Phishing, SMiShing & Vishing
Phishing occurs when an identity criminal impersonates a legitimate organization or company via e-mail, fax and/or websites in an attempt to deceive recipients into providing confidential information. This is called "baiting." These messages are extremely well written and very difficult to differentiate from those of the companies they are falsely representing.
How do they each work?
A phishing strategy begins with an identity criminal sending a number of e-mails falsely representing an organization; this number could be in the thousands or millions, depending on the sophistication of the criminal. More often than not, the tone of the e-mail is urgent, making recipients believe there is something "wrong" with their account. They are encouraged to take action immediately, which typically includes opening an attachment or clicking on a hotlink to go to the so-called "company's" website to update, review or verify information related to their account.
Even though the link appears to be legitimate, recipients are directed to a fake website designed to almost mirror the legitimate site. When the victim logs in or inputs confidential information, it goes straight to the criminals.
Financial gain is the phisher’s motivation. They mimic financial service companies, Internet service providers (ISPs) and online retailers. Even the IRS is targeted (typically during tax season) in the hopes of gaining Social Security numbers. Other organizations phishers have pretended to be include the Department of Justice and the Better Business Bureau.
The biggest phish are credit card numbers, online banking credentials and Social Security numbers. Types of information such as these will allow phishers to assume identities and/or fraudulently apply for credit, which gets them what they are ultimately after…money.
Vishing (phishing over the phone) and SMiShing (phishing via text messages) are recent phishing tactics that consumers and businesses need to know about. Same scams, different technology.
- Vishing relies on a victim to take action as the result of receiving a phone message or e-mail
- SMiShing looks for victims to visit a website or dial a particular telephone number, both of which are fake
What are the signs?
Although designed to be almost impossible to differentiate from authentic e-mails, telephone messages or text messages, these types of attacks have certain signs that can tip you off:
- SMiShing attacks may indicate the message came from a random number – 3000 – instead of showing an actual phone number
- You are vehemently encouraged to comply and often threatened with negative consequences if you do not respond
- You see differences with other e-mails, phone messages or texts from the same business
- The message claims you ordered something that you didn’t
- You are asked to click on a link (phishing & SMiShing) or call a phone number (vishing & SMiShing) to update/verify account information, cancel an order or re-activate an account
- Messages lack personalization that would indicate the sender knows something about your account (e.g., name, the last four digits of your account number, etc.)
- Messages have spelling errors and/or bad grammar not consistent with a professional business
Actions to take if you receive a suspect e-mail, phone message or text
- Number One – Don’t respond!
- If you aren’t sure of the validity of the message, call the company to verify they really did send it or ask why they need your information. Use a phone number you know is correct (e.g., from a recent statement); do NOT call the one in the e-mail, phone message or text message
- Once you report it, delete the message from your inbox
How can I protect myself AND my business?
- Knowledge is power. Know what to look for and what steps you need to take. It is extremely important to understand that NO financial institution, including Lease Corporation of America, will ever send you an e-mail asking you to verify or supply personal information, such as:
  - User ID
  - Social Security Number
  - Card or Account Number
  - Credit Card Security Code (CCV)
- Do not open e-mails from unknown addresses
- Do not…ever…send personal information via e-mail unless it is a source you can trust and there is some sort of encryption enabled
- Use caution when downloading software and opening e-mail attachments. If you think that your computer is infected, have it analyzed by a professional technician – signs of infection could include receiving a large number of "pop-ups" or noticing that you are being redirected to other websites