Companies are becoming more aware of potential cybersecurity threats and taking measures to protect their critical assets and increase security. However, one aspect of cyberattacks that often goes unforeseen (until it’s too late) is vishing, and vishing attacks are on the rise.
The U.S. Federal Bureau of Investigation warned of a wave of vishing attacks amid the COVID-19 pandemic. Vishing, also known as “voice phishing,” is a form of cybercrime. It uses social engineering techniques over the phone to elicit and obtain information that could be personal or confidential. Vishing sounds like it would be easy to detect. However, most cybercriminals do ample research before carrying out an attack, making their pretexts or stories seem very believable.
This was the case with a recent vishing attack involving AT&T. A man and woman accused of stealing hundreds of thousands of dollars from AT&T customers first called AT&T posing as employees. It is very likely that this is how they were able to obtain valid AT&T employee IDs. Investigators say the suspects “called AT&T customer service posing as the customer to have their service changed to a new cell phone provider. That allowed the pair to change passwords, opening the door to financial information and eventually moving money into the suspects’ accounts. More than 70 customers were victims, losing a total of half a million dollars.” This was not a simple attack, but a complex operation involving different levels of deceit and manipulation.
What Does Vishing Involve?
Vishing is a form of social engineering that cyber criminals use to persuade an individual to give up their account credentials or personal or corporate information, or to navigate to malicious sites and install software during a phone call. Criminals will often “spoof,” or disguise, the phone number they are calling from so that the call appears to come from a legitimate number. Prior to executing a vishing attack, a cybercriminal may do extensive research to collect information about individually targeted employees as well as the company. This can easily be done by searching through public profiles on social media platforms, recruiter tools, and open-source research.
Once a cyber criminal has collected enough information on their target company or individuals, they can then craft a pretext or a story that sounds coherent to the target. Along with a credible story, an attacker will use triggering emotions such as fear, greed, helpfulness, curiosity, and urgency to manipulate their victim into giving out the information they seek.
Vishing Attacks Are on the Rise — Who’s at Risk?
Everyone from senior citizens to high-powered executives and corporations is at risk of falling victim to a vishing attack. It’s not a matter of not being intelligent enough to detect these types of attacks, it’s a matter of being human. Vishing attacks are specifically crafted to use human emotions to suspend critical thinking. Thankfully, there are steps you can take as an individual and as a corporation to mitigate these attacks.
Becoming well informed on how these types of attacks are performed is the first step toward protecting yourself and/or your company. The following are some ways to detect and respond to a potential vishing call:
- When receiving an unexpected call ask for the caller’s name and verify their identity before disclosing any information.
- Discontinue the call if the caller asks something of you that seems unusual.
- Be suspicious if the caller makes an offer that sounds “too good to be true”; it probably is.
- Be suspicious if someone calls acting as a government agency asking for money or information. Government agencies never call you unexpectedly demanding — or offering — money.
- Be aware of “fake emergencies” where a caller claims to be a family member who is in a bad situation and needs to be wired money. Set up a password with your loved ones to verify their identity in case of an emergency.
- Do not trust a caller ID, as phone numbers can be easily faked.
Protect Your Business
If you are a business owner and you want to protect your corporation from a vishing attack, testing and training your employees is essential to your success. Your employees can potentially be your first line of defense against a vishing attack if they are trained properly. A criminal is not likely to call the CEO of a company in a vishing attack; however, they will often call employees. An attacker may call a company employee posing as a client or a fellow employee who needs help. Using social engineering techniques, an attacker may be able to obtain sensitive information such as employee IDs, emails, dates of birth, and other pieces of data that can be used to further attacks or reset passwords on publicly facing company portals. This information can result in data breaches and lost assets, not to mention a damaged reputation.
Taking proactive steps now can help protect your organization. Including vishing as part of your security awareness programs will help discover vulnerabilities in staff behavior. It will also educate and equip employees on the nature of these types of attacks. At Social-Engineer, we provide professional corporate services and training to organizations as well as individuals. We focus on the tactics malicious attackers use to influence people via phishing, vishing, and impersonation. Our services build practical and measurable defenses that will strengthen your organization against social engineering attacks. For more information about our fully managed services, which include human-based vishing testing (SEVS) and training, visit our website www.social-engineer.com.
Sources
https://www.zdnet.com/article/fbi-and-cisa-warn-of-major-wave-of-vishing-attacks-targeting-teleworkers/
https://www.wmcactionnews5.com/2021/04/13/bond-set-m-couple-center-elaborate-att-fraud-scheme/
https://www.social-engineer.org/social-engineering/emotions-used-in-human-hacking/