Credit Union Security – Ain’t that some ish?
How much do you really know about phishing, smishing, and vishing?
According to a recent article issued by the FBI, we have reached the point where, given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system connected to the Internet. While that may be true, with the right tools, processes, monitoring, and, most importantly, awareness and training, I believe we can minimize the risk and make ourselves a very hard target.
It never ceases to amaze me how credit unions will spend vast amounts of money on technology solutions in order to create a better security posture, but often forget that the old, tried-and-true social engineering threats against employees and members are what attackers exploit most easily.
Old Threats Made New Again
Phishing, smishing, and vishing are not new threats; they have been around for many years. What has changed is the way cyber attackers are adapting these old threats to conduct their attacks.
1. Phishing. Phishing is a form of attack where a hacker attempts to lure unsuspecting consumers or employees into clicking a malicious link in order to infect the system with a trojan or other malware. Many times the malware is a keylogger, which is capable of stealing anything the user types, including corporate credentials, account information, or other sensitive passwords.
According to security firm RSA's September 2014 report, phishing attacks against credit unions have more than doubled, and they are highly clever in their ability to fool not only the user clicking the link but also the corporate systems and controls designed to stop them.
Many phishing attacks are slowly moving away from email, as corporate email systems have gotten much better at blocking spam, and onto social platforms such as Facebook, Twitter, and LinkedIn. Users of social networks place an uncanny amount of trust in posted links to articles and videos and will click without much hesitation. Credit unions without a robust Social Risk Management solution, one that monitors and alerts when executive or employee accounts are targeted, are at high risk of fraud via social phishing.
2. Smishing. Smishing, or SMS phishing, sends a text message to a mobile phone in an attempt to get its user to divulge personal information. Smishing is becoming more attractive and having higher success rates for attackers because consumers and employees are not as conditioned to receiving spam on their mobile phones and are more likely to believe the communication is legitimate.
Smishing, like phishing, continues to be a growing problem for credit unions.
The two most common types of smishing attacks are:
- A person receives a text message that directs them to call a phone number to confirm personal or account information.
- A person receives a text message that directs them to visit a website to confirm information, but visiting the site actually infects the device with a trojan or other malware designed to steal information such as passwords.
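The two smishing patterns above (a request to confirm account data paired with either a callback number or a link) are simple enough to screen for automatically, which is useful when a credit union's fraud or help-desk team receives forwarded texts from members. The following is an added example, not code from the original article: a small Python triage heuristic that extracts those indicators from constructed sample messages and labels each one. The indicator names, regular expressions, and sample messages are all assumptions made for the illustration, and the rule rests on the later tip that a credit union never asks members to confirm account data by text.

```python
import re

# Constructed sample text messages (not from the article): one of each
# smishing type the article describes, plus a routine notice for contrast.
SAMPLE_MESSAGES = [
    "ALERT: your debit card is locked. Call 555-0147 now to confirm your account details.",
    "Your account needs verification. Confirm your information at http://cu-login.example/verify",
    "Reminder: all branches are closed Monday for the holiday.",
]

# Indicator patterns (assumed for this example). A "confirm/verify" request
# about account data, combined with a callback number or a link, is the
# signal; financial institutions do not ask members to do this by text.
ACTION_RE = re.compile(r"\b(confirm|verify|verification|validate|update|reactivate)\b", re.I)
DATA_RE = re.compile(r"\b(account|card|password|pin|ssn|personal|information|details|credentials)\b", re.I)
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")  # 7-digit form; also matches the tail of 10-digit numbers
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
URGENCY_RE = re.compile(r"\b(now|immediately|urgent|locked|suspended|within \d+ hours?)\b", re.I)


def extract_indicators(text):
    """Return the set of indicator names present in one message."""
    found = set()
    if ACTION_RE.search(text) and DATA_RE.search(text):
        found.add("asks-to-confirm-account-data")
    if PHONE_RE.search(text):
        found.add("callback-number")
    if URL_RE.search(text):
        found.add("link")
    if URGENCY_RE.search(text):
        found.add("urgency")
    return found


def classify_sms(text):
    """Label a message as one of the two smishing types, or benign."""
    indicators = extract_indicators(text)
    if "asks-to-confirm-account-data" in indicators and "callback-number" in indicators:
        return "smishing-callback"
    if "asks-to-confirm-account-data" in indicators and "link" in indicators:
        return "smishing-link"
    return "benign"


def triage(messages):
    """Classify a batch of messages; returns (label, sorted indicators) per message."""
    return [(classify_sms(m), sorted(extract_indicators(m))) for m in messages]


if __name__ == "__main__":
    for label, indicators in triage(SAMPLE_MESSAGES):
        print(f"{label:18s} {indicators}")
```

The heuristic deliberately keys on the combination of a "confirm your data" request and a channel to act on it, rather than on the presence of a phone number or link alone, so routine branch notices are not flagged. The urgency indicator is reported but not required, since a patient lure can omit it.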
3. Vishing. Vishing, or phone phishing, is the practice of using the telephone system to illegally obtain personal and financial information. Vishing exploits an individual's trust in telephone services, as the victim is often unaware that fraudsters can use methods like caller ID spoofing and other automated systems to commit this type of scam.
What can we do about it?
The most important step for credit unions in mitigating phishing, smishing, and vishing risks is building more awareness. Awareness and education need to be consistently presented and available for members, employees, executive teams, and credit union board directors. There are many reasons that attackers continue to evolve their tactics, and one of the key factors is increased awareness among their intended victims.
Remember to remind members and employees of the following tips:
- Never open an attachment or click a link in an email or social network feed from someone you do not know. It most likely contains a trojan or other form of malware designed to steal your information.
- Never provide personal or financial information via email or over the phone. Credit unions and banks will never ask you to confirm this information through email, text message, or over the phone.
- Always know who you are dealing with online, especially when it comes to your personal information. Just because an email looks valid or a pre-recorded phone message says it is the bank doesn’t mean it is legitimate.
- Guard your privacy and limit the amount of personal information you share online. Professional attackers will find and use all available information, including social network profiles which often contain highly personal life details, against their victims.
- Check your bank and credit card statements regularly for suspicious transactions.
While the tactics and methods that fraudsters use continue to evolve and adapt, many of the core methods still revolve around basic phishing, smishing, and vishing. In addition to implementing professional credit union cyber security tools, credit unions need to keep building awareness and disseminating frequent educational security tips to keep evolving attack methods top-of-mind.