April 2019: Whaling, SMiShing, and Vishing…Oh My!


Social engineering attacks such as whaling, SMiShing, and vishing are common ways to steal information and money. The twelve Security Awareness blogs feature ready-made content designed to enhance security awareness.

photo of credit card caught on a fishhook
Credit: wk1003mike / Shutterstock © 2018

Campus Security Awareness Campaign 2019

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content at the security awareness resource page.

You know about phishing, but are you educating your community about the other types of "ishing?!" Phishing via email has been a major risk for a long time, and organizations are getting better at preparing their communities to resist this form of social engineering and abuse of trust by using phishing training programs and user awareness training and by raising the awareness of email threats in general.

Prepare your community for some of the variants on this attack that are becoming more prevalent via email, SMS, and voice phone calls. This month's ready-made content can help your end users learn how to protect themselves against these types of attacks on campus and off.

Get the Word Out

Newsletter or Website Content

Social engineering (manipulating people into doing what the attacker wants) is the most common way cybercriminals steal information and money. It is at the heart of all types of phishing attacks, whether conducted via email, SMS, or phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass-emailed phishing attack:

  • Spear phishing: This kind of attack often involves very well-crafted messages that appear to come from a trusted VIP source who is often in a hurry. When it targets those who can conduct financial transactions on behalf of your organization, it is sometimes called "whaling."
  • SMiShing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.

No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:

  • Don't react to scare tactics: All of these attacks depend on scaring the recipient, such as with the threat of a lawsuit, a claim that their computer is full of viruses, or a warning that they might miss out on a chance at a great interest rate. Don't fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don't trust people who contact you out of the blue claiming to represent your company.
  • Know the signs: Does the message/phone call start with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!

Social Posts

  • Microsoft won't call about your computer, the IRS won't call about their case, and Rachel from card services won't get you a better rate! #Cyberaware
  • Would you trust someone at random on the street? Why would you trust someone who randomly emails, texts, or calls you? #Cyberaware
  • Phone calls and texts are as easy to spoof as email. If it sounds too good to be true, or if it's really scary, it's probably a scam. #Cyberaware
  • Remember: #Phishing is a social engineering scam and it's not just for email! You can get phished by phone or text message too. #Cyberaware

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's information security page.


Jane or John Doe
Chief Information Security Officer
XYZ College or University

Did you know?

  • Emails from a VIP asking to do an urgent wire transfer or buy some gift cards are scams!
  • No one from Microsoft is going to call you about your computer that has a virus!
  • The IRS isn't going to call you and threaten legal action unless you pay them using gift cards!

Learn more here. [Link "Learn more" to your institution's information security department page or NCSA's tips and resources for spam and phishing [https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/].]

Embed or Share Videos

HEISC Information Security Awareness Training Video: "Phishing: E-Safe"
FCC Podcast on Spoofing, Scamming, and Crackdown on Unwanted Calls
Hang Up on Phone Fraud


Share these resources with end users or use them to inform your awareness strategy.

Use This Image to Support Your Message

phishing infographic
From Digital Guardian phishing infographic

Eric Weakland is Director of Information Security at American University.

© 2018 Eric Weakland. The text of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License.