Saraswat Bank - Safe Banking

A Satark Banking Initiative

Vishing and SMShing

Vishing is a combination of “voice” and “phishing”. Vishing is similar to phishing, another social engineering attack; the major difference is the mode of attack. While phishing uses emails to trick a target into providing personal details, vishing uses voice or telephone services. A typical vishing call involves an imposter, posing as an official from the bank or another organization, asking for your personal details. These attackers may offer creative reasons to extract information from a target.

SMShing is a combination of “SMS” and “phishing” and covers any kind of phishing that involves a text message. The information an attacker is looking for can be anything from an online password to your PAN card details, Aadhaar details, or any other sensitive/personal details which could lead to financial compromise.

Modus operandi of Vishing
1. The imposter calls an individual, posing as a banker/agent, and seeks confirmation of the card PIN / OTP, sharing a few details such as name or date of birth to gain confidence.
2. The imposter pressurizes the individual into sharing the card PIN / OTP urgently / immediately, citing an emergency, details required to block a transaction, payment required to stop a penalty, etc.
3. If any individual falls for such bait, his/her credentials are then used to defraud.

Modus operandi of SMShing
1. In order to install the malware (SOVA), the imposter sends a text message (SMS) or Messenger message posing as a banker or agent. The malware (SOVA) can hide itself behind well-known applications such as Chrome, Amazon, and an NFT platform.
2. Malware like SOVA could harvest usernames and passwords, steal cookies, and encrypt data for ransom.
3. In some cases, the imposter calls and seeks confirmation of the card PIN / OTP, sharing a few details such as name or date of birth to gain confidence.
4. The imposter pressurizes the individual into sharing the card PIN / OTP urgently / immediately, citing an emergency, details required to block a transaction, payment required to stop a penalty, etc.
5. If any individual falls for such bait, his/her credentials are then used to defraud.

Best Practices and Recommendations:
1. Be cautious while clicking on SMS/Chat links, especially ones received from unknown senders.
2. If you have not tried to generate or reset your PIN but still receive an SMS mentioning the code, report the same to the bank immediately.
3. Be aware of suspicious numbers that don’t look like real mobile numbers.
4. Install and maintain updated mobile device anti-virus and antispyware software.
5. Install Smart Phone updates and patches as and when available from device vendors.
6. Do not download and install applications from untrusted sources, for example websites offering pirated movies or games.
7. Always install applications from the app store and review the app details, number of downloads, user reviews, and comments section.
8. Be vigilant when granting permissions while installing a new application. For example, a Calendar application does not require permission to access the camera or mic to function properly.
9. Only click on URLs that clearly indicate the website domain.
10. Exercise caution towards shortened URLs.
11. Avoid storing personal/sensitive information, such as ATM PIN, username, password, etc., on a mobile device.
12. Look out for valid encryption certificates by checking for the green lock in the browser's address bar.
13. Customers should report any unusual activity in their account immediately to the respective bank.
To report any vishing/smishing attack or attempt, kindly call our toll-free numbers along with details such as the calling/messaging number, any pertinent details of the conversation or recorded message, and the call-back number (if indicated during the call).
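
The link and message checks recommended above can be automated, for instance in an SMS filter. The following is an added example, not code from the bank: the shortener list, keyword sets, flag names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: a small, non-exhaustive shortener list and keyword sets.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "ow.ly"}
CREDENTIAL_RE = re.compile(r"\b(otp|pin|cvv|password|aadhaar|pan)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|blocked|suspended|penalty)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def link_flags(url):
    """Flag links whose destination is hidden or not clearly indicated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = set()
    if parts.scheme.lower() != "https":
        flags.add("plain-http")
    if "@" in parts.netloc:  # text before '@' is not the destination host
        flags.add("userinfo-in-url")
    if host in SHORTENERS:
        flags.add("shortened-url")
    if IPV4_RE.fullmatch(host):
        flags.add("ip-address-host")
    if host.startswith("xn--") or ".xn--" in host:  # punycode look-alike domain
        flags.add("punycode-host")
    return flags

def triage_sms(text):
    """Return sorted warning flags for one message; an empty list means none raised."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    flags = set()
    for url in urls:
        flags |= link_flags(url)
    # A credential word alone is normal in a genuine OTP message; it becomes a
    # warning only when combined with a link or with urgency pressure.
    if CREDENTIAL_RE.search(text):
        if urls:
            flags.add("credential-request-with-link")
        if URGENCY_RE.search(text):
            flags.add("credential-request-with-pressure")
    return sorted(flags)

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Dear customer, your card will be blocked today. Update PIN immediately at http://bit.ly/3xAmPle",
    "Your OTP is 482913. Do not share it with anyone.",
    "Verify your account: https://bank.example@203.0.113.7/login",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms)
```

An empty result only means none of these specific checks fired; it does not establish that a message is genuine.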

Do watch our Satark video titled Na, No, Never!
Always remember Jo Satark, Wohi Surakshit!