
Phishing, Smishing, and Other Social Engineering Hacks


Social engineering is a form of manipulation and deception used by cybercriminals to obtain sensitive information from their target for malicious purposes. There are several types of social engineering, including phishing, spear phishing, smishing, vishing, watering hole attacks, and others. Through the use of common communication channels, such as email, text messages, phone calls, and websites, cybercriminals will set their bait. Nearly 50% of small and mid-size businesses fell victim to cyber attacks in 2023, and virtually the same percentage still feel ill-prepared to identify, respond to, and recover from a cyber attack. 

At GainSide, we believe the first step toward protecting yourself, your business, and your clients is to gain a better understanding of the threats around you. In this article, we will dig into some common social engineering tactics and quick tips you can implement right away to increase your cyber defenses. 

Phishing, smishing, and vishing – Oh my!

Phishing consistently ranks as a top cybersecurity threat worldwide. The goal of a phishing scam is to collect sensitive information, such as user credentials or financial information, that can later be used to disrupt business operations, steal data, or otherwise negatively impact the business and/or individual.

Although phishing is most often associated with email, cybercriminals have plenty of other tricks up their sleeves. A few techniques you should be familiar with include:

  • Smishing: social engineering attack using SMS / text messaging (e.g., text message that appears to be from your bank, IRS, or even the CEO or other leader within your organization) 
  • Vishing: social engineering attack using phone calls or voice-based attacks (e.g., phone call asking you to verify personal information)
  • Phishing: social engineering attack using email (e.g., email that appears to be from someone within your organization, financial institution, or even someone claiming to be a distant relative in another country asking you for some money to help them out of a tight spot)
  • Spear phishing: social engineering attack using email, coupled with targeted research and convincing personalization (e.g., an email that appears to be from someone you regularly communicate with – that the cybercriminal discovered through their research – asking for help)

In each of these scenarios, the outreach is intended to look like it came from a trusted source and is crafted with a sense of urgency to entice immediate action. That action may be to reply with the requested information, or to click on a link or open an attachment for next steps.

According to the Anti-Phishing Working Group (APWG), there were nearly one million phishing attacks in Q1 2024, and 37.4% of those attacks were via direct message on social media platforms. APWG also found that vishing attacks are increasing every quarter, making them a growing cybersecurity risk point for businesses. Further, studies show that 91% of data breaches start with a spear phishing attack.

It’s clear that phishing and its social engineering cousins are a force to be reckoned with on the cybersecurity scene. The bad news is, the threats are relentless and seem to be increasing as the world becomes more digitized. The good news is, we understand what to look for and how to protect against these threats. 

Developing your social engineering eagle eyes

Adopting a zero trust approach to cybersecurity is a great step toward being more aware of your risk landscape and implementing strategies to increase protections. Beyond that, it’s important to educate yourself and your team on the latest social engineering tactics and what to watch out for in daily communications. 

  • Sender email address: Verify that the sender’s email address is legitimate. Bad actors will use spoofed accounts that are similar to the legitimate email address, but may have a character or letter off. They may also come from a different domain (e.g., Jeff@XYZ.com vs Jeff@XYY.com or Jeff@XYZ.co).
  • Sender name: Use caution when engaging with a message from an individual you may have some familiarity with, but don’t interact with regularly. For example, receiving an email that indicates it’s from a leader within your organization, but outside of your department. This is a tactic used to deceive the recipient through a sense of familiarity or perceived trust.
  • Unusual sense of urgency: If the message comes through with a high level of urgency, especially something unexpected, that may be a sign of a phishing attempt. A great example of this is when an entry-level employee receives an urgent message from the CEO to respond with specific information right away.
  • Spelling and grammar issues: If the message is written with numerous spelling errors, odd phrasing, or grammatical errors, the recipient should take a moment to pause before acting.
  • Links and attachments: Be sure to watch out for links or attachments from unknown senders. Inspect link URLs before clicking on them, or type the known URL into your browser directly instead of clicking on the embedded link. Often, bad actors will include infected links or attachments with the hope of tricking the recipient into opening them and unknowingly installing a virus.
  • Fake notifications: Smishing messages may appear to be from a legitimate source, such as a package delivery service, with an urgent message about their inability to deliver your package. The message may ask you to click on a link or call a number back to verify your information. Never respond to these messages. If you are expecting a package, reach out to that provider directly.
  • Requests for sensitive information via SMS: Your bank will never ask you for personal information, such as a password or bank account number, via text message. If you receive a request to share sensitive information, always view it with suspicion and do not divulge that information.
  • Call from an unknown number: In business, you will regularly receive legitimate calls from unknown numbers, but it’s important not to share sensitive information with such a caller, as they may be calling with poor intentions.
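
The sender email address check from the list above can be automated. The following is an added example, not code from GainSide: it compares a sender's domain against an allow-list and flags near misses such as XYY.com or XYZ.co. The allow-list contents, the function names, and the distance threshold of 2 are assumptions to adjust for your own domains.

```python
from email.utils import parseaddr

# Assumption: the domains your organization really sends mail from.
TRUSTED_DOMAINS = {"xyz.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(from_value):
    """Return the lowercased domain of a From value, or None if there is none."""
    _, address = parseaddr(from_value)
    local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    return domain if at and local and "." in domain else None

def classify_sender(from_value, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed'."""
    domain = sender_domain(from_value)
    if domain is None:
        return "malformed"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # A character or letter off (XYY.com), or a dropped one (XYZ.co).
        if edit_distance(domain, t) <= max_distance:
            return "lookalike"
        # Trusted name reused as the first label of some other domain.
        if domain.split(".")[0] == t.split(".")[0]:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample senders: the three from the list above plus two extras.
    for sender in ["Jeff@XYZ.com", "Jeff@XYY.com", "Jeff@XYZ.co",
                   "Jeff <jeff@mail.xyz.com>", "jeff@example.org"]:
        print(f"{sender:28} {classify_sender(sender)}")
```

This inspects only the address text shown in the message; a "trusted" result does not prove the message was actually sent from that domain.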

Increasing cybersecurity protection with GainSide 

Awareness and healthy skepticism are essential to protect your business from cybercrime, but they are rarely enough. In fact, according to Axios, “Roughly a quarter of small-business owners (27%) said that they’re one disaster away from shutting down.” At GainSide, we provide advanced cybersecurity and IT support solutions adopted by Fortune 500 companies. Our multi-layered approach ensures comprehensive protection against evolving cyber threats, including phishing, smishing, and other social engineering tactics that you are likely facing on a regular basis (whether you realize it or not). 

GainSide’s cybersecurity expertise, exceptional service, and cost-effective solutions ensure your business thrives in a digital world that’s ever growing, always evolving, and increasingly dangerous. 

Ready to increase your cybersecurity defenses? Reach out to one of our experts for a consultation.
