Vishing is a common method of social engineering. Think about how many times you've received an offer over the phone that sounded too good to be true. For instance, just last week I listened to a voicemail from a relative insisting that legal action was being taken against the call recipient. The voicemail urged the recipient to take action immediately by calling the phone number back. Just this morning I read a text stating that an interested party wanted to wire money to purchase a car listed for sale locally. Instantly, I knew the person must be using the online sale site as an opportunity to prey on innocent victims. Also, vishing doesn't just happen at home, it happens in the workplace.
What is Vishing?
To explain, vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Types of Vishing Attacks
Remember the story of the Burger King employee receiving a vishing call urging them to break the store windows so that the store could be ventilated from a gas leak? Think about how smooth the attacker must be on the phone and how well planned the call was. Due to the attacker's high skills, he/she actually convinced the store employees to follow through with breaking the windows.
In addition, there's an interesting video that comes to mind when Kevin Roose invited social engineer hacker Jessica Clark to call his phone company and use vishing to gain access to his account. Not only did she gain access, she changed his password and locked him out of his own account. Within 30 seconds, she used a video of a crying baby in the background to sound like a distressed mother who needed assistance. In this case, the phone company's employee was a weak link.
Some vishing attacks offer guaranteed income or employment after paying an upfront fee. Remember if an offer sounds too good to be true, it probably is. In addition, attackers will offer a prize or free item but first the call recipient must provide bank account details to pay for shipping. Also, tax season is a prime time for hackers to call and use scare tactics pushing the need to act immediately to prevent penalties. The voice mail will urge them to call back and the scammer will try to retrieve personal information.
Tips to Stay Secure
- Cross reference any phone numbers from suspicious voicemails with the organization the caller is claiming to be with.
- Do not take phone calls from unknown numbers.
- Know that banks and government institutions will never ask for personal information over the phone.
- Keep in mind that government institutions almost always communicate by mail.
- Never give personal information out over the phone to someone you do not know.
Where to Report the Vishing Attacks
Federal Trade Commission: 1-877-382-4357
IRS Imposter Scams: 1-800-366-4484
Protect your Employees
Because hackers are very sophisticated, they use a variety of methods to complete their attack including vishing, one form of social engineering. Unfortunately, everyone is a potential target for an attack. Even more concerning is that cyber-criminals seem to recognize that employees are the easiest way to access private information. Allow TechGuard to provide your company with a free social engineering consultation to meet your needs. TechGuard offers several corporate services to help with social engineering as well as our S.H.I.E.L.D. Cybersecurity Awareness Trainings.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill-set and her relationship building skills strengthens her ability to understand the human element role in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.