, a different type of attack vector.
Because smishing can come via so many different messaging applications, one way to protect the device itself is to put a cloud-based URL filtering and anti-malware service between the device and the internet. By configuring a mandatory URL filter as a proxy in your Mobile Device Management (MDM) tool, you’ve got someone out there looking at every click, no matter where it originates — as long as the on-device application respects these settings. Test with the most popular tools, and consider blocking applications (again, in the MDM tool) that don’t respect the device’s security configuration.
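As an added example (not code from the original post), here is a small Python model of the control described above: a stand-in for the cloud URL filter deciding what happens to a tapped link, plus an audit that lists which apps reached the internet without the mandatory proxy and so are candidates for blocking in the MDM tool. The blocklist, app ids and sample traffic records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the cloud filter's malicious-site feed.
BLOCKED_HOSTS = {"login-verify-example.test", "parcel-update.example"}

@dataclass
class Flow:
    """One outbound request as a device could report it to the MDM tool."""
    app: str          # package / bundle id of the messaging app
    url: str          # link the user tapped
    via_proxy: bool   # True if the request honoured the mandatory proxy

def filter_decision(url: str) -> str:
    """What the cloud URL filter would do with one click: 'block' or 'allow'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "block"                  # unparsable link: fail closed
    try:
        ipaddress.ip_address(host)
        return "block"                  # raw IP literal instead of a hostname
    except ValueError:
        pass
    for bad in BLOCKED_HOSTS:
        if host == bad or host.endswith("." + bad):
            return "block"              # listed host or a subdomain of it
    return "allow"

def bypassing_apps(flows: list) -> set:
    """Apps that reached the internet without the mandatory proxy. The filter
    never sees what they fetch, so they are the candidates to block in MDM."""
    return {f.app for f in flows if not f.via_proxy}

def audit(flows: list) -> tuple:
    """Return (URLs the proxy blocked, apps that bypassed the proxy)."""
    blocked = [f.url for f in flows
               if f.via_proxy and filter_decision(f.url) == "block"]
    return blocked, bypassing_apps(flows)

# Constructed sample traffic: an SMS link the proxy stopped, a chat app that
# ignored the proxy (its malicious link was never inspected), and a normal
# browser request.
SAMPLE_FLOWS = [
    Flow("com.example.sms", "https://login-verify-example.test/reset", True),
    Flow("com.example.chat", "https://parcel-update.example/track?id=1", False),
    Flow("com.example.browser", "https://intranet.example.com/", True),
]
```

The chat app's link is on the blocklist, yet it never appears in the blocked list because the app skipped the proxy; that gap is exactly why the post says to test each app and block the ones that ignore the device's configuration.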
IT managers can try specific suggestions, such as the ones above, to help immunize against phishing and smishing attacks. But the best strategy is a customized one. Look at the three places to protect yourself: users, systems and applications, and devices, and add your own ideas matched to your own environment.
Gaps in enterprise security can be devastating. Take our mobile security assessment to find out if your company is covered — and how you can stay ahead of the curve.