What are Phishing, Smishing, and Vishing Scams?
Whether you run a brick-and-mortar store or an eCommerce website, there are many malicious tactics that you should be aware of so you can protect your business and your customers.
But as scams are growing more difficult to detect, how can you spot the signs of a cyberattack?
In this Bionic guide, we break down three common methods used to gain personal information from businesses: phishing, smishing, and vishing scams. Find out what they are and how to prevent your company from falling victim to them.
What’s the difference between phishing, smishing, and vishing?
Before we dive into the details, it’s essential to understand the key difference between these three types of fraud attacks. All three scams are designed to steal confidential information from businesses, but the method of communication that scammers use to contact their victims is what sets them apart:
- Phishing – Email
- Smishing – Text message
- Vishing – Phone, voicemail, or Voice over Internet Protocol (VoIP)
By using the above channels of communication, scammers impersonate reputable sources – like banks and insurance providers, HM Revenue & Customs, and Royal Mail – to exploit a business’s trust and get them to share private details.
What is phishing?
Phishing is a scam that uses email to persuade victims to hand over personal information or credentials. Phishing emails are designed to appear as though they've been sent from a trusted company. As scammers become increasingly skilled at impersonating well-known sources, it can be tough to identify phishing emails, or even to be suspicious of them, because they can look uncannily like the real thing.
Within a phishing email, scammers often include a fraudulent link that directs the victim to a fake website that appears to be legitimate. It will then pressure them to enter their private information, which scammers will be able to gather and use. This information includes financial details, usernames, and passwords.
It can be difficult to spot fake links, as fraudsters are getting better at creating URLs that appear genuine. The part of a web address that matters is the registered domain, which is the part immediately before the first single slash: a link to examplebank.co.uk.secure-login.net belongs to secure-login.net, not to the bank, and a legitimate-looking brand name at the start of the address proves nothing. Hovering over a link on a computer (or long-pressing it on a phone) shows the real destination, which may differ from the text that is displayed. The safest approach is not to use the link at all: close the email and reach the company through a bookmark you already have, or by typing the address printed on official correspondence such as a card or statement. Be careful with search engines, as sponsored results can themselves be fraudulent.
Here are some examples of phishing scams:
- A request to reset your password for a website
- An email with an attachment, like a receipt or invoice, that installs malware onto your device when opened
- An urgent alert that your account details must be confirmed through a fake website
What is spear phishing?
Some phishing attacks have evolved to become extremely targeted and these are known as spear phishing scams.
Spear phishing scams are much more personal to individual victims than a standard phishing attack. The scammer first researches the target, using information gathered from the company website, social media, and earlier data breaches, and then writes a message containing details that make it look genuine: the names of colleagues or suppliers, a current project, an expected invoice, or the style of an existing email thread.
A common spear phishing scam, often called CEO fraud or business email compromise, is an email supposedly from the CEO of a business, sent to a member of the finance team, requesting an urgent transfer to a bank account that actually belongs to the scammer.
How to spot a phishing attack
Phishing attacks are among the most common fraudulent scams, so spotting the signs and knowing when your business is at risk is essential. Here are some signs to look out for to help you identify an attack:
- An unfamiliar email address – The first thing to check in a suspicious email is the actual sending address, not the display name. Email clients often show only the name, and a scammer can set any display name they like, including a colleague's name or even a colleague's email address, while sending from an unrelated mailbox. Compare the address after the @ sign with your standard business domain character by character: lookalike domains swap letters for similar-looking ones (a digit 1 for a lowercase l, rn for m) or add a word to the real name. Also check the Reply-To header, which scammers use to steer replies away from the address they are impersonating. Bear in mind that if a colleague's or supplier's mailbox has genuinely been compromised, the address will be correct, so an unusual request should be verified by phone even when the sender looks right.
- Unusual language – One of the hardest things for scammers to replicate is tone of voice, particularly if they're posing as someone you know. An unusual greeting, phrasing, or sentence structure is a strong clue that an email could be malicious.
- Grammar mistakes – Phishing emails often include misspelt words and grammatical errors. It's easy to overlook one mistake, but an email full of mistakes is probably a scam. The reverse is not true: well-funded and targeted attacks are usually written flawlessly, so the absence of mistakes is not evidence that an email is genuine.
- An urgent action – An email that pressures you to take immediate action, or warns of consequences if you don't, is another crucial warning sign of a phishing attempt. Urgency is used precisely to stop you pausing to verify the request.
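The link and sender checks described above can be automated for a first pass over a suspicious message. The script below is an added example and is not part of the Bionic guide or any product it describes; the company domain (example-shop.co.uk), the trusted bank domain (examplebank.co.uk), the urgency phrases, and both sample emails are constructed for illustration. It parses a raw email, reduces every hostname to its registered domain (so that login.examplebank.co.uk counts as examplebank.co.uk but examplebank.co.uk.secure-verify.net does not), and reports the red flags it finds.

```python
"""Heuristic phishing-indicator check for one email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumptions: the organisation's own mail domain, the domains its
# genuine suppliers send links from, and phrases that signal manufactured urgency.
OWN_DOMAIN = "example-shop.co.uk"
TRUSTED_DOMAINS = {"example-shop.co.uk", "examplebank.co.uk"}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")

# Two-label public suffixes, so "login.examplebank.co.uk" reduces to "examplebank.co.uk".
# Production code should use the full Public Suffix List instead of this short set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.nz"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def link_findings(href: str, shown_text: str) -> list:
    """Reasons one link looks like a phishing link (empty list = none found)."""
    findings = []
    host = urlparse(href).hostname or ""
    if not host:
        return [f"link without a hostname: {href!r}"]
    reg = registrable_domain(host)
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(f"punycode (lookalike) hostname {host}")
    if reg not in TRUSTED_DOMAINS:
        # A trusted brand name left of the registered domain is the classic
        # "examplebank.co.uk.secure-verify.net" trick.
        brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
        prefix = host[: -len(reg)] if host.endswith(reg) else ""
        if any(b in prefix for b in brands):
            findings.append(f"trusted brand name in subdomain of untrusted {reg}")
        else:
            findings.append(f"link domain {reg} is not a trusted domain")
    # Link text that itself looks like an address, but for a different domain.
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown_text.strip(), re.I)
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"link text shows {m.group(1)} but target is {host}")
    return findings


def analyse_email(raw: str) -> dict:
    """Return the red flags found in one message given as raw RFC 822 text."""
    msg = message_from_string(raw)
    flags = []
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if from_dom and from_dom != OWN_DOMAIN and from_dom not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {from_dom} is not {OWN_DOMAIN} or a trusted domain")
    if "@" in name and from_dom not in name.lower():
        flags.append(f"display name {name!r} contains an address that does not match the sender")
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_dom:
        flags.append(f"Reply-To goes to a different domain than From: {reply_to}")
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for href, text in HREF_RE.findall(body):
        flags.extend(link_findings(href, re.sub(r"<[^>]+>", "", text)))
    lowered = (msg.get("Subject", "") + " " + body).lower()
    cues = [c for c in URGENCY_CUES if c in lowered]
    if cues:
        flags.append("urgency language: " + ", ".join(cues))
    return {"flags": flags, "verdict": "suspicious" if flags else "no indicators"}


# Constructed sample messages: one phishing attempt, one genuine notification.
SAMPLE = """\
From: "ceo@example-shop.co.uk via Finance" <accounts@examp1e-shop.co.uk>
Reply-To: finance.desk@mail-relay.example.net
To: staff@example-shop.co.uk
Subject: URGENT: invoice payment required today
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Please <a href="http://examplebank.co.uk.secure-verify.net/login">verify your account</a>
immediately at <a href="http://xn--examplbank-9za.co.uk/">examplebank.co.uk</a>.</p>
"""

CLEAN = """\
From: "Example Bank" <alerts@examplebank.co.uk>
To: staff@example-shop.co.uk
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available by logging in at <a href="https://online.examplebank.co.uk/statements">online.examplebank.co.uk</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE), ("clean sample", CLEAN)):
        result = analyse_email(raw)
        print(f"{label}: {result['verdict']}")
        for flag in result["flags"]:
            print("  -", flag)
```

The checks are deliberately simple string comparisons so that each finding maps to one of the signs listed above; a mail gateway would add sender authentication results (SPF, DKIM, DMARC) and a real public suffix list, but the registered-domain comparison is the part a human can repeat by eye.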
What is smishing?
Smishing, or ‘SMS phishing’, is similar to phishing; however, it uses text messages to trick victims into giving up their private or financial information. Smishing texts come in many forms, but they all have one thing in common: they try to get you to tap a fraudulent link, which leads either to a fake website or to a download of malware – malicious software that can cause damage to electronic services, networks, and devices. Find out more in our guide to ransomware attacks.
Once the malware infects a device, it can steal valuable details such as passwords and credit card numbers.
As with various methods of fraud, smishing uses a sense of urgency to lure victims into taking action. For example, a smishing text message could claim that you have made a large payment from your business bank card and that you must click a URL to resolve the issue as soon as possible. In reality, the URL could automatically download malware onto your device or direct you to a fraudulent website and encourage you to submit your private details.
How to spot a smishing attack
Smishing attacks share a few characteristics of phishing scams. If you receive a text that you suspect could have malicious intent, check for the below signs of a smishing scam:
- A sense of urgency – Often, scammers will urge you to take action straight away by clicking on a link or calling a phone number. They may also use all capital letters to grab your attention and display importance.
- Include a link to a website – Like phishing emails, smishing texts may also have a link that tries to take you to a fake website. Sometimes scammers can forge highly realistic-looking links that look legitimate.
- The sender’s phone number – Many large companies, like retailers and service providers, tend to send texts from short-code numbers that are five digits long, or from a named alphanumeric sender ID. Texts from standard 11-digit mobile numbers are more likely to be a smishing scam. Be aware, though, that sender names can be spoofed, and a spoofed text can even appear in the same conversation thread as genuine messages from the company, so a familiar sender name is not proof that a text is real. Treat the link and the request on their own merits.
What is vishing?
Vishing is a form of phishing that uses the phone as the medium for scamming. It's also known as voice phishing or telephone fraud. Scammers make telephone calls, commonly with a pre-recorded message or VoIP technology, and impersonate trusted businesses or sources to extract sensitive data from unsuspecting victims.
Vishing scams can come in many forms, but they tend to play out in a similar way: victims are alerted to an urgent situation and then they are asked to disclose their personal details to resolve the problem.
For example, you may receive an unsolicited call from someone claiming to be from your business banking provider who asks you to verify your account information over the phone. They may even say they're calling because there was suspicious activity on your account and ask for information like passwords or PINs so they can ‘help’ you resolve it. Banks will never call you out of the blue and ask for this information, and they will never ask for your full password or PIN under any circumstances.
How to spot a vishing attack
Popular vishing attacks are when a scammer poses as:
- A government department – Tax requests from someone claiming to be a representative of HM Revenue & Customs are one of the most recurring vishing scams.
- A bank – Many scammers pose as banks, as it gives them a pretext for asking about financial information.
Scammers will take measures to conceal their own identity, and some of these tactics can be spotted. The signs to be vigilant of are:
- A caller ID that cannot be trusted – Caller ID is easily spoofed, and scammers can make a call appear to come from your bank’s genuine number. A matching number is therefore not evidence that a call is real; a withheld number, or a number that does not match the organisation, is a warning sign.
- Robotic or synthesised speech
- Automated messages that play on a loop, or that ask you to press a key or call back a number supplied in the message
To learn more about voice phishing attacks, take a look at our report on the most popular vishing scams in the UK.
How to prevent phishing, smishing, and vishing scams
The best way to prevent smishing, phishing and vishing scams is to be aware of how they work so you can reduce the chances of your business falling victim to them.
Scammers may also be more likely to attack a business that has previously fallen for a phishing scam, so being able to spot them early on can reduce the chances of your business being targeted again.
Here are some tips for how to prevent them:
- Be wary of unexpected messages and calls – If you or one of your employees receive an unexpected email, text message, or phone call from an unknown source, it’s best to tread cautiously. Never reveal any company information and, if possible, don’t engage with them at all. Even if you answer a suspicious phone call, scammers may note that your business has interacted with them and could try to scam you more often.
- Use caution when clicking links – Never click on links contained within suspicious emails or texts, even if hovering over or long-pressing them shows a plausible destination. Instead, go directly to the website yourself by typing its address into your browser address bar, or use a bookmark you saved earlier. By doing this, you can check from within your genuine account whether the message you received is legitimate.
- Never share confidential information with anyone unknown to your business – Even if your business receives a call or message from someone claiming to be from a reputable company, never give them any private details like account numbers or passwords. If it’s a company that you already do business with, hang up the call or do not respond to the message. Instead, get in touch with the company using the number printed on your card, statement, or their official website to verify whether the original communication you received was real. Make that call from a different phone if you can, or wait several minutes before dialling: a known vishing trick is to stay on an open landline so that when the victim ‘calls back’, they are still talking to the scammer.
What to do if your business is targeted by phishing, smishing, or vishing scams
As with any fraudulent activity or cyber attack, there are steps you should take if you’re concerned that your business has fallen victim.
Let your IT and finance departments know
If you or someone within your organisation suspects that they have been targeted by a phishing, smishing, or vishing scam, your IT and finance departments should be made aware straight away.
Scammers are very likely to try to access sensitive financial information, often through malware or stolen credentials, so getting in touch with the relevant departments means they can monitor for any resulting security breach or unexpected payment. Acting quickly can help to mitigate the effects of a possible attack: a payment instruction can sometimes be recalled or stopped if the bank is told within hours, and a stolen password is far less useful if it is changed before it is used.
Carry out security scans
Once you’ve let your IT team know about the attack, they should conduct an in-depth security scan across company devices and software to isolate what may have been infected.
If you’re a small business owner and don’t have a designated IT department, disconnect any potentially infected device from the network and run up-to-date anti-virus software on it instead. Do not use that device to change passwords or log in to banking until it has been checked.
Change your passwords
Good password hygiene – a unique password for every account, ideally stored in a password manager, with multi-factor authentication switched on wherever it is offered – is strongly recommended whether or not your business has been phished or smished. Note that current NCSC guidance is not to force staff to change passwords on a regular schedule; passwords should be changed when there is reason to think they have been exposed.
A suspected scam is exactly that reason. Immediately change the password for any account whose details were entered on a suspicious website or given out over the phone, and for any other account that shares the same password. Where the service offers it, also sign out of all active sessions and review any recovery email addresses, phone numbers, or mail-forwarding rules that a scammer may have added.
This might include email accounts, social media accounts, online banking, and card accounts.
Report a breach to the relevant authority
Once you’ve completed the above steps to contain the attack within your business, report the scam to the National Cyber Security Centre (NCSC). Suspicious emails can be forwarded to the NCSC’s Suspicious Email Reporting Service at report@phishing.gov.uk, and suspicious texts can be forwarded free of charge to 7726. The NCSC can investigate and remove scam websites to prevent them from targeting others, so making them aware of the incident can help to protect your business, and others, in the future.
As well as raising it to the NCSC, contact your business banking provider straight away to inform them of any unusual financial activity or any payment you now believe was made to a scammer, and report any actual loss to Action Fraud, the UK’s national fraud reporting centre.
Make your employees aware
Finally, it’s important to let your employees know what’s going on. Make sure they’re aware of any security changes and ask them to look out for any unusual activity that may result from scammers trying to access company information.
Fostering a company culture that’s clued up on phishing attacks is also one of the best preventative measures your business can take. Increasing awareness and training teams on how to spot these attacks can stop scams in their tracks before they have time to do damage.
For more information on how to keep your company safe, take a look at our complete guide to internet security for businesses.
What are push payment scams?
A push payment is one that the payer initiates and sends themselves, such as a bank transfer made to settle a supplier’s invoice, as opposed to a ‘pull’ payment like a direct debit or card transaction that the payee collects. A push payment scam, also known as authorised push payment (APP) fraud, is when a fraudster poses as a genuine payee and tricks someone into sending them money. Because the victim authorises the transfer themselves, the bank’s usual fraud checks may not stop it. This is usually set up via a phishing email or a phone call.
One common form of push payment scam involves fraudsters posing as representatives from a bank. They tell victims their account has been compromised and urge them to transfer the money to a ‘safe’ holding account. Of course, this account belongs to the fraudsters and the money is often lost for good once it has been transferred. A genuine bank will never ask you to move money to another account to keep it safe.
Figures from UK Finance, the banking trade body, show that push payment fraud losses reached £485.2 million in 2022. Individual consumers are the biggest target for this type of scam, with average losses of £2,784. But business owners should also be vigilant as they are also sometimes targeted, with average losses coming in at £24,335. In one recent case, a business bank account was cleared of £1.6 million in just 20 minutes.
How to protect your business against push payment scams
There are several steps you can take to protect your business against push payment fraud, such as:
- Never give anyone your security details, such as your PIN or full banking password – at most, banks will ask for random characters from them.
- Never assume an email, text or phone call is authentic: sender addresses, text sender names, and caller IDs can all be spoofed, and company logos and wording are easy to copy.
- Never let yourself be rushed, a genuine organisation will never press you for information and will always be patient.
- Always follow your instincts – if something doesn’t feel right, there’s a good chance something is amiss.
- Always stay in control – don’t panic and make a decision you’ll regret, especially if you feel you’re being pressured into it.
Protect your business from scams today
Cyber scams and attacks are just some of the threats companies face today. With more and more businesses operating online, it’s never been more critical to have the right internet security in place to protect your private information — and your customers’.