Modern cybersecurity terms that schools should know

Phishing, Smishing, Vishing, Quishing, Whaling and Spear-Phishing.

Nope, not a spell from Harry Potter but just a few more modern ways cybercriminals are targeting us.

For those of you who aren’t already familiar with or aware of the terms, here is a breakdown of what it all means:

Phishing

(We’re confident you know this one.) It’s when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link in an email that will download malware or direct you to a dodgy website.

Smishing 

Smishing is when scams are sent via text (SMS) messages to mobile phones. Like phishing, you’ll receive a message that looks like it came from a trusted source. Display names can be spoofed to make the texts appear authentic.

Vishing

Vishing follows the same thread but this time via voicemail or a phone call. You know, “following your recent accident…” or “you owe HMRC some money…”

Quishing 

Since the pandemic, QR codes have made a comeback (touch-free access to information). Because of this, cybercriminals are placing QR codes where people will scan them, sending you exactly where they want you to go.

Whaling

Whaling is Phishing aimed at large organisations and the senior executives within them, in the hope of persuading them to transfer large sums of money.

Spear-Phishing

A very targeted form of Phishing that is personalised to you, in which the attacker is disguised as a known and trusted individual.

They all serve the same purpose.

Victims are deceived into giving sensitive information to a disguised attacker and because technology provides a wide range of channels, it also provides a wider range of victims, allowing cybercriminals to choose whom they want to target and how.

These attacks often claim to be from your bank, asking you for personal or financial information such as your account or card number. And as more and more people use their personal smartphones for work (BYOD), ph/sm/qu/vishing is no longer just a consumer threat.

Here's how it works...

Urgency
Creating a state of panic and urgency is a great distraction: nobody wants to be a let-down, so you act quickly.

Authority/Trust
By posing as legitimate individuals and organisations, cybercriminals lower your scepticism. Because texts and voice messages are more personal communication channels, and QR codes are scanned by choice, they naturally lower your defences.

Curiosity
Using a situation that could be relevant to you personally e.g. finances, online orders etc. allows an attacker to build an effective disguise. The message feels personal, which helps to override any suspicion.

Emotion
By heightening your emotions, attackers can override critical thinking and drive you into rapid action.

Typically, attackers want you to open a link within the message, where you are then led to a tool prompting you to disclose your private information. This tool often comes in the form of a website or app that also poses under a false identity.

When people use their phones, they are even less wary; you’re often on the go, distracted or in a hurry. Many assume that their smartphones are more secure than computers but smartphone security has limitations and cannot always directly protect against cyberattacks.

How to prevent Phishing/Smishing/Vishing/Quishing

Do not respond. 
Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety but you can refuse to engage.

Call your bank or supplier directly if in doubt.
Legitimate organisations don’t request account updates or login info via text or voicemail. Furthermore, any urgent notices can be verified directly on your online accounts or via an official phone helpline.

Avoid using any links or contact info in the message. 
Avoid using links or contact info in messages that make you uncomfortable. Go directly to official contact channels where possible.

Check the phone number. 
Odd-looking phone numbers, such as 4- or 5-digit ones, are one of the many tactics scammers use to mask their true phone number.

Don’t keep credit card numbers on your phone. 
The best way to keep financial information from being stolen from a digital wallet is to never put it there.

Use multi-factor authentication (MFA). 
An exposed password may still be useless to an attacker if the account being breached requires a second “key” for verification.

Finally – Report all cybercrime attempts to designated authorities.

If you think you may have already been attacked…

Where prevention has failed, damage limitation is the next step to reduce the success of a cyber-attack:

  1. Report the suspected attack – https://report.ncsc.gov.uk/
  2. Freeze your accounts to prevent any ongoing attempts
  3. Change all passwords and PINs where possible
  4. Monitor your finances, credit, and various online accounts for strange login locations and other activities.

It’s important to be honest when these occurrences take place as they can impact both your personal and professional reputation.

Taking these steps (and most importantly reporting the attempt) not only helps you recover but prevents others from falling victim too.

And remember…

Cybercrime isn’t just a technical issue. We all have a responsibility to keep our colleagues, students and data safe and secure.

 

Further Support: