Less of a cyber security threat and closer to a scam, vishing refers to attempts to steal information or money over the phone by convincing the victim. These calls often use personal data acquired through previous cyber attacks to gain their victim’s trust. A 2019 report by Orion Trends determined that 75% of scam callers already had their victim’s personal information before calling them.
The most common type of vishing is impersonating an authority figure such as a government official, client, or coworker. The scammer’s goal is to obtain sensitive information such as a social security number. Still, these calls can become global threats if the victim is convinced to provide something with wider ramifications, such as a computer password.
In rare cases, the scammers will attempt to convince the employee to wire money or pay for a fake invoice to steal the company’s funds. No matter the goal or method used by the scammer, the only way to foil these attacks is by proper user awareness programs.
This article will look at seven common examples of vishing and explain them thoroughly, so your users don’t fall into the trap.
1. Robocall
Through computer software, these attacks feed a prerecorded call to every phone number in a specific area code. The automated voice asks the victim to state their name and other information. The answers are recorded and used to steal money or open fraudulent credit cards.
Thankfully, these calls are becoming so common that most people know them and hang up when they receive them. Another telltale sign of these attacks is international or blocked numbers since the scammers have to regularly cycle numbers to keep authorities off their trail.
2. VoIP
While VoIP is a great technology that has allowed for fantastic business innovations, scammers can easily create fake numbers to carry out attacks. This technique can be combined with a robocall but is often carried out by human callers.
The best way to thwart these calls is by asking for more information to be sent via email, where attacks are easier to detect, or by asking to carry out the rest of the call in person since the attacker won’t be able to do it.
3. Caller ID Spoofing
This kind of attack can be especially pernicious because it uses software to fake a legitimate caller ID. Scammers will usually try to pass for an institution such as a tax agency, police department, or hospital to create urgency and get the victim to surrender information they usually wouldn’t.
These attacks are hard to spot, and the best way to evade them is the same as with VoIP: taking the call to another medium. Certain phones and physical security measures can detect these fake caller IDs and automatically reject them.
4. Dumpster Diving
As the name says, these attacks are carried out using information gathered through a business’ trash. Official company documents often contain enough personal information to carry out a successful vishing attack.
The best way to counter dumpster diving is simple. Every company should shred all sensitive company documents before throwing them out. Whether using an external company or buying shredders for the office, it’s a worthwhile investment considering the potential risks.
5. Tech Support Call
This attack is widespread in large companies where employees might not know or have met members of the tech support department. Scammers will pretend they need to do a computer update or repair and ask for the victim’s password to do it.
Education is key to beating these attacks. Frequently remind users that you will never ask them to divulge their password over the phone and that they shouldn’t do so under any circumstance.
6. Voice Mail Scam
This one is a bit different and involves voicemail notifications. Many smartphones and apps like WhatsApp send emails to their users to notify them of stored voicemails. These emails contain a link to listen to the voicemail. Fraudulent versions of these emails claim to link to a voicemail recording but instead lead the user to a website that downloads malware onto their device.
This scam can be evaded by ensuring users are adequately trained to notice phishing emails. These emails often have spelling mistakes, improperly sized logos, and aren’t sent from official domain names.
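The domain check described above can also be automated at the mail gateway as a backstop for user training. The following is an added example, not part of the original article: it flags voicemail notification emails whose sender or links fall outside an allowlist of official domains. The allowlist, the function names and both sample messages are assumptions constructed for illustration, and the spelling and logo indicators are not covered.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains your real voicemail notifications are sent from.
OFFICIAL_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_official(host):
    """True if host is an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_voicemail_notice(raw):
    """Return the reasons a voicemail notification email looks fraudulent."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(sender_domain):
        findings.append("sender domain not official: " + (sender_domain or "(none)"))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if not is_official(host):
                findings.append("link leaves official domains: " + str(host))
    return findings

# Constructed sample messages (not real traffic).
LEGIT = ("From: Voicemail <notify@voicemail.example.com>\n"
         "Subject: New voicemail\n\n"
         "Listen: https://voicemail.example.com/msg/1\n")
# Lookalike sender and a link that only starts with the official name.
FAKE = ("From: Voicemail <notify@voicemai1-example.test>\n"
        "Subject: New voicemail\n\n"
        "Listen: http://example.com.listen-now.test/play\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("fake", FAKE)):
        print(name, check_voicemail_notice(raw))
```

An empty result does not prove a message is genuine, because the From header itself can be forged; treat the check as one signal alongside user reporting.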
7. Client Call
Often done by finding old invoices via dumpster diving, scammers perpetrating these attacks will pretend to be your company’s client and ask for an invoice to be paid. They’ll rely on a sense of urgency to convince the victim to wire funds to them to steal company money.
This scam is an excellent example of why every company should require two-person approval for any invoice payment or wire. That way, another person not involved in the attack has to review the process and can detect fraudulent attempts.
Education Is Key
Vishing is definitely on the rise. The best way to counter these scams is by making sure your users are aware they exist so they can recognize them. Vishing simulations are just as simple as phishing simulations and should be a core part of your cyber security awareness training campaigns.
The best way to see if your organization is at risk will always be to run some tests and adjust your defenses accordingly.