Vishing is a common method of social engineering. Think about how many times you've received an offer over the phone that sounded too good to be true. For instance, just last week I listened to a voicemail from a relative insisting that legal action was being taken against the call recipient. The voicemail urged the recipient to take action immediately by calling the phone number back. Just this morning I read a text stating that an interested party wanted to wire money to purchase a car listed for sale locally. Instantly, I knew the person must be using the online sale site as an opportunity to prey on innocent victims. Also, vishing doesn't just happen at home; it happens in the workplace too.
What is Vishing?
To explain, vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Types of Vishing Attacks
Remember the story of the Burger King employee receiving a vishing call urging them to break the store windows so that the store could be ventilated from a gas leak? Think about how smooth the attacker must have been on the phone and how well planned the call was. Because the attacker was so skilled, he or she actually convinced the store employees to follow through with breaking the windows.
In addition, an interesting video comes to mind in which Kevin Roose invited social engineer hacker Jessica Clark to call his phone company and use vishing to gain access to his account. Not only did she gain access, she changed his password and locked him out of his own account. Within 30 seconds, she used a video of a crying baby in the background to sound like a distressed mother who needed assistance. In this case, the phone company's employee was a weak link.
Some vishing attacks offer guaranteed income or employment after paying an upfront fee. Remember, if an offer sounds too good to be true, it probably is. In addition, attackers will offer a prize or free item, but first the call recipient must provide bank account details to pay for shipping. Also, tax season is a prime time for hackers to call and use scare tactics, pushing the need to act immediately to prevent penalties. The voicemail will urge the recipient to call back, and the scammer will then try to retrieve personal information.
Tips to Stay Secure
- Cross-reference any phone numbers from suspicious voicemails with the organization the caller claims to represent.
- Do not take phone calls from unknown numbers.
- Know that banks and government institutions will never ask for personal information over the phone.
- Keep in mind that government institutions almost always communicate by mail.
- Never give personal information out over the phone to someone you do not know.
Where to Report the Vishing Attacks
Federal Trade Commission: 1-877-382-4357
IRS Imposter Scams: 1-800-366-4484
Protect your Employees
Because hackers are very sophisticated, they use a variety of methods to complete their attacks, including vishing, a form of social engineering. Unfortunately, everyone is a potential target for an attack. Even more concerning is that cyber criminals seem to recognize that employees are the easiest way to access private information. Employees must be given the knowledge to make security-conscious decisions when faced with a potential cyber attack. The best way to do that is through a robust security awareness training program.
Learn more about how Techguard Security can build a customized security awareness training program for your organization.