Beyond Phishing: Smishing, Vishing and Other Emerging Cybersecurity Threats
Jan 21, '20 by Joerg Schneider-Simon
Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, making cybercrime more profitable than the global trade in all major illegal drugs combined.
Cybercriminals are turning to a multitude of new tactics to penetrate systems. Here are three of them—and steps that your business must take to protect against them.
Smishing
Smishing is phishing with a pair of thumbs. Phishing, of course, is the criminal practice of sending emails that purport to come from trusted companies or colleagues in order to trick the recipients into revealing personal information, such as passwords and credit card numbers.
How Smishing Works
Smishing takes this technique and flips it from email to SMS messaging. Attackers send text messages that appear to come from trusted senders, such as banks and online retailers. These text messages contain links that trick recipients into visiting websites that download a Trojan horse, virus or other malware onto the victim’s mobile device.
A recent example of a smishing attack is the Argos text scam. Argos is one of the largest high street retailers in the United Kingdom, with 883 retail stores and nearly one billion online visitors annually. The Argos text scam targets customers who own an Argos Card, the retailer’s branded credit card. Scammers send customers a text message, telling them that they're owed a £180 refund. The message invites recipients to click on a link to visit a website where they leave their bank details. The scammers then use these bank details to empty the victim’s account.
Smishing could also be used, for example, to target SAP Fiori users by way of legitimate-looking SAP-related links sent via SMS.
How to Protect Against Smishing Attacks
Encourage your staff to take the following precautions to protect themselves—and your company—against smishing attacks:
- Don’t click on any links in text messages
- Don’t reply to a suspicious text message or call the sender’s number
- If you doubt that a text message is from the company it claims to be from, phone the company directly using the phone number that the company provides on its website (not the phone number the text came from or a phone number found in the text message)
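The precautions above boil down to one rule: the link or number inside the message cannot be used to verify the message itself. The following is an added example, not code from the original article, showing how a help desk or security team could triage forwarded text messages automatically. It extracts any URLs, reduces each to its registrable domain, and flags a message when a brand is mentioned but the link does not go to that brand's real domain, when a public URL shortener hides the destination, or when a refund/urgency lure accompanies a link. The brand allow-list, the shortener list and the sample messages are constructed for illustration; the registrable-domain logic is a deliberate simplification and not a full public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of real domains per brand (hypothetical, illustrative only).
TRUSTED_BRAND_DOMAINS = {
    "argos": {"argos.co.uk"},
    "examplebank": {"examplebank.com"},
}

# Public shorteners hide the true destination; in SMS that alone is a warning sign.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
LURE_RE = re.compile(r"refund|owed|suspended|verify|urgent|immediately")


def extract_urls(text):
    """Return the URLs found in an SMS body, normalised to include a scheme."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:!?)")
        if not u.lower().startswith("http"):
            u = "http://" + u
        urls.append(u)
    return urls


def registrable_domain(host):
    """Crude eTLD+1 (assumption: handles 'x.co.uk'-style and 'x.com' only, no full PSL)."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_sms(text):
    """Return a list of finding tags for one SMS body."""
    findings = []
    lower = text.lower()
    urls = extract_urls(text)
    if urls:
        findings.append("contains_link")
    for u in urls:
        host = urlparse(u).hostname or ""
        rd = registrable_domain(host)
        if rd in URL_SHORTENERS:
            findings.append(f"shortened_link:{rd}")
        for brand, domains in TRUSTED_BRAND_DOMAINS.items():
            # Brand named in the text or embedded in the host, but link goes elsewhere.
            if (brand in lower or brand in host) and rd not in domains:
                findings.append(f"lookalike_domain:{brand}:{host}")
    if LURE_RE.search(lower):
        findings.append("urgency_lure")
    return findings


def verdict(text):
    """Collapse findings into a triage verdict: suspicious / low_risk / clean."""
    f = assess_sms(text)
    if any(x.startswith(("lookalike_domain", "shortened_link")) for x in f):
        return "suspicious"
    if "contains_link" in f and "urgency_lure" in f:
        return "suspicious"
    return "low_risk" if f else "clean"


# Constructed sample messages (not real scam texts).
SCAM_SMS = "Argos: you are owed a £180 refund. Claim now at http://argos-refund-claim.co.uk/x"
LEGIT_SMS = "Argos: your order is ready for collection. Track it at https://www.argos.co.uk/orders"

if __name__ == "__main__":
    for msg in (SCAM_SMS, LEGIT_SMS):
        print(verdict(msg), assess_sms(msg))
```

The lookalike check is the important one: a human reading "argos-refund-claim.co.uk" on a phone screen sees the brand name and little else, which is exactly why the advice is to never act on the link and instead contact the company through the number published on its own website.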
Vishing
Vishing is the telephone equivalent of phishing. The word combines “voice” with “phishing.” Vishing often targets users of Voice over IP (VoIP) or services like Skype. Scammers, pretending to represent trusted companies, place phone calls and leave voicemail messages aimed to trick individuals into revealing personal information, such as bank details, credit card numbers, social insurance numbers, and usernames and passwords.
How Vishing Works
Scammers begin by spoofing their caller ID, so they appear to be calling from a local area code or a trusted organization. They call with an urgent, automated message that urges you to call back.
If you respond and call the number the scammers supply, an automated message prompts you to hand over personal information, such as your credit card details. If you don’t respond to the initial call, the scammers leave another voicemail that follows the same pattern, urging you to call back immediately. The aim is the same: to get victims to divulge sensitive information, such as SAP login credentials, that the scammers can exploit to their advantage.
How to Prevent Vishing Attacks
Train your staff to protect themselves against workplace vishing attacks by encouraging them to take the following precautions:
- Don’t trust caller ID—it can easily be faked
- Never call phone numbers that you receive from automated phone messages or voicemails. Instead, look up the organization that claims to be phoning you, and call the number that the organization supplies on its website
- Never give information to callers unless you are positive they are legitimate. If in doubt, call them back on a number that you know is legitimate
- Always suspect automated phone messages and voicemail messages that claim you have broken the law and are facing immediate consequences. Federal tax authorities, immigration officers and police departments don’t do this
Attacks Against Internet of Things Devices
Networks designed for internet-connected devices are now used widely across industries. And hackers are increasingly finding vulnerabilities in these IoT networks in general and in IoT devices in particular.
IoT hacks are the new normal, with eight in ten organizations reporting a cyberattack on their IoT devices within a recent 12-month period.
How IoT Attacks Work
Hackers typically target an IoT device, such as an internet-connected security camera, storage device or printer. Many IoT devices have known vulnerabilities (such as weak default passwords) that allow hackers to remotely control the devices from the internet. From there, the hackers access other devices on the network, including desktops, laptops, servers and databases.
These types of attacks can be devastatingly effective against SAP infrastructure, as we’ve previously examined. For example, a supply chain logistics management system could collect and analyze data from connected vehicles, cargo containers, traffic control systems, road sensors, and rail systems. This data would be stored in the SAP ERP system, helping companies manage production efficiency. If any of those connected vehicles or devices are targeted, the entire SAP system could be at risk.
How to Protect Against IoT Attacks
- Inventory all your IoT devices (a step most organizations don’t take)
- Disconnect any IoT devices that don’t actually need to be connected to your network
- Design a secure network architecture that includes all IoT devices, present and future
- Monitor your vendors and suppliers, some of whom may be exposing your data through their own insecure IoT devices
Keeping SAP Systems Safe
When it comes to the aforementioned kinds of cybersecurity attacks, the news tends to focus on the danger to consumers and their personal information. While that is obviously a major concern, there is also a massive danger to sensitive corporate or organizational information and the systems that hold this data, SAP being one of them.
By combining a variety of targeted attacks against SAP applications — many of them designed to take advantage of SAP vulnerabilities — cybercriminals, state-sponsored hackers, hacktivists and other malicious actors aim to penetrate SAP systems and steal business data, such as bank account numbers, intellectual property and employee data.
The first step is to know what these types of attacks are and what steps you and your team can take to prevent them. Steps like frequent updates and patching, security audits, and the deployment of trusted anti-virus software can go a long way toward keeping your SAP system safe, no matter what new attacks emerge on the horizon.