SPEAR PHISHING: As defined by the U.S. Director of National Intelligence, spear phishing is a type of phishing campaign that “targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.” Like other social engineering attacks, spear phishing “takes advantage of our most basic human traits, such as a desire to be helpful, provide a positive response to those in authority, a desire to respond positively to someone who shares similar tastes or views, or simple curiosity about contemporary news and events.”
VISHING: Vishing is a type of phishing in which the attacker tries to gain information from the user through a phone call or voicemail. “Like phishing, the attacker will call under the guise of a legitimate business to get the user to take an action,” Glenn says.
SMISHING: With smishing, another type of phishing, the attacker attempts to reach the user through SMS text messages, professing to be a legitimate contact and hoping the intended victim will click on a malicious link on his or her mobile device.
How Can You Protect Your Organization from These Attacks?
The best way to prevent the risks from phishing, vishing and smishing is a combination of cybersecurity tools, education and practice to help users recognize and thwart these attempts, Glenn says.
Phishing is the easiest to protect against at the endpoint, France notes. Users are typically protected by either the mail server or phishing prevention software (including anti-virus, anti-malware and anti-spam tools). Spam and phishing filters can be “helpful at identifying unknown IP addresses as well as patterns in the text of the email, essentially helping to filter out a good portion of malicious emails,” Glenn says.
“These anti-phishing tools are able to identify anomalies such as unknown addresses, recognize context and tone, and uncover hidden malware in any attachments,” she adds. “However, tools like these are only likely to work on company-managed devices and email platforms and are not going to be effective on voicemail or SMS-based phishing.”
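The kind of filtering described above (flagging unknown sending IPs and suspicious text patterns) as an added, simplified example; this is not code from the article or from any product mentioned in it. The allowlist of known sender IPs, the lure patterns, the reply-to domain check and the two sample emails are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of sending IPs the organization already trusts.
KNOWN_SENDER_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed text patterns typical of phishing lures, each with a label.
TEXT_PATTERNS = [
    (r"\b(urgent|immediately|within 24 hours)\b", "urgency"),
    (r"\b(verify|confirm|update) your (account|password|credentials)\b", "credential request"),
    (r"\b(wire transfer|invoice attached|payment overdue)\b", "financial lure"),
]


@dataclass
class Email:
    sender_ip: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


def phishing_indicators(mail: Email) -> list[str]:
    """Return the list of indicators found in a single email (empty if none)."""
    hits = []
    # Unknown originating IP: the sender has never been seen before.
    if mail.sender_ip not in KNOWN_SENDER_IPS:
        hits.append("unknown sender IP")
    # Reply-To pointing at a different domain than From is a common anomaly.
    from_domain = mail.from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = mail.reply_to.rsplit("@", 1)[-1].lower()
    if reply_domain != from_domain:
        hits.append("reply-to domain mismatch")
    # Pattern checks over subject and body text.
    text = f"{mail.subject}\n{mail.body}".lower()
    for pattern, label in TEXT_PATTERNS:
        if re.search(pattern, text):
            hits.append(label)
    return hits


def is_suspicious(mail: Email, threshold: int = 2) -> bool:
    """Flag the email when at least `threshold` indicators are present."""
    return len(phishing_indicators(mail)) >= threshold


# Constructed sample messages: one lure, one ordinary internal email.
LURE = Email("192.0.2.55", "ceo@example-corp.com", "ceo@example-corp-mail.com",
             "Urgent: wire transfer needed",
             "Please confirm your account details and process the wire transfer within 24 hours.")
LEGIT = Email("203.0.113.10", "hr@example-corp.com", "hr@example-corp.com",
              "Team lunch Friday", "Lunch is at noon in the main conference room.")
```

Running `phishing_indicators(LURE)` yields five indicators while the internal email yields none, which is why a threshold rather than any single signal is used to decide.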
Indeed, France notes that vishing and smishing are “a little more complex, as companies don't typically control the communication medium, so good education is critical to raising awareness. The user must know what to look for or detect, and how to report the threat.”
Educating users about phishing is a multipronged effort, Glenn says. First, companies need to provide regular cybersecurity training that teaches users how to recognize phishing and vishing attempts by demonstrating anomalies or showing examples of suspicious-looking texts.
“Second, while familiarizing users with indicators to look for is important, it’s almost more important to help them practice good security behavior,” Glenn says, so they can put all that training to good use. “This helps them build ‘muscle memory’ to respond appropriately to these emails.”
Users should be advised to slow down a bit “to check for these indicators and think critically about the email, message or phone call they are getting to see if it makes sense,” says Glenn.
The final part of education is building good cyber hygiene habits, Glenn says. This includes “helping users to think about how and where they are providing their contact information and how it may be used.”