Beware SMISHing & VISHing!

It seems that “smart” phones are too “smart” for routine use, because cyber criminals are using them to outsmart many consumers and quietly steal money from unwitting victims. This article describes two such attack methods in the hope that you will recognize them and keep them from being used against you.

What is a SMISHing attack?

“Smishing is a form of phishing that uses mobile phones as the attack platform. The criminal executes the attack with an intent to gather personal information, including social insurance and/or credit card numbers. Smishing is implemented through text messages or SMS” (Source: TrendMicro)

Smishing example

You receive a text message, or several text messages, telling you to click a link to provide the verification code to complete your login to a personal online account. However, you haven't attempted to log in to the named account (examples: DMV, banks, hospital, insurance, Uber, content streaming service, etc.). This strongly indicates that someone, a criminal or criminal enterprise, is trying to log in to your account instead.

How can this happen?

Somehow, your user credentials for the account (username, password) have been compromised due to a data breach of the organization’s network.

What is a VISHing (Voice Activation) Scam?

Have you recently received phone calls where the caller claims he or she represents “The Voice Activation [Department or Group at Google or another organization]”? This is a sophisticated AI-voice scam where criminals use artificial intelligence to replicate human voices, often impersonating trusted individuals or organizations, to deceive victims into revealing sensitive information or sending money.

Vishing

Phone scams, also known as voice phishing or “VISHing”, are schemes where fraudsters impersonate trusted entities to deceive victims. With advancements in technology, scammers now use deepfake voice phishing and AI voice cloning to sound legitimate.

How It Works

AI-voice scams work by using artificial intelligence to replicate voices. With deep learning algorithms, it’s easy to impersonate someone’s voice, making fraudulent calls appear genuine. Scammers exploit this technology to trick individuals into disclosing sensitive information or sending money.

While traditional phishing typically involves fraudulent emails or text messages, AI-voice scams employ voice technology to mimic real people. Unlike other scams, AI-voice scams can sound extremely convincing, making it harder to discern the fraudulent nature of the call.

What Happens When You Respond to an AI Voice Scam?

The risks of falling victim to AI-voice scams are significant. You could suffer financial loss or identity theft, or have sensitive personal information compromised, such as passwords, bank account details, and social security numbers. Additionally, your reputation and trust in legitimate institutions may be damaged.

(TrendMicro article on VISHing)

What To Do?

SMISHing:

  • Unless you have attempted to log in to the named account, Do Not Click the Link in a Text Message.
  • If the unexpected text message involves your financial institution, check your statement for unusual/unexpected activity.
  • Be prepared to change your password for that account (consider using a good passphrase).
  • Do NOT use antivirus or security freeware!
    Whatever security/antivirus software you use, pay the subscription fee for the complete toolset and keep it up-to-date.
  • Keep your device operating system up-to-date.

VISHing:

  • If Caller ID indicates “SCAM Likely” – Believe It!
  • Hang up immediately without providing any information.
  • Report the incident to relevant authorities or your service provider.
  • Warn friends and family about the scam to prevent others from falling victim.
  • Consider blocking the caller’s number to avoid future contact.

What about websites that use Multi-Factor, or Two-Factor, Authentication?

Navy Federal Credit Union

NFCU uses Two-Factor Authentication. However, the member must choose whether to have the verification code sent either via Text or Email message, and that message is only sent when the member clicks the Send button.

US NCVA

Our website uses Multi-Factor Authentication. However, the verification code to complete your login can only be sent via email to the email account you specified when you set up your website Profile.

Our website will never send SMS, or text, messages to anyone about anything.

Also, no personal financial information is stored in the database for our website. When you log in and click the link to pay your dues online, you are sent to PayPal; whether you have and use a personal PayPal account or pay using your bank or credit card, those data are stored and managed by PayPal using extremely strong encryption and an extremely expensive SSL certificate.