It might seem that computer types are just having fun when you hear terms like “phishing, smishing, and vishing” But these are actually three distinct types of social engineering attacks.
Phishing in all its forms is the number one method of cyberattack. It enables all types of different breaches, such as ransomware, data theft, credential theft, and more.
Not only is phishing prevalent in all industries, but the construction industry is also particularly susceptible due to the mobility of its team and the use of smartphones for email. Users can’t always hover over suspicious links when viewing a message on a smartphone like they can when using a mouse on a desktop computer.
75% of surveyed professionals in the construction, engineering, and infrastructure industries stated their company had experienced a cyber-incident within the last 12 months. Most of these attacks originate from phishing in various forms.
Before you can combat phishing, smishing, and vishing, you need to understand what they are.
What is Phishing?
Phishing is the catchall term for messages sent to a person that are socially engineered. Social engineering is a tactic of manipulating a person to get them to do something you want, in the case of cybersecurity, it’s to click a link or download a file attachment, which initiates a cyberattack.
The manipulation tactic most used is a fake message. It could urge a person to update their email password before their account is locked. Or it might be something that looks exactly like a credit card offer from a bank or an order receipt from Amazon.
Phishing has become more sophisticated over the years so it’s difficult for untrained employees to spot. Approximately 31.4% of untrained employees will fail a phishing detection test.
There are more ways to receive messages than just email, which brings us to two hybrids of phishing, which we’ll discuss next.
What is Smishing?
Smishing is a combination of “phishing” and “SMS,” aka phishing by text message. Smishing is on the rise and unfortunately, many users are unprepared.
While many people know by now to be suspicious of strange email messages, they don’t yet expect to get phishing via a text message. And with the increased SMS traffic we get now (shipping notices, prescription refills, banking alerts), phishing attackers have taken the opportunity to elevate their game.
Mobile numbers are no longer as private as they used to be, as illustrated by the increasing number of robocalls people receive to their cell phones. This is another driver that is fueling the rise of smishing.
What is Vishing?
Vishing is the combination of “phishing” and “voice,” also known as phone and voicemail phishing. This is when an actual person or automated voice will call you and attempt to trick you into giving up credit card details or other sensitive information or downloading something onto your computer.
Common vishing scams include the “Tech Support” support scam. Where someone will claim to be from Microsoft or Apple and say something is wrong with your computer. The IRS is also often impersonated in vishing scams to try to scare people into paying for “back taxes” over the phone.
The Importance of Employee Training in Fighting All Three
What phishing, smishing, and vishing all have in common is that they are targeted at human beings. It’s much easier to trick a person into inviting malware into their system than it is to try to get past an automated IT security algorithm to breach a network.
While you should have backend protections in place like email filtering and DNS protection, employee training is vital to keeping your company protected from a cyberattack that originates via phishing or a phishing hybrid via text or voice.
Training employees in cybersecurity can reduce company risk of falling victim to a cyberattack by 45-70%.
What are some of the core things that employees should know to avoid falling for phishing, vishing, or smishing?
Use the SLAM Method on All Unexpected/Suspicious Emails
SLAM is an acronym that helps people remember the areas of a message to check to detect phishing. These are the Sender, Links, Attachments, and Message body.
- Sender: Examine the sender’s email address thoroughly and do a Google search on unknown addresses, as this often brings up scam email domains.
- Links: Hover over links without clicking on them to reveal the true URL.
- Attachments: Never open file attachments that look suspicious and always have attachments scanned first by an anti-malware program
- Message: Look for any small grammar or spelling errors, and know these will often be easy to miss
Be Aware of Phishing in Other Forms
Don’t assume phishing only comes via email. Employees now need to scrutinize text messages just as closely as they do emails. Don’t assume that because someone has your mobile number that the message is legitimate.
Remember, your best defense against a strange and threatening phone call is to hang up. The IRS is not going to call and ask for a credit card number, and Microsoft and Apple never make unsolicited phone calls to users about “problems” with their systems.
Get Help Putting Comprehensive Employee Training In Place
Attain Technology can help your business with a comprehensive and engaging employee security awareness training program that will decrease your risk of a breach.
Schedule a construction technology audit today!