You’ve heard of phishing, but what about smishing, vishing, and whaling?

A business owner dealing with an SMS smishing attempt

Did you know that in just the last three months of 2023, over 1 million phishing attacks were reported?

This staggering number shows just how serious the threat of cyber attacks is for both individuals and businesses. While phishing is a well-known term, you may be less familiar with its sneaky cousins: smishing, vishing, and whaling.

These attacks all rely on tricking people and taking advantage of our trust in digital communication. As a business leader, it’s essential to understand how each of these threats works. By learning about these attack methods and putting the right defenses in place, you can greatly reduce the risk of your organization falling victim to these clever scams.

In this article, we’ll take a closer look at phishing, smishing, vishing, and whaling. We’ll share real-life examples and give you practical advice on how to protect your business from these dangerous threats. We’ll also talk about why it’s so important to create a culture of cybersecurity awareness in your company and how working with a reliable cybersecurity partner can help keep your defenses strong as threats continue to evolve.

Phishing

Phishing is a well-known type of cyber attack that involves tricking individuals into revealing sensitive information or clicking on malicious links. According to the FBI’s Internet Crime Report, phishing was the most common type of cybercrime in 2023, with six times more cases recorded than any other type of cybercrime. The Anti-Phishing Working Group (APWG) reported that in just the fourth quarter of 2023 there were over 1 million phishing attacks recorded.

Phishing attacks can have severe consequences for businesses, with the average cost of a data breach caused by a phishing attack being $4.65 million. Small businesses are particularly vulnerable, with 60% of small companies going out of business within six months of a cyber attack.

What is smishing?

Smishing is a type of phishing attack that uses SMS (text) messages to trick victims into revealing sensitive information or clicking on malicious links. Attackers often pose as legitimate organizations, such as banks or government agencies, to lend credibility to their messages.

How smishing differs from phishing

While phishing primarily relies on email, smishing uses text messages to deliver malicious content. People tend to be more trusting of text messages, making them more susceptible to smishing attacks.

Examples of smishing attacks

Common examples of smishing include messages claiming suspicious activity on a bank account, package delivery notifications, and fake prize notifications. These messages often create a sense of urgency to prompt the recipient to take immediate action.

Tips for preventing smishing

To prevent smishing attacks, be cautious of unsolicited text messages, especially those containing links or requesting personal information. Not sure if it’s real? Verify the legitimacy of the message by contacting the organization directly using a trusted phone number or website.

What is vishing?

Vishing, or voice phishing, is a type of phishing attack that uses phone calls to manipulate victims into revealing sensitive information or performing actions that compromise security. Attackers may pose as representatives from legitimate organizations, such as tech support or government agencies.

How vishing differs from phishing

Vishing relies on voice communication, either through phone calls or voice messages, to deceive victims. The personal nature of voice communication can make vishing more convincing than traditional phishing attacks.

Examples of vishing attacks

If you want an example of how clever, sophisticated, and dangerous vishing attacks can be, this article by The Cut magazine’s financial advice columnist goes into great detail on the scam that cost her $50,000. An excerpt from the article:

Krista transferred the call to a man who identified himself as Calvin Mitchell. He said he was an investigator with the FTC, gave me his badge number, and had me write down his direct phone line in case I needed to contact him again. He also told me our call was being recorded. He asked me to verify the spelling of my name. Then he read me the last four digits of my Social Security number, my home address, and my date of birth to confirm that they were correct. The fact that he had my Social Security number threw me. I was getting nervous.

“I’m glad we’re speaking,” said Calvin. “Your personal information is linked to a case that we’ve been working on for a while now, and it’s quite serious.”

Tips for preventing vishing

To prevent falling victim to vishing, be cautious of unsolicited phone calls, especially those requesting sensitive information or urgent action. Verify the caller’s identity by hanging up and calling the organization directly using a trusted phone number.

What is whaling?

Whaling is a highly targeted form of phishing that focuses on high-profile individuals, such as C-level executives, politicians, or celebrities. These attacks are typically more sophisticated and personalized than traditional phishing attempts.

How whaling differs from phishing

Whaling targets specific, high-value individuals rather than casting a wide net. Attackers often invest significant time and effort in crafting convincing messages tailored to the target’s role, interests, and contacts.

Examples of whaling attacks

You might think this doesn’t apply to you, but the most common form of whaling specifically targets small businesses. In fact, it’s common enough that there’s a good chance some version of this scam has happened to your business. Here’s how it works:

  1. Attackers access public lists of your staff on sites like LinkedIn, ZoomInfo, Clearbit, and others to get a list of targeted emails.
  2. They use these same directories, as well as public records of phone numbers, to build a profile of an executive, usually the CEO or CFO.
  3. They blast emails, text messages, and sometimes even voicemails to staff, impersonating their executive, with an urgent request to take some financial action. Typically this is a request to buy gift cards and send the card info to a third party, but other scams have involved cryptocurrency or even high-value merchandise. The message always reassures the targeted staff that “they will be reimbursed”, to overcome objections.
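As an added example that is not part of the original article, here is a small Python filter that flags the tell-tale signs of the executive-impersonation scam described above: an executive’s display name on a sender address outside the company domain, a Reply-To pointing somewhere else, urgency wording, a gift card or crypto request, and the “you will be reimbursed” reassurance. The executive list, the company domain and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company directory: executives whose names the scam impersonates
EXECUTIVES = {"jane doe"}
COMPANY_DOMAIN = "example.com"  # assumed legitimate mail domain

URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right now)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|crypto(currency)?|bitcoin|wire transfer)\b", re.I)
REASSURE = re.compile(r"\breimburs\w*\b", re.I)

def score_message(raw):
    """Return the whaling indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = []
    # Steps 2-3 of the scam: the executive's name on an address outside the company
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append("exec-name-external-domain")
    # Replies silently routed to a mailbox other than the visible sender
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        hits.append("reply-to-mismatch")
    if URGENCY.search(text):
        hits.append("urgency")
    if PAYMENT.search(text):
        hits.append("gift-card-or-crypto")
    if REASSURE.search(text):
        hits.append("reimbursement-promise")
    return hits

# Constructed sample: CEO impersonation sent from a lookalike domain
SCAM = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@freemail.example>
Subject: Urgent - need a favor
To: staff@example.com

I'm in a meeting and can't talk. Buy 5 gift cards ASAP and send me the
codes. You will be reimbursed today.
"""

# Constructed sample: routine message from the real executive
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Board deck review
To: staff@example.com

Please send me your slides for Thursday's board deck by Friday. Thanks!
"""
```

Any message with two or more hits is worth routing to a human reviewer; the real executive’s routine request produces none.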

Tips for preventing whaling

To prevent whaling attacks, high-profile individuals should be particularly cautious of unsolicited emails, even if they appear to come from trusted sources. Implementing multi-factor authentication and verifying requests through secure channels can help thwart whaling attempts.

Protecting Your Business

Protecting your business from phishing and its variations requires a multi-layered approach to security. This includes implementing technical solutions like email filters, firewalls, and endpoint protection, as well as fostering a culture of cybersecurity awareness among employees.

Partnering with a reliable cybersecurity provider can help businesses stay ahead of evolving threats and ensure compliance with relevant regulations. A comprehensive incident response plan is also essential for minimizing the impact of a successful attack and maintaining business continuity.

The Importance of Cybersecurity Awareness

All of these “-ing” attacks target end users – your staff. Technical tools can help, but your best defense against these types of attacks is a trained and cyber-aware workforce. If you are looking to build these skills in your team, our comprehensive guide on how to select a cybersecurity awareness training program is a must-read.

Wrapping Up

Phishing, smishing, vishing, and whaling are serious threats to businesses of all sizes. Attackers are constantly coming up with new and clever ways to trick people into sharing sensitive information or putting security at risk. By understanding how each of these attack methods works and putting multiple layers of defense in place, organizations can make it much harder for these threats to succeed.

However, it’s important to remember that technology alone isn’t enough. Training and educating employees about cybersecurity is key to preventing successful attacks. When staff members know what to look for and how to report suspicious messages or requests, they become a powerful first line of defense against these “-ing” attacks, as well as against new attacks in the future.

Working with a trusted cybersecurity partner can also be a huge help in staying ahead of new threats and making sure your business follows all the relevant regulations. Having a solid plan in place for dealing with an attack, created with the help of experienced professionals, can limit the damage and help keep your business running smoothly even in the face of challenges.

The best-protected companies pair knowledgeable and cyber-aware staff with best-in-class technical solutions like Managed Endpoint Detection and Response (MDR) and trusted third-party cybersecurity partners to ensure they’re protected from current and future threats. If you’re concerned about the risk of “-ing” attacks like the ones we’ve described, sign up for a FREE 30-day trial of CYDEF from Arch Access. It protects against zero-day attacks, ransomware, and more, and it comes with an expert cybersecurity team to proactively address any issues that arise. Sign up today or get in touch with us to learn more.