ICT 0417 – 8 Safety and Security: Phishing, Pharming, Smishing, Vishing
Objective
Know and understand phishing, pharming, smishing and vishing, and be able to apply methods that help prevent them.
Key Terminology
- Phishing – Deceptive electronic communication (usually email) that pretends to be from a trusted source to obtain personal or financial information.
- Pharming – Manipulation of DNS or host files so that a user is directed to a fraudulent website even when the correct URL is entered.
- Smishing – Phishing carried out via SMS (text) messages.
- Vishing – Phishing carried out over the telephone, often using voice‑over‑IP (VoIP) or spoofed caller IDs.
How Each Attack Works
Phishing
Attackers send an email that looks legitimate, often containing:
- A sense of urgency (e.g., “Your account will be closed”).
- A link to a counterfeit website that mimics the real one.
- Requests for login credentials, credit‑card numbers, or other sensitive data.
Pharming
Two common techniques:
- DNS poisoning – Corrupting a DNS server’s cache so that domain names resolve to malicious IP addresses.
- Host‑file alteration – Changing the local hosts file on a computer to redirect a domain to a fake site.
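The host-file alteration technique above can be checked for directly, because the hosts file is a plain text file that most operating systems consult before asking DNS. The script below is an added example (not part of the original notes): it parses a constructed hosts file and reports any entry that pins a domain to a non-local address, or that overrides a domain on a watch list even if the address is local. The watch list, the sample entries and the documentation-range addresses (203.0.113.x, 198.51.100.x) are all assumptions made up for the demo.

```python
import ipaddress

# Constructed sample hosts file (not copied from any real machine). The
# last three lines are the kind of entries a pharming attack would plant.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan
0.0.0.0         ads.tracker.example          # harmless ad sinkhole
203.0.113.45    www.examplebank.com examplebank.com
198.51.100.7    intranet.corp.example
"""

# Assumed watch list: domains whose resolution should always come from
# public DNS, so any local override is suspicious regardless of the address.
WATCHLIST = {"examplebank.com", "login.microsoftonline.com", "accounts.google.com"}

# Address ranges that legitimately appear in a hosts file.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local(ip):
    """True for loopback, unspecified (0.0.0.0 sinkholes), private and link-local addresses."""
    return ip.is_unspecified or any(ip in net for net in LOCAL_NETS)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # malformed line, not an address
        for name in parts[1:]:
            yield ip, name.lower()


def registrable(name):
    """Crude registrable-domain guess (last two labels); enough for the demo."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) for every suspicious hosts-file entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if registrable(name) in watchlist:
            findings.append((name, str(ip), "watch-listed domain overridden locally"))
        elif not is_local(ip):
            findings.append((name, str(ip), "non-local address pinned in hosts file"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:28} -> {ip:16} {reason}")
```

On Linux and macOS the file is /etc/hosts; on Windows it is C:\Windows\System32\drivers\etc\hosts. A scheduled run of this check, with a hash of the known-good file kept elsewhere, is what the "regular host-file checks" in the comparison table amounts to in practice.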
Smishing
Typical steps:
- Victim receives a text that appears to be from a bank, delivery service, or government agency.
- The message contains a short URL or a phone number.
- Clicking the link or calling the number leads to a request for personal data.
Vishing
Common scenario:
- The attacker calls, often using a spoofed caller ID that shows a trusted organisation’s number.
- They claim there is a problem with the victim’s account and ask for verification details.
- Information is recorded and later used for fraud.
Comparison of Attack Types
| Attack Type | Medium Used | Typical Target | Common Prevention |
|---|---|---|---|
| Phishing | Email | Individuals and employees | Spam filters, email authentication (SPF/DKIM/DMARC) |
| Pharming | Web (DNS/hosts file) | Anyone using a compromised network | Secure DNS services, regular host‑file checks, HTTPS verification |
| Smishing | SMS/Text message | Mobile phone users | Do not click short URLs, verify sender with official app or website |
| Vishing | Telephone/VoIP | Phone users, especially seniors | Never give personal data over unsolicited calls, use call‑blocking apps |
Prevention Strategies
Effective prevention combines technical controls, user awareness, and organisational policies.
Technical Controls
- Enable multi‑factor authentication (MFA) for all accounts.
- Deploy anti‑phishing email gateways that scan links and attachments.
- Use DNSSEC and reputable DNS providers to reduce DNS poisoning risk.
- Keep operating systems, browsers and security software up to date.
- Implement network firewalls that block known malicious IP addresses.
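The email authentication named in the comparison table (SPF/DKIM/DMARC) and the anti-phishing gateways listed above work together: the receiving server records its SPF and DKIM checks in an Authentication-Results header, and DMARC then asks whether a passing check is aligned with the domain the user actually sees in the From header. The code below is an added example (not from the original notes) that implements that alignment decision in simplified form. It assumes relaxed alignment by comparing the last two labels of each domain (a real implementation uses the public-suffix list), and it takes the sender domain's DMARC policy from a supplied dictionary instead of looking up the _dmarc TXT record in DNS. Both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not real mail). The Authentication-Results header is
# what the receiving mail server adds after running its own SPF/DKIM checks.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
From: Example Bank <alerts@examplebank.com>
Subject: Your monthly statement is ready

Hello
"""

# SPF passes, but for a different domain than the visible From; DKIM fails.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example; dkim=fail header.d=examplebank.com
From: Example Bank <security@examplebank.com>
Subject: Urgent: your account will be closed

Click here
"""

# Assumed DMARC policies, standing in for the _dmarc.<domain> TXT record lookup.
POLICIES = {"examplebank.com": "reject"}

METHOD_RE = re.compile(r"\b(spf|dkim)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d)=([\w.@-]+)")


def org_domain(value):
    """Relaxed alignment helper: organisational domain approximated as the last two labels."""
    labels = value.lower().strip().split("@")[-1].split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Map each method to (verdict, identifier), e.g. {'spf': ('pass', 'examplebank.com')}."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = METHOD_RE.search(clause)
        if not m:
            continue
        method, verdict = m.groups()
        prop = PROP_RE.search(clause)
        results[method] = (verdict.lower(), prop.group(2).lower() if prop else None)
    return results


def dmarc_disposition(raw_message, policies=POLICIES):
    """Return 'deliver' when an aligned SPF or DKIM pass exists, otherwise the
    From domain's policy ('reject', 'quarantine' or 'none')."""
    msg = message_from_string(raw_message)
    from_domain = org_domain(parseaddr(msg.get("From", ""))[1])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_verdict, spf_domain = auth.get("spf", ("none", None))
    dkim_verdict, dkim_domain = auth.get("dkim", ("none", None))

    spf_aligned = spf_verdict == "pass" and spf_domain and org_domain(spf_domain) == from_domain
    dkim_aligned = dkim_verdict == "pass" and dkim_domain and org_domain(dkim_domain) == from_domain
    if spf_aligned or dkim_aligned:
        return "deliver"
    # 'none' means the domain publishes no enforcing policy: deliver but report.
    return policies.get(from_domain, "none")


if __name__ == "__main__":
    print("legit:", dmarc_disposition(SAMPLE_LEGIT))
    print("spoof:", dmarc_disposition(SAMPLE_SPOOF))
```

The spoofed message is the instructive case: SPF genuinely passes for the bulk-sending domain, so a gateway that only checked "spf=pass" would accept it. It is the alignment test against the visible From domain that catches it, which is why the notes list all three mechanisms together rather than SPF alone.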
User Awareness
- Check the sender’s address carefully – look for misspellings or unusual domains.
- Hover over links to view the true URL before clicking.
- Verify requests for personal data through an independent channel (e.g., call the official number).
- Be skeptical of urgent or threatening language.
- Do not trust short URLs; use a URL‑expander service if unsure.
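The phishing indicators listed under "How Each Attack Works" (urgency, a counterfeit link, a request for credentials) and the user-awareness checks just above (sender address, the true URL behind a link, short URLs) can be expressed as mechanical rules. The following is an added example, not code from the original notes: it scores a constructed HTML email for those signs. The trusted-domain set, the shortener list, the urgency phrases and the sample message are all assumptions made up for the demonstration; a real mail gateway would use much larger lists and a proper public-suffix lookup instead of the last-two-labels shortcut used here.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: the domain the user genuinely deals with, a few
# well-known URL shorteners, and phrases typical of pressure tactics.
TRUSTED_DOMAINS = {"examplebank.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|will be (closed|suspended)|verify now)\b", re.I)

# Constructed sample message: look-alike sender ('1' for 'l'), a link whose
# visible text names the real site but whose href does not, and a short URL.
SAMPLE_SENDER = "Example Bank <alerts@examp1ebank.com>"
SAMPLE_HTML = """\
<p>Dear customer, your account will be closed within 24 hours unless you verify now.</p>
<p>Sign in at <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>
<p>Or use <a href="https://bit.ly/3kXyZ12">this secure link</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    return ".".join(host.split(".")[-2:])


def lookalike(host, trusted):
    """Return the trusted domain this host imitates, or None if it is genuine or unrelated."""
    reg = registrable(host)
    for t in trusted:
        if reg == t:
            return None                       # the real domain or one of its subdomains
        if t.split(".")[0] in host or SequenceMatcher(None, reg, t).ratio() > 0.8:
            return t
    return None


def analyse_email(sender_header, html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable phishing indicators found in the message."""
    findings = []
    sender_domain = parseaddr(sender_header)[1].rsplit("@", 1)[-1].lower()
    near = lookalike(sender_domain, trusted)
    if near:
        findings.append(f"sender domain {sender_domain!r} imitates {near!r}")
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html_body)):
        findings.append("urgent or threatening language")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        host = host_of(href)
        if registrable(host) in URL_SHORTENERS:
            findings.append(f"shortened URL hides the destination: {href}")
        near = lookalike(host, trusted)
        if near:
            findings.append(f"link host {host!r} imitates {near!r}")
        if "." in visible and " " not in visible:   # visible text itself looks like a URL
            shown = host_of(visible)
            if shown and shown != host:
                findings.append(f"link text shows {shown!r} but points to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_SENDER, SAMPLE_HTML):
        print("-", finding)
```

Each finding corresponds to one of the manual checks in the list above, so the output doubles as a walk-through of what a careful user should notice: the sender domain, the mismatch between the displayed and real link, the shortener, and the pressure language.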
Organisational Policies
- Regularly conduct phishing simulation exercises for staff.
- Maintain a clear incident‑reporting procedure for suspected attacks.
- Provide mandatory training on safe handling of emails, SMS and phone calls.
- Enforce password policies and encourage the use of password managers.
Summary Checklist
- Identify the medium (email, DNS, SMS, phone) used in the attack.
- Look for signs of deception: urgency, unfamiliar sender, mismatched URLs.
- Apply technical safeguards: MFA, spam filters, secure DNS.
- Educate users to verify requests through trusted channels.
- Report any suspected incident immediately.
Suggested diagram: Flowchart showing how a phishing email leads to credential theft, with parallel branches for smishing, vishing and pharming.