Skip to main content
Vishing

Have You Ever Received One of Those Calls?

By February 20, 2019No Comments

Have You Ever Received One of Those Calls?What Is Vishing?

We define vishing as the “practice of eliciting information or attempting to influence action via the telephone.” Similar to phishing, the goal of vishing calls is to obtain valuable information that could contribute to the direct compromise of an organization by exploiting people’s willingness to help, fear, or curiosity. You may recognize these as calls from “tech support” or the “IRS” and even “your credit card company” asking you to confirm or correct information. You may have even heard “hackers in your area trying to hack your computer right now.” Have you ever received one of those calls? 

Who Uses Vishing

The motivations of many real-world vishing attacks are typically related to either financial gain or identity theft. That’s not to say those are the only motivations, but many reported attacks fall into those categories. The “tech support” scam mentioned above is out to either compromise your computer directly or fix a non-existent problem then charge you a fee for the “work.Another example is just to capture your login details while they help you check for a problem, no malware needed for that. In fact, they use very legitimate remote access software that may be whitelisted from antivirus products. 

Due to the ease at which phone numbers can be spoofed, or forged, makes it difficult to track down the actual origin of these attacks. This gives the attackers a sense of protection that, even if it doesn’t go as planned, they will not suffer any consequences for trying. 

With phishing, email accounts can be terminated by providers and possibly traced back the users logging in, but a spoofed phone calls leave very little to look at from a defensive or enforcement standpoint. 

Is Vishing a Viable Attack Method

Based on the sheer number of news stories about phone scams, it would seem like vishing is working for the attackers. It is a low-cost attack and even if one or two targets out of 100 fall victims, it pays for itself. So short answer, absolutely it is a viable attack that is put to use every day.  

Now if we just look at raw data, we can see a number of trends where businesses are at risk from this attack vector. SECOM’s own Chris and Cat made a great presentation at DerbyCon 8.0 that described the most successful attacks we have seen in three years’ worth of data we collected while helping our clients. 

Notable is the Open Enrollment theme of attack which, according to their data, has a 100% compromise rate, followed closely by the IT Update (80%) and HR Portal (72%) themes. These are pretexts we used against our clients to show them how we can elicit valuable data from users via vishing calls.  

They also showed that female callers are much more likely than male callers to compromise targets of either gender (63% to 48% respectively). 

Is All Vishing the Same?

While it may seem like an easy question to answer, there are a remarkable number of reports of vishing attacks that sound very similar. There is a lot of intimidation and urgency employed by attackers where the storyline they are playing out can be repeated via a script. Whether it is tax liens that don’t exist or debts that the targets didn’t know about until that call, fear is a major playing card used in their attacks. It is so structured that some attackers don’t even use people to perform the attacks and instead use robots to effectively do their dirty work. 

Here at SECOM, we employ only real, actual, human beings to do our testing for clients. While a robocall solution may save security budget money, think about how many times you willingly talk to unsolicited calls from robots, especially when they may be asking for sensitive information, compared to speaking to an actual human who may be able to further explain ‘why’ they are calling. You can see examples of, or make your own, real-world, live human, vishing calls at the annual SECTF at DEFCON conference in Las Vegas. 

What Can You Do About Vishing Attacks?

From a business perspective, it really comes down to some very common themes in defense: Train your employees on the dangers of the attack vectors. We would not recommend just computer-based training (CBT) for this training either, but interactive, engaging, targeted training to employees in all facets of your business. Then, you need to test that training. Again, we would not recommend just CBTs for testing, but actual live testing, by having your employees receive calls from trained professionals able to test your users in the moment, just like an attacker would.  

In addition, have clear policies and procedures in place and available to all employees on how to handle these types of calls that put them to the test. The users need to have direction or else their emotional brain is going to take over and will likely result in compromise. Only with a plan that is well communicated can they critically think at that moment and know what they are supposed to do, regardless of what the caller is asking or telling them to do. 

So, have you ever received one of those calls? What did you do in the moment? Hopefully, now that you are aware, you will see the ruse and hang up without giving any useful information to the attacker, robot or human. 

Sources:
https://www.social-engineer.org/framework/attack-vectors/vishing/
https:/www.northernstar.com.au/news/20k-stolen-in-phone-scam/3624610/
https://www.smh.com.au/business/small-business/scam-losses-hit-2-8-million-as-police-tax-board-impersonated-20190110-p50qk9.html
https://www.irongeek.com/i.php?page=videos/derbycon8/track-1-00-irs-hr-microsoft-and-your-grandma-what-they-all-have-in-common-christopher-hadnagy-cat-murdock
https://www.fresnobee.com/news/business/article223835995.html
https://www.social-engineer.org/sevillage-def-con/the-sectf/
http://www.www.social-engineer.com/vishing-service/
Image: https://www.pbscompany.com/beware-of-vishing-attacks/ 

Tags:

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now