What is Vishing? Definition, methods and best prevention practices


What is Vishing?

Vishing is defined as a cybersecurity attack in which a malicious entity contacts the victim by telephone and attempts to gain the victim's trust through social engineering practices to obtain sensitive data, extract funds or otherwise harm the individual.

This is essentially a type of phishing attack carried out through voice media, which is why it is called a vishing attack.

Vishing attack mechanism

Vishing usually takes the form of an urgent or disturbing phone call. For example, the caller may claim that the victim's account has been hacked and that they need a PIN number to validate their identity or reopen the account.

They may also claim to be calling on behalf of a government agency, such as the Internal Revenue Service (IRS) or the Social Security Administration. They may even insist that the victim owes money or has won a contest.

These are all cases of "vishing" (as discussed, a term that blends "voice" and "phishing" to denote a telephone scam). Phishing describes any effort by cybercriminals to trick people into handing over money, personal data or secret information. Email and SMS text messaging ("smishing") can likewise be used to commit the same kind of fraud.

Vishing is a cybercrime in which criminals use the telephone to extract information from victims that would harm the person or benefit the perpetrator in some way.

Cyber fraudsters use sophisticated social engineering techniques to convince victims to provide personal data and even access to bank accounts or trade secrets. Like smishing and phishing, vishing focuses on persuading victims that acceding to the caller's demands is the appropriate response. Callers often pose as government authorities, the tax agency, the victim's financial institution or the police.

The success of this tactic depends on effective social engineering, i.e. exploiting a person's psychology to create a convincing effect. Vishing perpetrators use threats or positive persuasion to make victims feel that they have to provide the requested information. Victims may also receive threatening voice messages telling them that they risk prosecution or having their bank accounts frozen if they do not call back.

How does vishing work?

Vishing attackers often use caller ID spoofing to trick victims into believing that a phone call is coming from a trusted company or from a local area code.

They often pose as trusted entities to trick victims into sharing their data. For example, they may present themselves as executives of a bank or credit card agency, a creditor or an IRS agent. These scammers generate a sense of urgency as soon as the intended victim answers the phone, preying on their emotions to pressure them into complying with demands.

Vishing can be of different types, but the objective is always the same: to trick the victim into revealing personal information, either for monetary gain or to commit other crimes, such as identity theft.

One of the reasons these attacks can be persuasive is that fraudsters can use personal information obtained from other sources to make vishing attempts appear legitimate.

The most common types of vishing

1. Wardialing

2. VoIP-based attacks

3. Caller ID spoofing

4. Dumpster diving

1. Wardialing

Wardialing uses various types of technologies to automatically dial a large number of phone numbers in rapid succession, usually to discover flaws in security and IT infrastructure.

Hackers often use wardialing tools, sometimes known as "wardialers" or "demon dialers", to find unsecured modems. It takes very little time to do so once the scammer locates the list of numbers that are connected to the modems.

2. VoIP-based attacks

The transfer of voice and multimedia content over an Internet connection is known as Voice over Internet Protocol (VoIP). Users can make voice calls using VoIP through their computers, smartphones, other digital platforms such as VoIP phones and Web Real Time Communication (WebRTC) enabled sites.

VoIP is a beneficial technology for both individuals and businesses, as it often contains additional capabilities not seen in traditional telephone systems. It is also useful for businesses as a means of unifying communications.

Unfortunately, VoIP can be exploited by fraudulent individuals to initiate vishing attacks. The attacker registers a domain and creates phishing pages that resemble the organization's network login page. As a result, VoIP calls initiated by the threat actor appear to originate from the same network. In addition, since VoIP often requires multi-factor authentication, the caller may ask the victim to visit the fraudulent page and share their data.

3. Caller ID spoofing

Spoofing occurs when a caller purposely falsifies the information sent to the incoming call screen to conceal his or her identity. Fraudsters often use the "neighbor spoofing" technique to make the caller ID appear to come from a local number, or to impersonate a company or government institution that the victim already trusts.

If such a call is answered, the attacker is attempting to steal funds or critical data, which can be used in fraudulent activities. Scam scripts are an important part of caller ID spoofing attacks, as they further reinforce the belief that the caller is legitimate.

4. Dumpster diving

Rummaging through trash bins - both physical and digital - belonging to banks, corporate buildings and other institutions is an easy and popular means of collecting vishing victims' contact information.

Criminals can gather enough information from shredded documents, discarded storage devices, old calendars, photocopies, etc., to conduct a subject-focused spear-phishing assault.

Preventing Vishing Attacks: Top 8 Best Practices for 2022

Once a person falls prey to a vishing attack, it is difficult to reverse its effects and recover damages. Even if law enforcement identifies the culprit, getting compensation for damages is a challenge. That's why it's crucial to take proactive steps to prevent vishing attacks by following these best practices:

Best practices to prevent vishing

1. Have a VPN connection

A virtual private network (VPN) protects information shared over the Internet and makes it harder for fraudsters to get hold of your contact details.

The VPN will encrypt network traffic and send it through a secure tunnel before reaching a VPN server that masks your IP address. As a result, threat actors will not know your location, making it difficult to execute social engineering attacks. The intended victim can simply ask the caller about their location to check if the call is legitimate.

2. Be on the lookout for "urgent" calls

When a caller creates a sense of urgency, you should consider it a red flag. For example, vishing perpetrators may try to convince the victim that there will be negative consequences if they do not hand over their bank details or pay an outstanding bill immediately.

You can hang up or ask for the caller's contact information and tell them you will call back later. If it is a scam, the caller will usually exert more pressure or hang up.

3. Use robocall blocking tools

Robocall blocking tools, popularly known as call filters, are computer programs that detect automated calls. If a third party entity has employed wardialing techniques, the robocall blocker will identify and block it immediately.
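The detection side of the two techniques described above (wardialing in the previous paragraph, neighbor spoofing in the caller ID section) can be expressed as simple rules over call records. The following is an added example, not code from the original article or from any call-filtering product; it assumes a constructed call-detail-record format of "timestamp caller_id dialed_number" and a hypothetical internal directory of known extensions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: "timestamp caller_id dialed_number".
# 555-900-0100 sweeps a block of extensions within seconds (wardialing);
# 555-201-0999 shares the callee's area code and exchange but is not an
# internal extension (the neighbor-spoofing signature); 555-300-0200 is benign.
CDR_LINES = [
    "2022-03-01T09:00:01 555-900-0100 555-201-0001",
    "2022-03-01T09:00:04 555-900-0100 555-201-0002",
    "2022-03-01T09:00:07 555-900-0100 555-201-0003",
    "2022-03-01T09:00:10 555-900-0100 555-201-0004",
    "2022-03-01T09:00:13 555-900-0100 555-201-0005",
    "2022-03-01T09:15:00 555-300-0200 555-201-0001",
    "2022-03-01T09:20:00 555-201-0999 555-201-0001",
]
# Hypothetical directory of the organization's own numbers.
INTERNAL_DIRECTORY = {"555-201-0001", "555-201-0002", "555-201-0003",
                      "555-201-0004", "555-201-0005"}

def parse_cdr(lines):
    """Parse each record into (datetime, caller_id, dialed_number)."""
    records = []
    for line in lines:
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records

def detect_wardialing(records, window=timedelta(seconds=60), threshold=5):
    """Map caller_id -> distinct numbers reached, for callers that dial
    at least `threshold` distinct numbers inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, calls in by_src.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # drop calls that fell out of the window
            targets = {dst for _, dst in calls[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

def prefix(number):
    """Area code plus exchange, e.g. '555-201' for '555-201-0001'."""
    return number.rsplit("-", 1)[0]

def neighbor_spoof_candidates(records, directory):
    """Caller IDs sharing the callee's prefix that are not known extensions."""
    return sorted({src for _, src, dst in records
                   if prefix(src) == prefix(dst) and src not in directory})
```

Flagged callers would be handed to the blocking rule or to the receptionist's verification step rather than answered directly.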

4. Implement internal processes

Who picks up the phone when the organization's general number rings? Could it easily end up in the hands of the wrong employee?

Passing the phone from one user to another can create confusion and cause employees in the organization to lose sight of who is on the other end of the call.

Hiring a dedicated receptionist to filter out the bad from the good can be helpful when necessary and ensure that all employees verify who is calling when someone else passes it on.

Another option is to create a process where the recipient confirms with the "requester" directly through another official channel before handing over the phone.

5. Ensure that all devices have multifactor authentication

Using high-security passwords is all well and good, but multi-factor authentication provides those extra layers of security that ensure your account can't be compromised with a single password.

Google announced that multi-factor authentication will be mandatory for 150 million users by 2021 to provide an enhanced layer of security against threats and thus reduce the number of compromised accounts by 50%.

Conclusion

Vishing may not be a major concern for your organization, but it should be. No matter how smart or capable your company and your colleagues are, social engineering tactics are powerful enough to catch anyone off guard.

Now that you know about vishing, it is important that you share this information with your employees.

Let them know that questioning the caller and verifying information with someone through official channels can be the difference between secure data and the risk of a cyber incident or data breach.
