28 February 2022

Phishing, vishing or smishing?

By James Walker

Scammers are becoming smarter and leaving more and more consumers out of pocket. Rightly's James Walker looks at how to recognise different types of scams and what you can do to help protect yourself by taking control of your data.

You may well have read about Phishing, Vishing and Smishing, but what do these new made-up words actually mean? Here we’re going to explain what they are, the differences between them, and how to look out for them.

All kinds of companies are having their data hacked and so it’s likely that some of your personal information may have fallen into the hands of criminals at some point. They can use it to create a range of different types of scams.

Follow the money

The thing almost all scams have in common is, you guessed it, money. It always comes back to money and the ways in which cyber-criminals would like to part you from yours.

What we’re seeing more of these days is people being subjected to online criminal activity, where they are defrauded of money, or surrender their personal information or bank details. Scammers are experts in ‘social engineering’ and put a lot of effort into presenting themselves as believable and genuine so that they build trust.

Phishing

'Phishing' is when criminals use emails, text messages or phone calls to trick their victims, often by impersonating an organisation. Recent scams in the UK have included phishing attacks that look like they have come from Royal Mail. It can begin with a text message that says you need to pay a small amount to have a parcel delivered. In the text message there will be a link, and if you click on it you will go to a bogus website that looks like it’s Royal Mail, but it’s actually a front created by criminals. The website may ask you to submit personal information and could include bank details. And once they have that information the criminals are away.

Or the website may have some other purpose such as downloading software onto your smartphone or computer that will give the scammers access to the phone and the information stored on it, which might include passwords as well as contact information.

Many organisations have been impersonated by the ‘phishers’. Even government websites aren’t immune and HMRC has been impersonated in increasingly sophisticated ways. These scams often manipulate emotions and play on greed or fear. So some might promise a tax rebate as the hook, or others announce that you are being investigated and likely to be arrested if you don't pay a large sum right away. Scams playing on fears have been particularly successful. Many people may think they can’t be conned in this way, but the scammers play on the vulnerable, taking advantage of most people’s ignorance of HMRC’s methods and procedures, often panicking people into transferring large sums.

Vishing

‘Vishing’ is where criminals will call you on the phone, posing as your bank or another seemingly reputable company, to verbally obtain sensitive data such as passwords. It could be a call from a ‘bank’, or they could be posing as a utility company, for example BT calling to say that your internet has been hacked. Then over a period of several hours they move the conversation, little by little, into downloading an app onto the victim’s phone that immediately gives access to passwords, bank details and so on. They then set about getting the victim to transfer funds, apparently to ‘protect’ them, but of course the funds just disappear.

Vishing attacks often start out sounding quite innocent. For instance, one starts with someone calling offering to reduce your energy bills. They may even be able to tell you your name and address and who you buy your energy from because they were able to get those details on the dark web where they had been sold following a hack somewhere. And often, victims are conned because of the smooth-talking scammer who apparently has their data - the victim might immediately think the caller is genuine just because they already know some information.

Smishing

‘Smishing’ is really a subset of phishing and happens over text or messaging services like WhatsApp or Messenger. It might include instructions to click on a link, or direct you to a fraudulent website which collects personal and payment details. It’s also a common way that romance scams unfold, where victims are lulled into a false sense of security, sometimes over many months - until the scammer begins asking for money.

How to spot scams

Scammers try to quickly gain your trust and can come across as very charming. They aim to manipulate you into acting quickly and without thinking. Often they introduce some urgency into their communication, a kind of ‘act now, or else it will be bad…’ approach.

But there are ways to spot the scammers, and a way to lower the risk of you getting scammed.

Firstly, if a message or call makes you suspicious, stop and think about the language it uses. Often there are errors in spelling or grammar that give them away.

It’s important to remember that no reputable company will ever ask you to pay money via a text or social media message. If you get a message like that, it’s a scam. Similarly, no bank will ever ask you for your password, nor ask you to download an app to your phone or a file to a computer.

If in any doubt, contact the company or organisation directly. But don’t use the number or contact in the message - scammers can ‘spoof’ telephone numbers, in other words make a number look like it’s from the organisation. Go to the genuine company website and use the proper contact details.

Here are some common signs it’s a scam:

  • Official? Is the message claiming to be from someone in some sort of position of authority? For example, your bank, your doctor, a solicitor, or a government department? Criminals often pretend to be important people or organisations to trick you into doing what they want.
  • “It’s urgent!” Does the message or caller say you have a limited time to respond, or that you must act now? Criminals often threaten you with fines or other negative consequences, playing on fears.
  • Emotion. Does the message make you panic, play on fear, give you something hopeful or spike your curiosity? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
  • Scarcity. In social engineering, scammers use all sorts of tricks, including playing on ‘fear of missing out’. If the message is about something in short supply, like sporting tickets, money or a cure for medical conditions, it may well be a scam. Fear of missing out on a good deal or opportunity can make you respond quickly.
  • Current events. The pandemic saw a rise in scams that played off what was going on. The cyber-criminals often exploit current news stories, big events or specific times of year (for example tax reporting cycles) to make their scam seem more relevant to you.

What can you do?

The UK Government on gov.uk offers a checklist on how to spot scam phone calls, messages and mails claiming to be from HMRC. Be suspicious if a message apparently from HMRC:

  • is unexpected
  • offers a refund, tax rebate or grant
  • asks for personal information like bank details
  • is threatening
  • tells you to transfer money

Report it

If you come across a scam, you can report it:

  • Email. If you have received an email which you’re not quite sure about, forward it to report@phishing.gov.uk
  • Text. Report scam texts to your phone operator by forwarding the message to 7726 for free.
  • Phone. If you think a call is suspicious, hang up. If it’s pretending to be your bank, find the number on your bank card or on the bank’s website. In England, Wales or Northern Ireland, visit www.actionfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland by calling 101.
  • Websites. The National Cyber Security Centre (NCSC) has the power to investigate and remove scam websites. It's free to report a suspicious website and it only takes a minute. You can report a scam website here.

Rightly Protect

Rightly is all about helping you keep yourself safe from unscrupulous people who will use your personal data against you if they can. Prevention is better than cure, and our Rightly Protect service is designed to help you work out who has your data so that you can get it deleted before it falls into the wrong hands.

We can automatically help you find out which companies have your data and you can then select as many of those as you like and, with one click, ask them all to delete your data.

Why do that? Because if companies that don't need your data no longer have it, then if they get hacked and data is stolen, yours won't be there any more. Companies are obliged to act on your instruction to delete all the data they have about you, so they have to do it. Reducing your digital footprint in this way reduces the risk of you being scammed.

James Walker is the CEO of Rightly