Posted on November 14, 2022
Estimated reading time 4 minutes
Scam calls have been around since the nineties, but they have become an emerging threat to enterprise cybersecurity in recent years. Since 2018, a staggering 29.2% of all mobile phone calls have been made by hoax callers. On top of that figure, 75% of scam call victims said that the perpetrators already had some of their information.
Just like its email equivalent with a similar name (phishing), vishing involves tricking victims into handing over highly sensitive company information. With vishing, attacks are done over the phone. Sometimes victims speak with a human being, whereas other attacks can use automated VoIP tools to help scammers target thousands of individuals simultaneously.
In this article, we will explore how vishing works, how it could impact you, and how you can mitigate your risk profile.
What is Vishing?
Vishing is a portmanteau of ‘voice phishing.’ Vishing attacks use a mix of publicly listed information and social engineering to get the information they want from their targets. To illustrate, an attacker may find an enquiries helpline number and submit a hoax query to get the name of a department head, a piece of address information, etc., to help them sound more credible when they attempt a secondary scam call.
In these instances, a voice phishing attack takes place over two phone calls, one designed for general information-gathering and trust-building, and a second call where the actual sensitive information is obtained.
How do Vishing attacks differ from phishing?
Vishing is strikingly different from phishing in that it affects human emotions. Phishing is an attack on the recipient’s mailbox, and the cybercriminal is hidden behind a screen. In contrast, a vishing attack has the potential to do a lot more psychological damage to its victims as they often will speak to a cybercriminal themselves, sometimes on multiple occasions.
A vishing attack can greatly undermine people’s trust in doing any business over the phone. This, of course, is bad for companies, as banning phone calls for fear of vishing attacks would create administration bottlenecks and lower confidence in a vital aspect of global commerce. Therefore, organisations must
- protect themselves from vishing attacks and do what they can to ensure that we can all continue to perform our daily work safely, over the phone.
- raise employee awareness of the dangers of voice phishing and how they can protect themselves from scam callers.
So what signs of a Vishing attack should companies look out for?
Vishing attackers can deploy various methods to steal your company’s data. However, many attacks do involve similar tactics to help criminals obtain the crucial information they need to infiltrate your systems:
- Sense of urgency: Vishing attackers often try to establish a sense of urgency in their telephone conversations. Whether they attempt to manipulate their mark by fear or greed, they will try to get the listener to hand over their information quickly. They do this by inventing a scenario that requires the victim’s urgent attention, such as ‘preventing theft’ or ‘getting a time-urgent discount’ or urgently accessing systems or data for any reason.
- Appeal to authority: Assuming the fraudulent identity of a governmental body or financial institution is another common tactic used by vishing attackers. This tactic plays to the victim’s eagerness to comply with the law or help authorities prevent something bad happening to their livelihood. Another play on the appeal to authority is to refer to a senior executive within the organisation, posing as them or as a party acting on their behalf.
- Distraction methods: Attackers can use tactics like playing the sound of a baby crying in the background of calls to distract their victims and extract confidential information. Like the sense of urgency tactic, manipulating their victim’s sense of sympathy is a particularly insidious psychological ploy that people need to be aware of with voice phishing scams.
- Blame shifting: Posing as an IT department is another authority figure a scam caller might use to trick a target. In these cases, posing as an IT employee, the criminal might ask the recipient to update their password or account information over the phone to prevent a ‘virus’ from taking over their systems. If the recipient refuses, the criminal may try to shift the blame of an attack back on the victim as a form of blackmail.
- Random gifts/prizes/credit: If you get a call from someone who says that you have won a lottery, gift cards, or money off vouchers, be wary, it is a common financial hoax method. These callers are likely to ask for account details so they can ‘helpfully’ send you your prize without you having to lift a finger. From there, they can use the financial data to steal from you or commit fraud. A more subtle variation on the random gift scam call is the ‘pre-approved for a loan’ ruse, which works in the same way, asking for critical account information they can use to reset information or steal from you.
How managed security services like Atech can prevent Vishing attacks on your systems
1. Security teams must remain constantly vigilant of vishing attacks, and organisations must offer their employees training to ensure their information’s safety on all phone calls.
2. Maintain company confidentiality by performing due diligence checks on callers.
3. Research callers’ credentials and call legitimate authorities back if you need to enquire about information received from external sources.
4. Finally, and most importantly, don’t give away ID, passwords, account information, or any sensitive data over the phone.
Don’t be intimidated; hang up the phone, verify information and take the appropriate steps. While it starts with awareness, you can mitigate scenarios where your sensitive data is at risk by having sufficient controls in place. The pandemic has challenged every business to evolve their security practices and the emergence of new types of threats ensures that the complexity, ferocity and frequency of attacks shows no signs of slowing down.
We believe the cyber security enables the success of your business by enhancing innovation and productivity in a safe and resilient environment. This is why we recommend you seek the help of an expert managed security service provider or SOC services like Atech, who continually studies the latest cyber attack methods and technologies to keep enterprise systems from harm.
We can analyse your current security posture and offer highly tailored organisational training on vishing attacks and more in the form of 1-2-1 workshops, attack simulations , and practical steps to help ensure the integrity of your data.
So, if you would like to learn more about our advanced cyber protection managed services and how they can help your company, please don’t hesitate to contact us.