What are phishing, vishing and smishing scams?

Social engineering is a technique used by criminals and cyber-crooks to trick users into revealing confidential information. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

Cyber criminals want your information, so they can commit identify theft or fraud – which can be avoidable if you take the right precautions. The best defense is to be aware and know what to do if you suspect you are a target.

There are three main types of social engineering attacks: phishing (email), vishing (phone), and smishing (text). Here’s some great advice on how to spot them, what to do if you receive one, and who to call if you think you’ve fallen victim to an attack.

What is phishing?

Phishing emails are the primary attack method in the cyber criminal’s playbook. These attacks try to trick you into taking an action, such as clicking a link, opening an attachment or responding with sensitive information. We’re all a target, both at work and at home, because our information – and our devices – are worth good money to cyber criminals.

How to spot phishing emails

These are the most common identifiers associated with phishing attempts. Use these red flags to review all external email:

• Lack of personalization. Did the email use a generic salutation such as ‘Dear Customer’ or nothing at all? Service providers usually know who you are and typically personalize emails with your name and the last few digits of your account number.
• Bad spelling and grammar. Legitimate businesses go out of their way to proofread their email. If an email has lots of spelling mistakes or improperly worded sentences, it’s likely a phish.
• Strange website links. If you hover your mouse over a website link, you will see the actual destination of the website you’re about to visit (on some mobile devices you can accomplish the same thing by holding your finger on the link for a second or two). If that location differs from the way the link is written in the email, it’s a good indication of an attack.
• Suspicious attachments.If you don’t know the sender, or receive something from a friend that looks suspicious, don’t open the attachment. If it is from someone you know, you can always pick up the phone and give them a quick call to make sure they actually sent the email.
• Requests for sensitive information. Be suspicious of requests for sensitive information, such as user IDs and passwords, financial account numbers, health information or social security numbers.
• Unfamiliar sender. The sender is someone you do not know, and the email address is one you’ve never seen before or looks different than it should.
• Authoritative-sounding sender. A person representing a company or entity sends an email asking for information they should already have.
• Blank or “undisclosed” recipients. Sometimes phishing emails are sent to a lot of people. Other times you see something like “undisclosed recipient list” in the “To:” field. Both are potential red flags.
• Urgent call to action. Messages of an urgent nature, or requesting an immediate call to action, are a common method used to rush people into making mistakes and is another good indicator of phishing.

What to do if you’re a victim of phishing

If you fall victim to a phishing attack, a swift response is pivotal. Change your password for all online accounts including your email, banking, retail, and any others. After your account access is resecured, contact your credit card company to find out if one or more of your cards should be replaced. You should also notify one of the three major credit bureaus to place a fraud alert or freeze on your account. It also can’t hurt to update your antivirus software and keep a watchful eye on all your accounts to monitor any suspicious activity over the following days.¹

What is vishing?

Vishing is a telephone-based form of social engineering where someone calls you directly and pretends to be from a legitimate company or service. Once on the line, they ask questions, try to get you to do something, or direct you to a website to obtain personal information, such as social security or financial account numbers.

How to identify a vishing scam

• Check the company. Is the phone call from a legitimate company? If you can, look up the phone number or company name to see if it is legitimate. Always be extra cautious if it’s a company you’re not familiar with.
• Call them back using a number you have on file. If the caller says they are from a company you know or do business with, hang up and call them from a number you know. For example, if a caller says they are from your bank, call them back with the number on the back of your card.
• Watch out for requests for sensitive information. Be suspicious of requests for sensitive information, such as user IDs and passwords, financial account numbers or social security numbers.
• Be careful with websites. Be suspicious of requests to visit a website, particularly to fill out a form or download software.
• Protect your computer. If you are asked to access anything on your computer, beware! Do not download software, give the caller access to your computer, or modify systems files in any way.
• Hang up. When in doubt, hang up the phone and do not accept future calls from the number.

What to do if you think you are a victim of a vishing scam

If you accidentally provided your financial information to a scammer over the phone, it is crucial that you take immediate steps to protect yourself. Call your bank and alert them to the possibility of fraudulent charges – there is a chance some have already been made that need to be canceled. You’ll also probably need to cancel your cards and get new ones, and you may even need to change your account numbers. You should also put a fraud alert or freeze on your credit with one of the three major credit bureaus. In the fallout from the attack, think about red flags you can learn from and recognize in future scam attempts.²

What is smishing?

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number.

This ruse tends to be effective because while most of us have learned to recognize phishing emails, we are still conditioned to trust text messages. Also, there’s no easy way for us to preview links in a text message like we can if we are viewing an email on a PC.

What to do if you suspect a smishing text message

• Validate any suspicious texts. If you get a text allegedly from a company or government agency, check your bill for contact information or search the company or agency's official website. Call or email them separately to confirm whether you received a legitimate text. A simple web search can thwart a scammer.
• Don’t engage. Never click links, reply to text messages or call numbers you don't recognize. Do not respond, even if the message requests that you "text STOP" to end messages.
• Delete it. If you don’t know who it’s from and it looks suspicious, simply delete the text.
• Update your device. Make sure your smart device OS and security apps are updated to the latest version.
• Add extra security. Consider installing anti-malware software on your device for added security.

What to do if you think you are a victim of a smishing scam

If you believe you have fallen victim to a smishing scam, change your account passwords and PINs and contact your bank to put them on watch for or cancel any fraudulent charges. You may also want to put a fraud alert or freeze on your credit with one of the three major credit bureaus.³ You should also report the attack to a law enforcement agency such as the FTC.⁴

How can you learn more?

Phishing, vishing, and smishing are all examples of the constantly evolving nature of criminal activity as the world moves more and more of itself into digital space. To stay on top of these threats, it’s about these threats and the resources available to you in facing them, check out the Nationwide Business Solutions Center.

[1] https://us.norton.com/internetsecurity-online-scams-what-to-do-when-you-fall-for-an-email-scam.html, Accessed September 2021.
[2] https://us.norton.com/internetsecurity-online-scams-vishing.html, Accessed September 2021.
[3] https://www.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it, Accessed September 2021.
[4] https://www.fcc.gov/avoid-temptation-smishing-scams, Accessed September 2021.