Jeff Weeks
Sr. Vice President and Chief Information Security Officer
May 22 2025
Author: Jeff Weeks, Senior Vice President and Chief Information Security Officer
Last month, I wrote about the Telephone-Oriented Attack method. This attack method employs phishing, vishing, and/or smishing. This month, we will discuss the basic types of phishing attacks, which can be used alone or in combination to seem legitimate.
What is Phishing?
Phishing usually consists of phony emails that seem to be from reliable sources. To instill a sense of urgency and increase the likelihood that victims will click on infected links or attachments, hackers employ social engineering techniques to trick recipients into acting without fully considering whether the request is legitimate.
Why is identifying phishing important?
Phishing is the number one delivery method of malware and is the easiest way for hackers to obtain access to your information, accounts, and money. Phishing bypasses security measures and exploits human vulnerabilities.
Email Phishing Example
Imagine receiving an email that appears to be from your bank, alerting you to a compromised account. The email urges you to click on a link to validate your account.
Indications of Phishing Emails
Misspellings and general salutations used to indicate phishing, but not anymore. Hackers use Artificial Intelligence (AI) and other apps to correct errors in messaging. A better way to determine whether an email is phishing is to take your time and analyze it. If you received an email like the one in the image above, what steps can you take to determine if it is phishing?
- Hover over the sender’s address. Does it show a different email address than what is presented? If so, it’s most likely phishing. Even if the email address appears to be legitimate, let’s look closer.
- Look carefully at the sender’s email address – are there numbers substituted for letters? Are there misspellings in the email address? Or is the email address associated with a personal account or a general domain, such as gmail.com?
- Consider whether the email is asking you to act urgently or trying to scare you. The subject line of this email certainly grabs your attention and can create feelings of fear and urgency. The purpose of using scary language like this is to compel you to act before you have had a chance to carefully consider the email you are interacting with.
- Is the email asking you to click on a link? Hover over the link without clicking on it. Does the link have the appropriate domain? Since this email is from yourbankname.com, the link to verify your account should also come from yourbankname.com. If not, this is likely a phishing email.
- If you are still unsure, call the business at a phone number you find independently from the email. Do not call any phone numbers provided in the email.
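The checks in the list above, applied in Python to a constructed message. This is an added example, not part of the original article. The function names, the free-mail and urgency word lists, and the sample message are assumptions; yourbankname.com is the article's placeholder domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # assumed sample list
URGENT = re.compile(r"\b(urgent|immediately|compromised|suspended)\b", re.I)
DIGIT_SWAPS = str.maketrans("013457", "oleast")         # 0->o, 1->l, 3->e, ...

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def check_email(raw, claimed_domain):
    msg = message_from_string(raw)          # assumes a single-part message
    shown, actual = parseaddr(msg.get("From", ""))
    sender_host = actual.rpartition("@")[2].lower()
    swapped = sender_host.translate(DIGIT_SWAPS)
    findings = []
    # Address presented in the display name differs from the real one
    if "@" in shown and shown.strip().lower() != actual.lower():
        findings.append("display-address-mismatch")
    # Digits substituted for letters, or a personal/general mail domain
    if sender_host != claimed_domain and swapped == claimed_domain.translate(DIGIT_SWAPS):
        findings.append("lookalike-sender-domain")
    if sender_host in FREE_MAIL:
        findings.append("free-mail-sender")
    # Urgent or frightening subject line
    if URGENT.search(msg.get("Subject", "")):
        findings.append("urgent-language")
    # Links that do not point at the domain the email claims to come from
    for url in re.findall(r'href=["\'](https?://[^"\']+)', msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if not under(host, claimed_domain):
            findings.append("link-domain-mismatch:" + host)
    return findings

# Constructed sample message (not a real email)
SAMPLE = '''From: "support@yourbankname.com" <support@y0urbankname.com>
To: customer@example.com
Subject: URGENT: Your account has been compromised
Content-Type: text/html

<p>Click <a href="https://yourbankname.com.account-check.example/validate">here</a>
to validate your account.</p>
'''

if __name__ == "__main__":
    print("\n".join(check_email(SAMPLE, "yourbankname.com")))
```

The link check compares the whole host name, so a link that merely starts with the bank's name but ends in another domain is still flagged.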
Phishing using Smishing (SMS)/Text messages
A common smishing message going around now is the “Unpaid Toll” text. This text message often comes from an unknown number and creates a sense of urgency.
Smishing Example:
Indications of Smishing:
- Communication from unidentified individuals or unknown numbers is the first sign of smishing. This phone number comes from a +63 country code, which is the Philippines.
- The URL is unusual.
- It creates urgency to pay to avoid excessive late fees.
Voice Phishing or Vishing
Vishing is the practice of hackers posing as trustworthy companies over the phone in order to obtain personal data. Caller ID spoofing is frequently used in this technique to make it seem as though the call originated from a reliable source.
Vishing Example:
Someone pretending to be from your IT department calls you and says there has been a security breach and they need your login information to "fix" the issue. The caller also states that if you do not provide the information, you will be locked out of your account.
Indications of Vishing:
- Phone calls from unfamiliar phone numbers. Does the number appear to come from within your organization?
- The caller ID appears to show a legitimate area code or business name, but the request seems suspicious. Why do they need your login information to fix the issue?
- Over-the-phone requests for private information are suspicious, especially if you did not initiate the call.
- Threats of account suspension or pressure to respond immediately are suspicious.
- Remember, it’s always ok to hang up and call someone at a number you trust.
Additional Steps to Stay Safe
To increase security, here are additional steps to take:
- Turn on multi-factor authentication for your accounts.
- Set your devices to automatically update. As an example, in April 2025, Apple issued an update for iPhones to address two zero-day vulnerabilities. Hackers exploit zero-day vulnerabilities before the software provider can identify and address them. Targeted attacks against individuals have exploited both of the Apple vulnerabilities. By having your phone set to automatic updates, you can narrow the window of time that it is vulnerable to these and other attacks.
- If you receive a strange email, text, or phone call, report it to the appropriate authorities or to the information security or technology department of your company.
- If you happen to receive a call, email, or text that seems suspicious and claims to be from FNBO, report it to us at: reportphish@fnbo.com. This helps us address phishing campaigns using FNBO’s brand and allows us to take down websites associated with these attacks.
Understanding the different forms of phishing and how to spot them can help you defend yourself against these dishonest practices. Always prioritize your online security.
Images are generated by Artificial Intelligence.
About the Author
Jeff has been with First National Bank of Omaha for more than 26 years and is currently the Senior Vice President and Chief Information Security Officer. The executive leadership and oversight provided by Jeff in the development, management, and execution of information security for FNBO enables the company’s ability to posture and protect private, personal information, and assets of the company’s clients, employees, and business partners.