Phishing, vishing, smishing and beyond
If you’re not taking cybersecurity seriously, you could well be the target of criminal activity. Bill Bennett walks you through the threats and your best.
‘Phishing’ has been around since the dawn of the Internet, yet it remains New Zealand’s most reported cybercrime. It gets past cyber defences by tricking people into handing over passwords or other key information. Once criminals have that information, they use it to steal money, install ransomware or access private data.
CERT NZ, the government’s Computer Emergency Response Team, says that in addition to passwords, criminals may be after your credit card or online banking details, or personal information and documents they can use to impersonate you, such as your driver’s licence or passport. PayPal accounts are another favourite.
It is not new. As I said, phishing is as old as the Internet. Yet people still fall victim.
Kordia, a New Zealand-based technology company that helps corporations and government organisations with cybersecurity, says that phishing made up more than one third (37 percent) of attacks on businesses in the past year. It says almost one in four businesses that were attacked saw commercially sensitive data or intellectual property accessed or stolen.
You may come across one of the variations on the phishing theme. Common-or-garden phishing uses emails and links to websites, and the website is where the main damage is done. You may get an official-looking email message linking you to an equally plausible official-looking site where you are asked to enter bank account details, passwords or other information. Some emails include a form that you are asked to fill in and send back.
‘Smishing’ is much the same thing, but instead of email it uses SMS text messaging or one of the other popular messaging systems like WhatsApp, WeChat or Facebook Messenger.
Like phishing, the message can look like an official communication. It may include a link to a website where the criminals hope you’ll hand over data. The scammer might pretend to be from your bank or another organisation and tell you something has happened that requires you to log in and change your password. Whatever you type into the fake login page goes straight to the criminals, who then use it to access your real account.
‘Vishing’ uses voice calls and voicemail to get at your sensitive data. It can be more elaborate: at some point you might, for example, be asked to enter a password or PIN using your phone’s keypad.
Phishing, smishing and vishing campaigns target large numbers of people at the same time. Often the campaigns are indiscriminate, using mailing lists or other easily obtainable sources of names and contact details. The criminals know that only a tiny proportion of recipients will fall for it, so the more people they contact, the more the campaign pays.
‘Spear-phishing’ campaigns are carefully targeted. The criminals identify their targets, then get information to craft a more personalised message. In large organisations they might look like internal messages coming from another department or even from a named person within the organisation. Again, they’ll be looking for confidential company information which can be used as the basis for a more serious cybercrime.
‘Whaling’ is even more specific. It’s when the criminals target a specific manager or executive in a large company or a business owner – the big fish. Here the thinking is that senior people have more access to the most valuable information and are worth making a bigger effort.
Another targeted variant, with business owners in the gunsight, is business email compromise or BEC. Here the criminals gain access to an email inbox, often using a password captured in an earlier phishing attack. They then watch the incoming mail for a legitimate invoice, usually a large one, and alter it so that the payment is made to their bank account instead of the legitimate one.
Your best defences
Enforcing strong passwords, requiring multifactor authentication and educating everyone in the business about the risks are the best defences against phishing and data theft.
If you use Apple devices, the built-in password manager will warn you when a password is weak or has been reused on more than one site, and it will generate strong passwords for you.
If you don’t use Apple kit, or if you want more, it may pay to use a third-party password manager. There are many to choose from, but avoid LastPass, which has suffered a series of breaches over the years. Some are free and many come with other security features. Bitwarden is an excellent choice for non-technical users. It’s easy to understand and there is a free version. The paid versions are not expensive either: a personal account costs US$10 a year.
Multifactor authentication (MFA) or two-factor authentication (2FA) is a way of checking that the person presenting a password really is its owner, by requiring at least one further proof of identity, such as a code from your phone. Two-factor means exactly one extra check on top of the password; multifactor is the general term for two or more factors, so 2FA is the simplest form of MFA.
Using more factors adds layers of security but requires more effort.
Popular services like Gmail, Apple iCloud and Microsoft’s cloud offerings support MFA. There are different approaches, and the simplest uses SMS text messages: when you attempt to sign in to an MFA-protected site, a short code is sent to your phone and you have to enter it as well as your password. It’s straightforward and painless.
SMS-based 2FA isn’t foolproof, though. Determined attackers can get hold of the codes, for example by persuading your mobile carrier to move your number to a SIM they control, or by running a fake login page that relays the code to the real site in real time. Even so, it will stop the vast majority of criminal attacks and is far better than a password alone.
A better approach uses an authenticator app on your phone. Google Authenticator and Authy are the best-known. The app shows a six-digit code that you type in along with your password. Each code is valid for 30 seconds and the next one appears automatically when it expires, so if you miss one you simply use the next. The codes are generated on the phone from a secret shared with the service when you set the app up, so there is no text message to intercept, although a fake login page that relays the code quickly enough can still defeat it.
Some devices have fingerprint readers or built-in facial recognition that can serve as an authentication factor. This is the most convenient option, and it can be worth upgrading hardware to get a biometric reader.
Start with education
Remember, none of the above approaches will help if you work with people who aren’t aware of cybersecurity. If you work with others, consider some basic education on the subject.
They need to know why cybersecurity matters and what measures you’ve put in place to keep the business safe.
You should make certain they understand their responsibilities and what you expect of them. Consider sending them on an external cybersecurity training course. The government-supported Digital Boost programme is an excellent place to start.
BILL BENNETT is an Auckland-based business IT writer and commentator. Email [email protected]