What Is a Vishing Attack?
Vishing, a voice phishing attack, is the fraudulent use of phone calls and voice messages using social engineering techniques to convince individuals to reveal private information such as bank details and passwords. A vishing attack can also be used against businesses when attackers pretend to be internet service employees to gain access to that business’s passwords and information.
The goal of a vishing attack is to convince the target to provide information the attacker can use for financial gain. This can range from stealing a credit card to stealing an individual’s identity. The goals of vishing when targeting a business are similar — financial gain — but attackers are often more interested in gathering information about the business’s security measures to use in future attacks.
How Does a Vishing Attack Work?
A vishing attack tends to follow these 3 steps:
1. Garner Phone Numbers
Typically, this happens through other phishing methods or by breaching private data stored by businesses where people are likely to have given their phone numbers, such as restaurants or retail stores. Sometimes attackers will use software that dials many numbers in the same area code, hoping someone picks up and thereby confirms that the number is active. When a vishing attack occurs, the caller ID profile is fake, making the call seem to come from a local area code or a trusted organization such as a bank.
2. Garner Trust
Whether pretending to be a credit card company, a delivery business or a utility service, the deception is designed to garner trust. This is often combined with an urgent request such as, “an unauthorized user has used your credit card, confirm your identity now to stop charges.” The goal of these urgent messages is to panic the potential victim into responding without confirming the information.
3. Retrieve Personal Information for Financial Gain
If the vishing attack is successful, the attacker will then use the retrieved personal information for financial gain. This could be using a stolen credit card number for purchases or even filing for a new credit card. With the right information, an attacker can steal your identity or empty your bank accounts. Being able to recognize a vishing attack can help prevent attackers from stealing your money.
How To Recognize Vishing Attacks
To recognize a vishing attack you need to understand the ways attackers will try to deceive you and what their goals are. Knowing things that might make you a target, such as a recent technical issue at a business or suspicious emails, can help you keep up your guard. Vishing attacks are designed to get private information and can target individuals and businesses. Being able to recognize a vishing attack in progress is your best defense.
Signs of a Vishing Attack
- The main warning sign of a vishing attack is the caller asking for your information. Some attackers will already have partial information and use that to convince you to share what they don’t know. Always be wary of a caller asking for bank account information, your social security number or other identifying details.
- Use of psychological tactics like fear, greed, and a sense of urgency. Threats of imminent arrest or urgent problems with your account are designed to make you act before verifying. Keeping calm when these calls happen and hanging up are the main ways to avoid vishing attacks.
- Calling regarding account issues or technical support. Fake messages will often pop up on your computer stating that your device is infected and telling you to call a toll-free number that pretends to be technical support.
5 Types of Vishing Attacks
| Type | Description |
|---|---|
| 1. Wardialing | In a wardialing type of vishing attack, cybercriminals call specific area codes and use an automated message to instill fear in victims. They pretend to be a local bank, business or police station calling to verify that the victim’s accounts have not been compromised, and typically ask for sensitive information such as mailing address, bank account information, and even social security numbers. |
| 2. VoIP | VoIP calls are one of the hardest vishing techniques to identify because cybercriminals hide behind a fake number. These numbers are typically 1-800 numbers or fake numbers with the local area code. |
| 3. Dumpster Diving | Dumpster diving is a technique not many think is still used, but it is exactly what it sounds like. Criminals search dumpsters behind banks or other important organizations to gather enough information to conduct a targeted attack on a victim. The information they can gather includes account types, phone numbers, or email addresses, which they then use in the social engineering portion of the attack. |
| 4. Caller ID Spoofing | This type of vishing attack is similar to VoIP, with the difference that the caller ID, instead of showing a number, shows a name such as “IRS” or “Police Department”. |
| 5. Technical Support | Scammers will pretend to be someone from customer support at big companies like Apple, Microsoft, or Bank of America. It is important to remember that banks will never ask you for personal information such as social security numbers over the phone. |
Avoiding and Preventing Vishing Attacks
The most important action to take to avoid vishing attacks is to keep your cool, and not divulge private information. This strategy works well against vishing scammers because it stops their attack in its tracks. For a business, there are additional steps you can take to make sure employees take the right actions to protect the business. Preventing a vishing attack can be as simple as hanging up the phone, but there are additional measures to help avoid them.
4 Tips to Avoid Vishing Attacks
- Keep Information Quiet: Don’t divulge login information or passwords, and never share passport or driver’s license information. This will keep your accounts and identity safer.
- Join the National Do Not Call Registry: This is a free service that removes your phone number from unsolicited phone call lists. While vishing attackers don’t follow this list, unknown callers are less likely to be legitimate, since upstanding organizations should not be calling.
- Verify Unknown Numbers: Use mobile applications to verify any unknown number that calls you.
- Let Unknown Calls Go to Voicemail: Alternatively, you could let unknown calls go to voicemail, then call the party back directly. If it looks like your bank is calling but you are suspicious, call the bank directly and see if it contacted you. Being careful might cost you some extra time, but that cost is better than giving away valuable personal information.
How Businesses Can Prevent Vishing Attacks
The best business tactic to prevent vishing is to practice good cybersecurity. This can start with security awareness training for new employees so they understand the danger vishing attackers can present to a business. Make sure employees know not to give access to their computer except to verified technicians.
By reporting suspected incidents and hanging up when you receive a possible vishing call, you can prevent vishing attacks from succeeding. Successful vishing attacks against businesses can lead to further security risks, so prevention is key. However, if you have already experienced a vishing attack, there are still ways to recover.
How to Recover From a Vishing Attack
The process of recovering from a vishing attack differs depending on when you realize it’s a scam. During an attack or in the immediate aftermath are the best times to react, but recovery is still possible after harm has been done. Reporting the crime is always a good place to start.
Steps to Take While a Vishing Attack Is in Progress
If you are on a phone call and you realize it’s a vishing attack, hang up! Vishing scammers can’t gain access to your computer or personal information if you don’t give it to them. You can always report the number after hanging up and should especially do so if the target was business information.
Steps to Take for Victims of Vishing
For those who have already given their information away due to a social engineering attack such as vishing, there are still steps you can take. The first steps are to change all your passwords, call your financial institution, and report the crime. The Federal Trade Commission wants reports about vishing. Whatever sites and services hold the information you gave away need priority attention.
Some accounts use multifactor authentication, and others let you know when a new device accesses your account. Check on these safety measures to make sure they’re still functioning. You should also contact any service providers who have your compromised information, such as credit card companies and banks. Taking these steps should minimize the future harm done by vishing attacks.