By: Evan Morris
June 23, 2022
How Can Cyber Experts Help You Prevent Vishing Attacks?
Social engineering attacks are becoming more sophisticated, and the number of phishing attempts in particular grows each year. In 2021, 69% of companies reported that they had been targets of a vishing scam — a ten percent increase compared to the year 2020. Even worse, according to Phishlabs, over the course of 2021 reported vishing attacks more than quintupled, reaching a record high of 554% in volume.
Especially with the influx of remote work and growing shift to cloud workspaces since 2020, companies have digitized a lot of their services. They make their clients’ lives easier by enabling access to services, either online or via a phone call. This is why we are talking to more automated support systems these days when we renew prescriptions and call to request customer service.
While these digital conveniences have cut the time that clients have to wait in a queue to access the services they need, they have also created new opportunities for scammers.
One type of social engineering, known as vishing, has been on the rise because of this shift. Criminals have been using it to exploit unsuspecting victims and gather their sensitive information.
What is a vishing attack exactly, and how can you help companies and individuals to protect themselves from this type of scam?
What is Vishing?
The research that examined employees’ familiarity with vishing revealed that more people know about this type of scam now than ever. When asked in 2021, 63% of employees knew what vishing was. The year before, 53% of employees recognized it.
Therefore, to prevent vishing, it’s important for people to know what it is because this might help them to recognize the scam.
So, what is vishing, exactly?
Vishing is a social engineering attack where criminals impersonate authorities over the phone. For example, they might imitate a bank employee, a medical worker, or someone from an IT team.
Similar to email-based phishing scams, vishing attacks leverage the age-old art of persuasion to "fish" for a targeted individual's sensitive information. Adversaries then use that information for more sinister objectives: to fraudulently obtain a victim's money or steal their identity.
Although vishing is a voice scam that relies on a phone call, the first step in this attack may not be to call the victim directly but to send multiple SMS messages, usually requesting urgent action. This attack, on its own, is known as “smishing”, a combination of “phishing” and “SMS”. Once the victim reads the message, they’re expected to call the criminal’s number to solve the issue.
Such messages often lead to automated voice messages or interactive voice response systems (known as IVRs) that resemble the robotic calls widely used in customer service. Scammers seek to establish trust with potential targets by mimicking these familiar, trusted voice messages.
The victim has to follow the instructions described in the voice message. The steps they’re required to take could redirect them to “customer service,” behind which is a scammer, or to a website that gathers data from the user.
Common Signs That Point to Vishing
Not all vishing attacks are the same: some are easily recognizable and others are more refined.
Some dead giveaways of a vishing attack are:
- The overwhelming sense of hurry and urgency — scammers want money transfers or personal data right away, before you even have a chance to check if they are legit or second guess their demands
- Strange requests such as money transfers — most vishing attempts are financially motivated
- Demands your bank would never make — such as to give away your credit card PIN or make a wire transfer
Many vishing attacks utilize scripts that are easy to recognize. However, attackers that are a bit savvier might know more about their victims. They might use the information they research about victims to gain trust, or even use the data they have on their family, work colleagues, partners, or friends. This targeted type of attack is known as spearphishing in email form.
They create distress and evoke strong emotions of fear. It’s common for scammers to convince victims that they’re in danger and pressure them to react urgently to avoid losing money.
They might also spoof their caller ID to show the name of a bank or the IRS.
To prepare individuals or companies for a possible scam, cover the essentials in basic training about vishing. Familiarize them with the most common signs of vishing and explain steps they can take if they do receive or answer a vishing call.
Employee training regarding scams such as phishing and vishing will keep employees aware and alert. If they’re familiar with the scam, they’ll recognize similar social engineering attempts and know what to do in case of a scam.
Remind them not to answer calls associated with a specific phone number prefix known to be that of a scammer. Phone calls from foreign countries or even unknown telephone numbers can conceal a scammer on the other end of the phone.
In case they do answer the phone, remind them that they can’t be hacked just by answering the phone call itself. Reassure them that they’ll be fine as long as they don’t hand over their personal information or transfer money.
Give Instructions on What to Do if They’re a Victim of a Vishing Attack
Victims might realize they’re being scammed after they pick up the phone. In a panic, if they believe their finances might be in jeopardy, people might hand over their sensitive information.
What should they do if they get a phone call from a scammer and pick up the phone? Is it the best choice to hang up or stay on the line?
The best thing they can do is to hang up as soon as possible. After that, it’s important to submit the phone number to a site that lists known numbers of such scammers or to report the crime.
Also, to avoid unwanted calls in the future, they can register their number on the National Do Not Call Registry, which blocks telemarketing calls.
Teaching potential victims to be alert and to know what to do during a potential scam goes a long way toward keeping them safe, because they’ll have a good idea of what to expect and avoid being roped in.
If they’re ready for a vishing attempt, panic is less likely to take over once they get that dreaded phone call — even if the scammer claims to be a bank representative or one of their company managers.