Socially Engineered Security Risks Series
Phishing, Smishing, Vishing and Waling
Your pharmacy computer systems contain valuable information that on the dark web can be sold or traded for money, bitcoin or other valuable online commodities such as zero-day exploits. Threat actors (hackers, online criminals etc.) will use any means necessary to access your business.
To gain access to your pharmacy systems, they need credentials (username and password) coupled with a remote access method or some form of malware that provides remote access without credentials.
Phishing, Smishing, Vishing and Waling are all variations of social engineering scams that threat actors use to gain access to computer systems. All phishing scams involve threat actors sending a communication (usually email but may also be a phone call or SMS) disguised as being from a trusted sender to gain access to computer systems, steal confidential information, or make it unavailable.
Here are the key types of Phishing scams you should understand and know how to recognise if a threat actor targets you or your business:
Phishing (pronounced: fishing) is a parent name for many different types of social engineering attacks where a threat actor sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the threat actor or to deploy malicious software on the victim’s infrastructure like ransomware.
Phishing attacks have become increasingly sophisticated and often are very difficult to detect if you are unaware of some of the ways threat actors can trick you into providing the information they want.
The most common form of a Phishing attack is through email. Corum receives thousands of phishing emails annually, targeting all users, sometimes randomly, sometimes in a more targeted way.
Spear phishing is an email scam targeted towards a specific individual or directed to key leaders in the organisation or business. The emails often use clever tactics to get victims’ attention, such as being about a topic that the recipient is known to be interested in. This information is usually researched through social media and by reviewing the company website or media announcements. Usually, nation-state threat actors will use this type of attack when targeting a specific industry or business of interest. In most cases, an email arrives, apparently from a trustworthy source, but instead, it leads the unknowing recipient to a fake website full of malware.
Smishing is a phishing attack carried out over mobile text messaging, also known as SMS phishing. It tries to get the unsuspecting user to click on a link to direct them to a malware-infected site or fraudulent site to gather login credentials.
Vishing uses verbal scams to trick people into doing things they believe are in their best interests. Vishing often picks up where phishing leaves off.
An example of this attack is when the victim clicks on a link for an online advertisement related to their interests. Malware embedded in the link triggers a computer problem that only the helpful “technician” on the other end of the phone could fix. It will then cost the victim some money to remediate the problem. Of course, it was all a scam, and the technician’s “company” was the actual source of the problem.
There is an excellent example of this type of attack in this short Youtube video:
A whaling attack is a method used by threat actors to masquerade as a senior leader at an organisation and directly target senior or other influential individuals, aiming to steal money or sensitive information or gain access to their computer systems for criminal purposes. Threat actors often gain access to a junior employee’s email account and target a more senior person – a Business Email Compromise or BEC.
These attacks can be made more believable when threat actors use significant social media research to create a custom approach tailored for those target individuals.
The attack often starts with an email that seems to be from a senior manager and could include a reference to something that an attacker may have gleaned online, for example, when they’ve seen the person on some social media images of the office Christmas party. The email will request an urgent payment or a change to a bank account or other critical financial system.
Protecting Yourself From These Types Of Attacks
The best protection from these attacks is often awareness and ensuring you have robust controls in place for when your attention to potential risk fails.
1. Protect your computer by using the best in class security
2. Set your computer to update automatically so it can deal with any new security threats.
3. Protect your mobile phone by setting the applications and OS software to update automatically.
4. Protect your accounts by using multi-factor authentication
5. Protect your data by backing it up.
If you are worried about the security of your pharmacy systems and want to know you can improve your pharmacy security, speak to your Corum Customer Success Manager or contact us on 1300 669 865.