Phishing and the like

"ishing"

Self-preservation is human nature, but some people pursue it unethically. Some of them try to take advantage of others by pretending to be someone they’re not, using one of many methods that end in “ishing”. It’s important to be able to identify these tactics and know what to do when presented with them. Here are a few examples of different types of “ishing” and how to handle them.

Phishing (pronounced "fishing") - email

Phishing is the technique of pretending to be someone, or offering services someone wants, via email. There are many reasons threat actors use phishing, but the initial goal is to gain information. The information they’re after could be passwords, credit cards, personally identifiable information, or any information they don’t have. They succeed when they get you to open an attachment and/or follow a link. Attachments can be malware, which tries to infect your computer to get information, or a file containing a link where they continue the attack. Links can take you to a page that installs malware, or to a login page where they gather credentials to continue their attack.

What to do when presented with a phishing email? Report it! Whether it be with a corporate solution for a business email account or simply marking it as spam for a personal account, reporting it can help prevent further phishing emails.

Vishing - "V" is for voice

Vishing is the technique of calling someone while pretending to be someone else. This technique uses a phone to initiate an attack, then moves to other technology. An example could be someone calling you saying they’re from IT and noticed a problem with your account. All they need is your username and password so they can log in to fix the problem. Of course, this person is not really from the IT department, and they’re trying to get into your account to perform malicious activity. It’s important to know who is on the other end of the call, and you can ask the caller questions to try to verify their identity. A few example questions are, “I can’t find you in my contacts list, who is your supervisor?”, or “I’m really busy right now, is there a number I can call you back at?” – then verify the number is in the expected phone number range. Another technique would be to call the company back using a known good number. An example of that would be someone calling you from a credit card company and you calling the number on the back of the credit card or the number found on a credit card statement.

What to do when presented with a vishing call? Verify information until it seems right and don’t be afraid to verify information outside of the call.

SMSishing (pronounced "smish-ing") - text message

SMSishing is the technique of using a text message to pretend to be someone else. The overall techniques are very similar to those of phishing and vishing in that the person is asking you to do something for them. An example could include someone pretending to be a supervisor and saying, “I’m really busy and need some help to show appreciation to the people in the meeting I’m currently in so if you could just run to the store and pick up some gift cards and send pictures, including the security code on the back, it would be super helpful”. While it could be a supervisor, this could also be a threat actor trying to steal money from you by having you spend money on gift cards that they will use.

What to do when you receive a smish? Ignore it! Some cell phone providers and cellular service providers offer services to add a sender to a junk list, but that should be used with caution. Often these attacks come from spoofed phone numbers and there’s a chance you could be blocking a phone number that could be used legitimately in the future. By ignoring the text message, you don’t confirm your phone number and don’t run the risk of inadvertent consequences from blocking or interacting with the threat actor.