Smishing and Vishing and Whaling — Oh My

Smishing, vishing, and whaling might sound ominous, but they are simply terms used to describe different types of phishing attacks. Find out how these attacks differ from the classic phishing scam.

Most people associate phishing attacks with those annoying emails that pop up in their inboxes. These emails might warn you about the impending closure of your bank account (even though you do not have an account there) or let you know that you won the lottery (even though you never play it). Because they miss the mark, the scam is easy to spot.

Although cybercriminals typically use emails to carry out phishing attacks, other deployment methods can be used. For example, a hacker might carry out a phishing attack via text message or phone call. Plus, not all phishing scams are so easy to spot. They can be highly personalized, making it much harder to discern their legitimacy.

People have come up with terms like smishing, vishing, and whaling to describe the different types of phishing attacks. To understand the distinctions between them, you first need to understand what phishing is.


Phishing

Phishing is a form of fraud in which cybercriminals:

  • Masquerade as a reputable person or a legitimate organization.
  • Use psychological manipulation to get victims to divulge sensitive information or perform certain actions. In other words, the hackers use social engineering to get what they want.
  • Use a phishing scam as either a standalone attack or part of a larger attack. An example of the former is a phishing scam designed to get victims to divulge bank account login credentials, which the cybercriminals use to steal money from those accounts. An example of the latter is a phishing scam designed to get victims to visit a website that installs ransomware on their computers, after which the cybercriminals execute the ransomware to hold the victims’ data hostage.

These characteristics are common to all types of phishing scams, including classic phishing, spear phishing, whaling, vishing, and smishing. What differentiates these five types of phishing is the delivery channel used (email, phone call, or text message), the intended targets, and the level of personalization.


Classic Phishing

The phishing scam’s roots have been traced back to the days when America Online (AOL) was in its heyday. In 1995, a group of hackers came up with a scheme to steal money from AOL users. Posing as AOL employees, they sent messages to numerous users through the service’s email and instant messaging systems. The messages asked users to either verify their account details or confirm their billing information. “More often than not, people fell for the ruse,” according to phishing historians. “After all, nothing like it had ever been done before.”

Many of the techniques used in the AOL phishing attacks are still being widely used today. In these classic attacks, cybercriminals send out phishing emails to the masses so people might get them in their personal email accounts or company email accounts. Because the same email is going to numerous people, the message is not personalized. As a result, the message might not even apply to the recipients. For instance, the email might warn the recipients that someone has hacked into their PayPal account but some of them might not have an account with that online payment service.

Classic phishing scams often try to get the email recipients to click a link, which leads to a malicious web page. The page might try to trick them into entering their credentials or it might install malware on their devices.

Another way hackers get malware on victims’ devices is by attaching a weaponized file to the phishing email. Opening the file typically triggers a process that installs the malware. PDF files, Microsoft Word documents, Microsoft Excel spreadsheets, and archive files (e.g., ZIP, RAR) are often used for this purpose. For example, in the second quarter of 2020, cybercriminals used a weaponized archive file to install malware that created a backdoor on victims’ computers, allowing the hackers to remotely access those devices. To get people to open the file, the hackers pretended to be a Global Express customer service rep. The email said that the recipient’s shipment could not be delivered because of mailing restrictions imposed by the government due to the Coronavirus Disease 2019 (COVID-19) outbreak. The attached archive file supposedly contained the documentation and a new tracking number for the shipment. In reality, the file contained the backdoor malware.


Spear Phishing

Like classic phishing attacks, spear phishing scams are typically carried out through emails. However, cybercriminals send significantly fewer emails because spear phishing scams take a more personalized approach. Instead of sending a generic email to the masses, the cybercriminals target specific individuals and personalize the emails sent to them. The emails typically include the target’s name and present the call to action (i.e., the action they want the person to take) in a context that makes sense to the recipient. Businesses are the most common targets. When the attacker impersonates an executive, vendor, or partner in order to get an employee to send a payment or change payment details, the attack is usually referred to as a business email compromise (BEC) scam.

To personalize the emails, cybercriminals perform a lot of research. They often get information about the targets from company websites, social media sites (e.g., LinkedIn, Facebook), and Internet searches. In sophisticated spear phishing scams, though, hackers might do much more than conduct research. For example, in preparation for an attack on a Wisconsin business, a group of hackers created a fake corporation. The scammers then opened several real bank accounts for it, including an account at a bank in Florida.

In this scam, the hackers claimed to be one of the business’s real-life vendors. Posing as the vendor’s credit manager, the scammers sent an email to the accounting manager at the Wisconsin business requesting that all invoice payments be sent to the vendor’s international account rather than the usual account due to problems with the latter. The accounting manager responded, noting that he would not be able to send money to an international account. The scammers wrote back, saying that this wasn’t a problem and he could instead send the payments to another one of their accounts — an account at a bank in Florida. The accounting manager ended up authorizing a payment of more than $1.6 million to the scammers’ account. The standard defense against this kind of fraud is procedural rather than technical: any request to change a vendor’s payment details should be confirmed out of band, by calling the vendor at a phone number already on file, never at a number supplied in the email.


Whaling

A whaling attack is basically a spear phishing scam, except the target is a high-level official, such as a company’s chief executive officer (CEO) or chief financial officer (CFO). In these scams, cybercriminals often try to trick the target into authorizing high-value wire transfers.

Because the stakes are high, advanced technologies are sometimes used in whaling attacks. For example, in 2019, deepfake audio was used to con a CEO into transferring $243,000 to the attackers’ bank account. Deepfakes are counterfeit audio or video clips of people that appear to be real. They are called deepfakes because the fake clips are usually created with a form of artificial intelligence (AI) known as deep learning. In this case, the deepfake audio was used over the phone to impersonate the CEO’s boss, which also makes the attack an example of vishing (described below). The impersonation was so accurate that the CEO did not suspect the voice was synthetic.


Vishing

The term “vishing” is short for “voice phishing”. In vishing attacks, hackers call their targets instead of sending emails to them.

In vishing scams, hackers often send a generic message to the masses. They do so by recording a message and using an auto dialer to deliver it. These robocalls are often used in tech support scams and scams to steal personal information.

Although not as common, hackers sometimes carry out personalized attacks against specific targets. Businesses tend to be the mark in these customized attacks. For example, in July and August 2020, companies were the target of a vishing scam serious enough to warrant a joint cybersecurity advisory from the US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). In this attack, cybercriminals devised an elaborate scheme to get a company’s remote workers to reveal their virtual private network (VPN) login credentials. Posing as IT help desk staff, the callers directed employees to a lookalike copy of the company’s VPN login page that captured not only the password but also the one-time passcode, so a phishable second factor did not stop them. The attackers then used the credentials to access the company’s network in order to steal data.

In personalized vishing attacks, scammers often use caller ID spoofing to help convince the victim that the call is legitimate. Caller ID is not authenticated, so a displayed number is not evidence of who is calling; the safe response to an unexpected call about an account is to hang up and call back on a number you already know. Similarly, scammers often include tidbits of information about the victim in the conversation to gain the person’s trust.


Smishing

The term “smishing” is derived from the words “SMS” and “phishing”. In this type of attack, cybercriminals send Short Message Service (SMS) messages — better known as text messages — to their targets. They pretend to be banks, government agencies, tech support staff, or some other entity in order to con people into doing what they want.

Given that a single text message can only be 160 characters long (using the GSM 7-bit alphabet, without concatenation; fewer if it contains Unicode characters), it is not surprising that most smishing messages are devoid of personalization. On occasion, though, the hackers might include the target’s name.

Smishing scammers try to get their marks to perform an action such as clicking a link. This is what some hackers in Ohio wanted people to do. The hackers pretended to be Fifth Third Bank, which had recently introduced new cardless ATMs that enabled customers to get cash using their mobile phones rather than debit cards. The scammers sent out a text message informing the recipients that their Fifth Third Bank accounts had been locked. To unlock them, the text recipients were told to click a link. It led to a spoofed Fifth Third Bank site, where the victims were prompted to enter their bank account credentials (username, password, one-time passcode, and personal identification number) to unlock their accounts. Because the spoofed site collected the one-time passcode as well, the bank’s second factor offered no protection: the attackers simply replayed it while logging in as the victim.

Around 125 people fell for the ruse. The hackers used the stolen account credentials to add a new phone number (the number for a smartphone in the hackers’ possession) to each victim’s account. The hackers then used the smartphone to withdraw money from the victims’ accounts using the new cardless ATMs. In all, $106,000 was stolen.
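The attack chain above (phished credentials and passcode, a new phone enrolled on the account, a cardless withdrawal minutes later) is exactly the kind of sequence a bank's fraud monitoring can catch even when the login itself looks legitimate. The following is an added example, not code from the original article or from any bank: it runs two simple detections over a constructed event log whose field names and values are assumptions, flagging cardless withdrawals made with a phone number enrolled within the previous 24 hours, and phone numbers enrolled on more than one account.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). The schema is an assumption
# for illustration, not a real banking system's event format.
EVENTS = [
    # Victim 1: credentials phished, new phone enrolled, withdrawal 38 minutes later
    {"ts": "2019-03-04T09:02:00", "account": "A-1001", "type": "login", "device": "new"},
    {"ts": "2019-03-04T09:03:10", "account": "A-1001", "type": "phone_added",
     "phone": "+15135550142"},
    {"ts": "2019-03-04T09:41:00", "account": "A-1001", "type": "cardless_withdrawal",
     "phone": "+15135550142", "amount": 800.00},
    # Legitimate customer: phone enrolled weeks before it is used at an ATM
    {"ts": "2019-02-10T12:00:00", "account": "A-2002", "type": "phone_added",
     "phone": "+15135550199"},
    {"ts": "2019-03-04T18:15:00", "account": "A-2002", "type": "cardless_withdrawal",
     "phone": "+15135550199", "amount": 100.00},
    # Victim 2: the attackers reuse the same phone against another account
    {"ts": "2019-03-04T10:10:00", "account": "A-3003", "type": "phone_added",
     "phone": "+15135550142"},
    {"ts": "2019-03-04T10:25:00", "account": "A-3003", "type": "cardless_withdrawal",
     "phone": "+15135550142", "amount": 900.00},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_withdrawals(events, window=timedelta(hours=24)):
    """Flag cardless withdrawals that use a phone enrolled within `window`.

    Events are processed in timestamp order so that an enrollment is only
    matched against withdrawals that come after it.
    """
    enrolled = {}  # (account, phone) -> time the phone was added
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "phone_added":
            enrolled[(e["account"], e["phone"])] = _parse(e["ts"])
        elif e["type"] == "cardless_withdrawal":
            added = enrolled.get((e["account"], e["phone"]))
            if added is None:
                continue  # phone not seen being enrolled in this log
            elapsed = _parse(e["ts"]) - added
            if elapsed <= window:
                alerts.append({
                    "account": e["account"],
                    "phone": e["phone"],
                    "amount": e["amount"],
                    "minutes_since_enrollment": round(elapsed.total_seconds() / 60),
                })
    return alerts


def phones_enrolled_on_multiple_accounts(events):
    """One phone number enrolled on several accounts is a strong takeover signal."""
    owners = {}
    for e in events:
        if e["type"] == "phone_added":
            owners.setdefault(e["phone"], set()).add(e["account"])
    return {phone: sorted(accts) for phone, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    for a in find_suspicious_withdrawals(EVENTS):
        print("HOLD withdrawal:", a)
    print("shared phones:", phones_enrolled_on_multiple_accounts(EVENTS))
```

In practice the first rule would place a hold on the withdrawal (or require a step-up check through a channel the attacker does not control, such as the phone number that was on the account before the change) rather than just raising an alert; the second rule is what links the 125 victims to a single attacker-controlled handset.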


Knowledge Is Key

No matter the specific type of phishing attack, scammers use psychological manipulation to get what they want. One of the best ways to avoid becoming a victim of their mind games is to learn about the different tricks they use. If you would like more information about the tricks used in classic phishing, spear phishing, whaling, vishing, and smishing scams, let us know.


Cryptocurrency Criminals flickr photo by Infosec Images shared under a Creative Commons (BY) license