This e-mail contains some useful vishing and smishing information to help you stay safe. (No, that isn’t a typo: this one is about vishing, NOT phishing!) If you have any questions, please e-mail wsbnit@cornell.edu.
What is Social Engineering? What is Vishing?
Social engineering is the art of gaining access to buildings, systems, or data by exploiting human psychology.
A hacker could spend hours trying to gain access to data by finding a flaw in a computer system or network, but it’s much easier and faster to contact an employee, pose as an authority figure or company representative, and get that employee to hand over their account information or password.
And how do these social engineers even find out where you work? Hackers take advantage of sources like LinkedIn, social media accounts, and company websites to learn all about you, and then call or send a phishing campaign to extract information, like financial and personal data.
Vishing, short for “voice phishing,” is just one of the ways social engineers do this. Typically, vishers will call you from a spoofed number and pose as someone important, like an official from your bank, utility or insurance company. Because the number is spoofed, the name or number on your caller ID proves nothing about who is actually calling. From there, it’s a race to see how much personal information they can get out of you: account details, passwords, and more.
- Watch this expert social engineer gather a journalist’s personal data in minutes:
https://www.youtube.com/watch?v=lc7scxvKQOo (2:29 minutes)
Smishing works the same way as phishing and vishing, only over SMS text messages. Companies love to reach out to customers through automated texts, which means hackers love them, too! You may receive a text purporting to be from your internet provider, with a link to an “announcement” that then asks you for more information. Like the links in phishing e-mails, links in smishing texts can be malicious and are another way to get at your personal data.
How to Avoid Vishing/Smishing Attacks
- Slow down, think before you act.
It’s human nature to trust the individuals that you interact with. It goes against our natural instincts to stop and think “my caller ID says this is my bank, the caller knows details about me and says they’re from my bank… maybe this isn’t my bank?” However, that’s precisely what you should do. Social engineers may have access to a wealth of information, but so do you.
- End the call and verify.
If you’re in doubt about the legitimacy of a call, hang up and verify. Never use the contact info given to you in the call to call them back. Look up the phone number of the organization you thought you were talking to (via a bill or their official website) and call them directly. Please ALWAYS keep in mind that the caller may already know some personal information about you and your account; do NOT treat this as confirmation that they are legitimate.
- If it’s a work-related account, hang up and then go ask for assistance in verifying the legitimacy of the call. Talk with your Executive Director, finance person and/or WSBN IT staff.
- Never give out personal details over the phone to unverified contacts. Vishers are typically looking for:
- Account numbers
- PINs
- Passwords
- Addresses
- Phone numbers
- Personally identifiable information
Think about the security questions you have to answer to reset a password… favorite food, dog’s name, etc. This can all come up in a “friendly chit chat”.
- As with potential phishing e-mails, do not click on links in unverified SMS messages.
- If the e-mail/call/SMS is related to a personal account, report it to the FTC:
https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#recognize
https://www.consumer.ftc.gov/media/video-0054-how-file-complaint
- If the e-mail/call/SMS is related to a work account, report it to your Executive Director and WSBN IT staff (wsbnit@cornell.edu).
The most important thing to remember is that social engineers will use information about you to gain your trust.
You should always be suspicious of unsolicited emails, texts, phone calls, and even physical mail.
Vishing Education Videos
- LinkedIn Learning course “Defeat Social Engineering” (1 hour)
https://www.linkedin.com/learning/security-awareness-social-engineering/defeat-social-engineers?u=76816458
If you complete this course, don’t forget to forward the confirmation of completion to your supervisor!
- What is social engineering?
https://www.youtube.com/watch?time_continue=12&v=5ZqNX6YeH6c&feature=emb_logo (2 minutes)
https://www.youtube.com/watch?v=N2GP5MId0js (3 minutes)
- FCC Consumer Tips to Avoid Scam Robocalls and Spoofing
https://www.youtube.com/watch?v=j8m-NDEWiBQ&feature=youtu.be (1 minute)
https://www.youtube.com/watch?v=-HbD2OsECvI (2 minutes)
- CU Learn course “Certified Ethical Hacker – CEHV10: Social Engineering” (25 minutes)
https://cornell.sabacloud.com/Saba/Web_spf/NA1PRD0089/app/shared;spf-url=common%2Fleclassdetail%2Fregdw000000000293601
If you complete this course, don’t forget to forward the confirmation of completion to your supervisor!
- Vishing call examples: https://www.youtube.com/watch?v=MIgSM-7miVM (3 minutes), https://www.youtube.com/watch?v=IyzP1PIch8Y (3 minutes)
- Phishing, Smishing, and Vishing, Oh My! The Golden Path of Success for Hackers (1 hour)
If you have the time, I highly recommend watching this one-hour presentation by Chris Hadnagy, a keynote speaker at Triangle InfoSeCon 2016. Chris starts his presentation by talking about when he, a social engineering expert, accidentally clicked on a fictitious Amazon link. Chris speaks about how easy it is to fall for a scam and gives statistics on various social engineering attacks; he even plays actual phone calls of people who fell for vishing attacks.
https://www.youtube.com/watch?v=ify0q6rLxsM&t=1158s