Vishing, or voice phishing, is a type of cyber-attack that utilizes telephone devices in order to deceive targets and convince them to reveal sensitive information or data, such as bank account details.
How does vishing differ from traditional phishing?
While traditional phishing relies on email messages being sent to a large number of targets, vishing attempts are exclusive to voice and telephone technology.
Threat actors will typically utilize social engineering tactics to convince targets that they can be trusted, for example by masquerading as a family member, the target's bank, or a government entity. One method frequently used by vishing actors is to intimidate their victims, convincing them that they may face monetary fines or jail time if they do not provide sensitive information.
How does vishing work and how do vishing attackers gather information about their targets?
Vishing attacks typically begin with the threat actor conducting research on their target(s) to learn personal details that could be leveraged in social engineering. Actors will often begin by sending emails that attempt to induce targets to respond with their phone numbers. They will then call the target and play on human instincts such as fear and greed, or even use voice-altering software to masquerade as a friend or family member, in order to convince them to divulge sensitive information. If successful, threat actors can gain unauthorized access to bank accounts and carry out fraudulent transfers.
Types of vishing
Just like regular phishing, there are several different types of vishing attack.
One form is the use of software to automatically call a large number of phone numbers within a specific area code. Threat actors often leave automated messages or voicemails requesting sensitive information, such as bank details or social security numbers.
Voice over IP (VoIP)
VoIP is another type of vishing attack in which a threat actor creates a fake phone number in order to imitate a trusted entity or person, such as a government representative or family member, and tries to manipulate the target into revealing sensitive details or making a fraudulent payment.
Caller ID Spoofing
Caller ID spoofing refers to a threat actor attempting to present their caller ID as a known or legitimate caller in order to achieve their nefarious goals.
Dumpster diving refers to threat actors literally searching through dumpsters behind banks and offices to find phone numbers and enough personal information to deliver a targeted spear-vishing attack against specific individuals.
How to recognize and prevent vishing?
Vishing attacks often utilize social engineering techniques that appeal to the human instincts of their targets, such as fear and greed or a desire to help out a family member in need. If their initial attempts are unsuccessful, vishing actors often resort to forceful language and intimidation to pressure their victims into divulging information or making monetary transfers.
How can individuals protect themselves from vishing attacks?
Remember that legitimate entities and organizations will never ask for personal information over the phone. Be wary of calls from unknown numbers and do not answer any questions about personal information over the phone. Be alert to language that attempts to take advantage of human behavior like fear, greed and trust – this can be indicative of a social engineering attempt.
What are the challenges and mitigation strategies organizations have with vishing attacks?
Threat actors often target employees within organizations to obtain sensitive corporate data, from company banking details to corporate credentials that could be used to gain unauthorized access to an organization's network. Organizations should hold regular training sessions for their employees on general cyber hygiene, including vishing attacks and the tactics that threat actors could use. Additionally, a reporting system should be in place so that employees can report a suspected vishing attack to their internal security team.