Cybersecurity attacks come in all sorts of ways and from all directions, so perhaps we should not be surprised at one of the latest trends in thieves trying to steal your organization’s data — “vishing” attacks, where they use the plain old telephone.
What Is Vishing?
Vishing, also known as “voice phishing,” happens when attackers use voicemail or phone call scams to dupe victims into sharing confidential data, downloading malicious software, or taking some other step that leaves the business exposed to the attackers.
Conceptually, vishing works the same way as traditional phishing attacks: criminals use social engineering techniques to lend their request a sense of legitimacy and urgency, and they manipulate the victim into helping them achieve their goal. But where phishing transpires over email, vishing uses voice communications over landlines, cell phones, or Voice over Internet Protocol (VoIP).
For example, a common cybercrime, warned about by the FBI, targets senior citizens. The attackers make contact and claim to be law enforcement, telling the target that a loved one is in jail and needs to be bailed out. Then comes the scam: to make bail, the attackers say, the target should transfer money immediately to a certain bank account or credit card number.
How Do Vishing and Phishing Differ?
As previously mentioned, vishing and phishing use two different technologies (voice and email) to accomplish the same goal (dupe the victim into taking some action). There’s even a third species of this attack, “smishing,” which uses SMS text messages.
Vishing can often be the next step after a successful phishing attack. The information scammers collect from their victims in a phishing attack strengthens the subsequent vishing attack, reinforcing the credibility of the attackers’ cover story and the urgency of the victim taking action right away.
Common Types of Vishing Attacks
Below are common vishing scams to watch for.
Bank-Related Fraud
One of the main objectives of vishing scammers is to obtain financial information of any kind, from account numbers to credit cards.
To achieve this goal, scammers rely on methods such as caller ID spoofing, where they make the call appear to come from a legitimate corporate number or from an unknown number. This lets them pass as a legitimate caller while they try to extract the victim’s banking information or commit identity theft.
In the business world, this can also take the form of a scammer calling a subordinate in the company’s financial department, posing as the CFO or some associate of the CFO. The scammer then asks the target to wire company funds to an overseas account, perhaps to pay for an M&A deal or some similar reason. Once the money leaves the corporate coffers, the scammer disappears with it.
Loan Offers
Many vishing calls offer high-value investments or low-interest loans. The nature of these transactions gives the attackers a plausible pretext for requesting sensitive information.
Combined with other phishing schemes, this kind of vishing attack reinforces the appearance of legitimacy to induce wire transfers or less formal payments, presented as administrative fees required to release profits that do not exist.
Account-Specific Attacks
By taking advantage of the poor cybersecurity design of online services, scammers can learn which companies use them. This becomes the entry point for cyber attackers, who use the legitimate service as a front to forge suspicious-login notifications or password-change requests.
These legitimate-looking notices seek to redirect victims to conveniently forged web pages that harvest users’ login details, or to request payment of some supposedly essential fee.
IRS Scams
Along similar lines to Social Security scams (but applicable to the much wider world of anyone who pays taxes), IRS scams threaten tax penalties or other obligations, along with a “solution” that’s available if the victim provides financial data.
How Can You Avoid Vishing Attacks?
Vishing attacks seem easy to identify after the fact, when we present them to someone looking to identify a scam. In the moment, however — when an attacker is actually on the phone, with a smooth presentation and plausible claims — spotting the vishing scam can be much harder. Follow these recommendations to stay safe from vishing and other social engineering attacks.
Be wary of urgent requests.
While emergencies and problems arise daily, few can be resolved on a single phone call. An insistent push for urgency is a strong indicator that the caller is an attacker trying to obtain financial information.
Try to confirm any information given.
Try to verify everything from the agent’s name to the reason for the call.
Financial institutions and government agencies have public lines for requests and inquiries; they also have reliable digital channels where authentic information can be verified.
Ask for documentation that you can evaluate later. Many scammers will send false documentation that can easily be disproved by contacting the respective agencies.
Never provide or confirm personal information.
No bank, police or government agency, hospital, or insurance company will request your personal information by phone call, so any related request should be handled with care and skepticism.
Protect Your Business Against Evolving Cyber Attacks
The number of cyberspace-related risks is growing exponentially as today’s risks evolve and multiply to overcome traditional defenses.
Conventional risk officers often lack both the tools needed to address the dynamic cybersecurity landscape and guidelines for prioritizing threats and vulnerabilities.
ZenGRC is your answer to the exponential increase in risks in today’s digital world, with monitoring tools that allow risk officers to address corporate security risks from a technical perspective and clear, easy-to-use framework templates.
Keep your company and your information systems protected from threats with integrated support from specialists in the field.
ZenGRC is the solution your company needs. Book a demo to learn more.