What Is A Vishing Attack? (And How To Protect Against It)

Social engineering is the number one method used by threat actors to collect sensitive data or gain access to systems and networks. According to some security professionals, voice phishing (vishing) has a success rate of 37%, which rises to 75% when combined with email phishing.

Further, a recent spear vishing attack (a targeted attack) against Twitter highlights the growing concern. Threat actors gained access by manipulating a Twitter employee into providing access to internal tools. With this access, the threat actor was able to control thousands of prominent accounts, including those of Bill Gates, Joe Biden, and Beyonce.

In this article, I’m going to explain what vishing attacks are, the common types of scams used by threat actors, how you can identify a vishing attack, and steps your business can take to prevent an attack.

What Is Vishing?

Vishing is a social engineering attack that attempts to trick victims into giving up sensitive information over the phone. In most cases, the attacker strategically manipulates human emotions, such as fear, sympathy, and greed in order to accomplish their goals.

This form of attack has been around since the early 2000s, but it has become increasingly prevalent, in part due to the upward trend in the number of people working remotely today.

Vishing sounds like phishing, another social engineering attack that is common in corporate environments, and the name is in fact a combination of the two words voice and phishing.

So what’s the difference between vishing and phishing?

What’s The Difference Between Vishing And Phishing?

The primary difference between vishing and phishing is the method of attack. In reported cases today, a phishing attack is initiated by a targeted email to a specific person in a corporate environment.

Phishing

In the phishing example below, the external email source and subject are crafted to appear legitimate. The recipient of this email may receive hundreds of emails a day from business partners and co-workers on various subjects.

(Image: phishing email example – Vishing and Phishing – What’s the Difference)

Because the COVID-19 pandemic is a main topic of conversation today, an email subject containing the words ‘COVID-19’ appears to be normal and relevant information for the business.

Therein lies the danger: the attacker embeds a malicious web link in the body of the email and invites the recipient to click on it, as noted in the example. The unsuspecting employee does not notice that the sender’s email address is different from the company’s email address.

Vishing

Vishing, on the other hand, uses a different attack method. Instead of an email, the attacker carries out the attack via a phone call – landline or mobile.

In this form of attack, the cybercriminals primarily utilize VoIP (Voice over Internet Protocol) technology to create spoofed phone numbers and phony caller IDs to misrepresent their identity.

Both phishing and vishing attacks are highly effective; however, vishing appears to be the preferred method of attack today.

Let’s put this in perspective to better understand the attack surface for vishing and why it is so effective today.

According to a current global data report, there are 5.15 billion unique mobile phone users in the world. Global VoIP statistics project upward trends in this technology over the next few years as well.

The demand for instant collaboration, coupled with the accessibility of mobile phones domestically and globally, has created a prime target for cybercriminals to carry out malicious activity.

Cybercriminals use this vast attack surface by manipulating VoIP technology to carry out real-time or recorded conversations over the phone – billions of possible targets, as opposed to waiting for someone to click on an embedded malicious link in a typical email phishing attack.

Why Are Vishing Attacks Performed?

According to recent reports, the primary motivation behind vishing attacks is to obtain sensitive financial data from an organization or personal data from the person taking the call.

The NSA reported recently, in a COVID-19 article, that a foreign country was allegedly attempting to gather COVID-19 vaccination formulas. The foreign country denied the accusation; however, it is noteworthy that cyber-attacks usually originate outside the borders of a country.

The NPR article did not specifically state whether the attack was phishing or vishing, but the motivation would have been to compromise sensitive documents or data for financial gain.

What Are The Most Common Vishing Scams?

Scammers today are master opportunists. As noted in the vishing attack examples, thieves want something of value that you have, e.g. your banking information, credit cards or social security numbers.

If they are unable to entice their victims with something tangible, they will prey on your emotions by focusing on a current world event or natural disaster. At this point in history, the COVID-19 pandemic, fires, storms, and social unrest are the major topics and are used by attackers to carry out vishing schemes.

A popular security magazine recently published information regarding the COVID-19 pandemic and vishing attacks. They reported that from January 2020 until mid-April the FTC received 18,235 reports related to COVID-19, and people reported losing $13.44 million to fraud.

Another common vishing scheme happens once a year around tax filing time.

You guessed it, IRS phone or vishing scams.

IRS vishing scams are usually aggressive in nature and prey on unsuspecting taxpayers’ fear that they are in tax payment trouble and need to rectify the situation immediately with the caller.

As noted at the outset of this article, attackers are taking advantage of remote teleworkers.

Since many workers are not within the physical workplace environment, remote employees are susceptible to phony callers disguising themselves as technical support looking to help you fix a problem that doesn’t exist.

In the state of Georgia, a vishing attack involving law enforcement made the local news. The spokesman for law enforcement revealed this information to the public:

(Image: common types of phishing scams)

This case sounds eerily similar to an incident a colleague revealed at their business. A corporate user received a phone call from someone claiming to be from IT support.

The user provided the caller access to her PC. The fake support person remoted into the PC and downloaded malware.

The user quickly came to her senses after noticing strange applications installed on the machine. The call was ended and the employer immediately called their real corporate tech support to inform them of the activity.

In the news article and in this case, the attacker used the phone to perform their nefarious activity under the guise of a technical support representative.

How To Identify A Vishing Attack

Recently, I received an urgent recorded call from someone claiming to be from a government entity.

The recording stated that law enforcement was notifying me that my Social Security number had been stolen. The message paused briefly and placed me on hold, with an option to continue the support call.

This call was ended during the pause.

Last year, a support person claiming to be from a well-known cable provider called to offer me free services. All I needed to do was purchase a gift card and give them the card number in order to receive free services for 6 months.

I was caught off guard for a moment because I did use the cable service, and it did sound like the call was from a real support center since they knew my name.

I thought for a minute: why would my cable provider ask me to purchase a gift card? Well, because they would never do this.

I was almost a victim of a prepaid card scam, which is a known vishing attack.

In order to avoid becoming a vishing attack victim, understand the characteristics of the attacker and their behavior.

Be leery of threatening callers from local numbers that call repeatedly during the day, or of robotic voice calls that leave unsolicited messages.
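The red flags above lend themselves to a simple screening rule. As an added example (not code from the article or from PurpleSec), the Python script below applies them to a constructed call log: it flags unknown numbers that call repeatedly in one day, unknown numbers that share your own area code and exchange (the "local number" pattern), and calls that left a recorded message. The record layout, the three-call threshold, the field names and the sample numbers are assumptions made for this example.

```python
"""Call-log triage for vishing red flags (added example, not from the article).

Each call record is a dict with 'time' (ISO 8601 string), 'number' (str) and
'recorded_message' (bool: a recorded, unsolicited message was left). This layout
is an assumption for the example; real carrier exports and phone apps differ.
"""
from collections import defaultdict
from datetime import datetime
import re


def normalize_number(raw: str) -> str:
    """Reduce a phone number to its 10 national digits (drops +1 and punctuation)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def looks_local(number: str, owner_number: str) -> bool:
    """True when the caller shares area code and exchange (first 6 digits) with you,
    the 'local number' pattern the article warns about."""
    return number[:6] == owner_number[:6]


def triage(calls, owner_number, contacts, repeat_threshold=3):
    """Return {number: [reasons]} for unknown callers that match a red flag.

    repeat_threshold (assumed value 3) is the number of calls from one number in
    one calendar day that counts as 'calling repeatedly during the day'.
    """
    owner = normalize_number(owner_number)
    known = {normalize_number(c) for c in contacts}
    per_day = defaultdict(int)   # (number, date) -> number of calls that day
    reasons = defaultdict(set)   # number -> set of red-flag labels

    for call in calls:
        number = normalize_number(call["number"])
        if number in known:
            continue  # saved contacts are not screened
        day = datetime.fromisoformat(call["time"]).date()
        per_day[(number, day)] += 1
        if per_day[(number, day)] >= repeat_threshold:
            reasons[number].add("repeat-calls-same-day")
        if looks_local(number, owner):
            reasons[number].add("unknown-local-lookalike")
        if call.get("recorded_message"):
            reasons[number].add("recorded-unsolicited-message")
    return {n: sorted(r) for n, r in reasons.items()}


# Constructed sample data (fictional 555 numbers), not taken from any real log.
OWNER_NUMBER = "+1 (555) 010-4321"
CONTACTS = ["555-010-9999"]
SAMPLE_CALLS = [
    {"time": "2020-09-14T09:02:00", "number": "+15550104477", "recorded_message": False},
    {"time": "2020-09-14T09:40:00", "number": "555-010-4477", "recorded_message": False},
    {"time": "2020-09-14T13:15:00", "number": "(555) 010-4477", "recorded_message": False},
    {"time": "2020-09-14T11:00:00", "number": "800-555-0199", "recorded_message": True},
    {"time": "2020-09-14T12:00:00", "number": "555-010-9999", "recorded_message": False},
    {"time": "2020-09-15T08:00:00", "number": "555-020-1234", "recorded_message": False},
]

if __name__ == "__main__":
    for number, flags in triage(SAMPLE_CALLS, OWNER_NUMBER, CONTACTS).items():
        print(number, ", ".join(flags))
```

On the sample data the local lookalike 555-010-4477 is flagged for both calling three times in one day and matching your own prefix, the 800 number is flagged for its recorded message, and the saved contact and the single unknown non-local caller are not flagged. A flag is a reason to let the call go to voicemail and to verify the caller through a number you already hold, not proof of fraud.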


What Steps Can You Take To Prevent A Vishing Attack?

If the identity of the person on the other end of the phone call sounds mysterious and they have an offer too good to be true, proverbial red flags should start waving in your mind immediately.

Attackers also use auto dialers to randomly call their potential victims. One sign of an auto dialer is a two-second delay before a live person speaks. When the person comes on the phone, they usually try to sell or offer you something in exchange for surrendering something personal about yourself or your company.

If you own a mobile phone, check with your provider to determine whether they offer call blocking for unsolicited phone calls. If you own a landline, caller blocking is offered by most of the well-known carriers.

Another option to block unsolicited calls is to purchase a device known as a call blocker, or to register your phone numbers with the National Do Not Call Registry.

In summary, below are a few steps that you can implement to prevent yourself from becoming victimized by a vishing attack:

  • Use mobile apps to block callers
  • Don’t pick up the phone
  • Hang up immediately if the caller sounds suspicious
  • Verify the caller’s identity – obtain their name and organization web address
  • Establish strict security policies for wiring money or updating payment information
    • E.g. require offline confirmation before sending money requests
  • Conduct regular vishing exercises
  • Follow up with security awareness training for staff
  • Enroll in an identity theft protection service

How Do You Recover From A Vishing Attack?

Recovering from a vishing attack depends on the nature of the attack and what was compromised. If you are a remote teleworker who logs into a corporate environment from a company-issued device, notify your security department immediately of the activity.

They will request a detailed summary of the interaction between you and the attacker and advise on what to do next.

In most corporate environments, there may be a dedicated incident response team who will provide guidance on the next step in the process, particularly if sensitive corporate data is involved.

If the attack occurred on your personal computer, ensure your anti-virus is up to date and change your password. If you mistakenly gave the attacker your financial information, contact the institution for guidance on how to protect your data.

If you suspect your credit information has been compromised, immediately contact the credit bureaus to freeze your credit or request their guidance on recovery steps.

Conclusion

Vishing attacks, like phishing attacks, will continue as long as the opportunity for compromise is available and financial gain is the motivation for the cybercriminal.

The best defense against a criminal seeking to exploit sensitive information that belongs to you or your company is to understand the attacker and their method of attack. This article has provided details and statistics on the tactics used by cybercriminals. Their main ploy is the development of schemes that exploit basic human tendencies and emotions for financial gain.

Remain vigilant in protecting your personal information and that of your employer. By following the simple precautionary steps and recommendations outlined in this article, you will be in a position to recognize a vishing attack and avoid becoming its next victim.

Michael Swanagan, CISSP, CISA, CISM

Michael is an Information Security Professional with 13 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industry.
