Phone calls, emails, and text messaging—we communicate with them every day, but cybercriminals use them to steal information and money. This is done through social engineering, a manipulation technique that exploits human error to gain access to private information, valuables, or systems. When social engineering is mixed with smartphones and the internet, you get vishing, phishing, and smishing. Let's see what these scams are and how you can protect yourself from them.

What is vishing?

Vishing, aka voice phishing, occurs when scammers call you or your business and try to obtain sensitive information. Often, the person on the other end of the line will claim to be from a company you're already doing business with—like your point-of-sale partner. Sometimes they'll even say they're a third party that's working with your provider.

Since voice calls happen in the moment, people who attempt vishing attacks want you to think that giving them information is both important and urgent. They know that once you hang up, there's probably no chance for them to get what they want, so they use some common tactics to get you to act fast.

Phone carriers will often identify possible scam calls before you even answer.

3 common vishing tactics

  1. You're not PCI-compliant. Payment card industry (PCI) compliance refers to the rules your business must follow to protect credit card data and prevent data breaches. A scammer might tell you you're not PCI-compliant and ask to see your dashboard or statement information so they can fix the problem.
  2. You have billing issues. Scammers may claim they're third-party billing specialists and have noticed some overpayments on your account. They could ask for your billing rates or even bank account details so they could "help" you figure out a payback plan.
  3. Your tech needs to be updated. Attackers might pose as someone from your tech provider's customer support center and say your computer needs to be updated or repaired. With this vishing attack, they'll probably ask for remote access to your system or your account password.

How can your business avoid phone scams?

When someone calls you and claims to be from a business you work with, you should have a verbal passphrase they say to verify their identity (and vice versa). At the very least, they should be able to tell you your account number with their business.

If they can't provide that information, you should hang up and call the business from their listed customer support number. Let them know you were just contacted by someone who said they were a rep from their company, and you think it might be a scam. If it was a legitimate call, they should be able to reroute you to the rep who originally contacted you. If it was a scam, then you just saved yourself a lot of headaches or, more importantly, money.

To get a verbal passphrase with your tech provider, call their support center and let them know you'd like to set one up. SpotOn offers security phrase verification* for all clients to keep accounts safe while providing 24/7/365 expert phone support.

*If you're a SpotOn client and would like to set up a security phrase, call our customer support at (877) 814-4102 and press 5 for account maintenance.

What is phishing?

Phishing attacks come in emails from cybercriminals trying to get your personal information.

Phishing is when scammers try to obtain your personal details through email to do something that's not in your best interest. To do this, an attacker will try to get you to take one or more of the actions below.

  • Click on a link 
  • Download an attachment
  • Send sensitive information

While these actions may seem harmless, they have the potential to ruin your business. With a simple click (or a little bit of info), scammers can install malware on your computer, take your sensitive data, and ultimately steal money from your business.

How to tell if an email is a scam

  • Sender email address. An attacker can manipulate the sender's name but not the email address. Check the domain name of the sender's address to verify it's legit. A scam email might have the company's name with extra words or special characters, like no-reply@accounts-netflix.com. Or the company name might be spelled wrong. If you're not sure if the email is legit, open a new tab and put the domain name of the email address in the URL bar. If it's not the company you expected, it's a scam.
  • Misspellings and bad grammar. Although it's not always the case, poorly written emails are often the first indicator of phishing attacks. Bad actors often don't spend the same amount of time or effort writing an email as trusted companies do. But on the flip side, just because an email is well-written doesn't mean it's not a scam. Make sure you check the email address, as mentioned above.
  • Suspicious links. Never click (or tap) on a button or text link without knowing where it goes. To find out, just hover over it with your cursor and the target URL will appear in the bottom left corner of your screen. If you don't recognize the domain name, stay away.
  • Unexpected attachments. Just like buttons and links, attachments can be scammy. To see where they lead, hover over (don't click) the attachment and a box with the target link will appear in the bottom left corner. If the domain name of the URL isn't familiar, it's most likely a scam.
  • Information requests. Businesses like your POS provider should already have the personal and bank account information they need from you, so there's no reason they'd ask for it in an email. Never reply or send your business's sensitive information in an open email.
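
The sender-address and link checks above can also be automated. The Python sketch below is an added example, not part of the original article: the allow-list `TRUSTED`, the sample message, and the single-part HTML body are assumptions, and it flags domains that pad a trusted company name with extra words or nearly match its spelling.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains of the companies you actually do business with.
TRUSTED = {"netflix.com"}

def verdict(host):
    """Classify a host as 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    # Naive registrable domain (last two labels); production code needs a public-suffix list.
    base = ".".join(host.split(".")[-2:])
    if base in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # Brand padded with extra words, or spelled almost right.
        if brand in host or SequenceMatcher(None, brand, base.split(".")[0]).ratio() >= 0.8:
            return "lookalike"
    return "unknown"

class LinkHosts(HTMLParser):  # collects the host of every <a href> in an HTML body
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hosts.append(urlparse(href).hostname or "")

def analyze(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2]
    links = LinkHosts()
    links.feed(msg.get_payload())  # assumes a single-part HTML message
    return {"display_name": name, "sender": sender, "sender_verdict": verdict(sender),
            "links": [(h, verdict(h)) for h in links.hosts]}

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Netflix Billing" <no-reply@accounts-netflix.com>
Content-Type: text/html

<p><a href="https://netflix.com.billing-update.example/login">Sign in at netflix.com</a></p>
"""
print(analyze(SAMPLE))
```

A "lookalike" verdict on either the sender or a link is the signal to stop and verify through a channel you already trust; "unknown" only means the domain is not on your list.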

How to report an email scam?

If you're not sure if an email is legitimate, screenshot it (Mac: Command + 3 or Windows: Windows + PrintScreen) and send it to the business it looks like it came from. They can verify if it's valid and, if it isn't, let other customers know about the scam.

To get rid of a scam email, select it in your email platform (like Gmail) and click the "Report Spam" icon in the toolbar. Once reported, the email is moved to your spam folder and deleted after 30 days. Gmail will also warn other users of the fraudulent email.

In Gmail, you can click on the stop sign icon to report suspected spam and scams

What is smishing?

Smishing, aka SMS (short-message-service) phishing, is when cybercriminals use deceitful text messages to get you to take actions that are against your best interest, like clicking on links that download malicious software onto your phone or entering your username and password into a fake login page. 

Since people carry their phones with them all the time, they're more likely to respond to text messages, which feel more personal and arrive less frequently. Smishing scams aren't just through text, though.

They can happen on any open messaging platform, like Telegram or WhatsApp. So you should have your guard up everywhere.

Smishing scams might say you won a prize to get you to click on a link.

5 common smishing characteristics

  1. There's bad spelling or poor grammar
  2. You're prompted to take urgent action
  3. The number has an unusual number of digits
  4. There's a link that doesn't match the content
  5. It references something irrelevant to you

How can you prevent smishing fraud?

  • Keep your number private. Avoid sharing your phone number unless necessary. This includes sharing on social media, putting in your number at the checkout counter, or using it as a username on sites. Remember, people who have your number have direct access to you most of the time.
  • Utilize your phone's security features. Smartphones are connected to the Internet, which makes them a security risk. If you have an iPhone, review Apple's security guide and turn on the necessary features to keep it safe. You can do the same with a Samsung Galaxy or Google Pixel.
  • Screenshot the message to report it. If you want to let a company know someone is sending out fraudulent messages in their name, screenshot the message and send it (text or email) to a trusted rep or customer support. 
    • Apple iPhone: Side button + volume up
    • Samsung Galaxy: Power button + volume down
    • Google Pixel: Power button + volume down 
  • Don't react. Just delete. If you suspect a message is a scam, don't click on any links or respond to the message itself. That's exactly what attackers want. Just delete the message and report it as junk if your messaging app offers that option.

What type of information do scammers want?

Because cybercriminals can use so many tactics to steal money, they will try to obtain all types of information from you. Never give any of your personal or financial information to people over the phone, email, text, or messaging platforms. These types of information include:

  • Personal phone numbers
  • Personal addresses
  • Social security numbers
  • Tax ID numbers
  • Login credentials
  • Business ID numbers
  • Bank account numbers
  • Account numbers for services
  • Payment processing rates

Being skeptical keeps your business safe

It's human nature to want to trust people, especially if you work in the service, retail, or hospitality industry. But scammers will prey on a business operator's good nature to get what they want. Make it a habit to approach every unknown phone call, email, and text message with suspicion. Do your due diligence as outlined above, and you'll be on your way to keeping your business and profits safe from malicious cybercriminals.


DISCLAIMER: Everything here is just for informational purposes. The links and graphics may not be accurate and we encourage you to do your own research. Also, we can't guarantee results from following our advice. Always consult a professional for your specific situation.
