Vishing, or voice-phishing, is a type of phishing attack that takes place via phone calls. Learn more about what vishing attacks are, how they can be prevented and how they fit into the bigger picture of social engineering.
After reading this article you will be able to:
Copy article link
Vishing is the practice of tricking people into sharing sensitive information through telephone calls. Vishing victims are led to believe they are sharing sensitive information with a trusted entity, such as tax authority, their employer, an airline they use, or someone they know in person. Vishing is also known as “voice-phishing”.
Phishing is the overall term for the practice of attempting to steal sensitive information by pretending to be a reputable party. There are different forms of phishing, including email phishing (which is sometimes referred to as ‘phishing’ only), voice phishing or vishing, whaling, and spear phishing.
While vishing attacks are harder to detect or monitor, it is important to understand that attackers often try to gain access to information through different mediums at the same time. Therefore, a significant rise in email-phishing attacks can be taken as a sign that voice-phishing attempts may be taking place, too. Organizations should educate their employees about such incidents, because alert employees are the best shield against these attacks.
Vishing is a form of social engineering. Attackers persuade their victim to do something they would not otherwise do, such as sharing credit card details in an unsolicited phone call. The attacker plays with basic human emotions, such as greed, fear, or the desire to help. Attackers could pretend to be a friend in an emergency and prompt the victim to transfer money. Or they may impersonate a member of an employer’s IT department in order to get username and password for access to the company network.
Vishing attacks can take a variety of forms, but they often involve some of the following tactics:
Individuals can follow a number of practices to protect themselves from phishing. These include:
There are several measures companies can take on cultural and technological levels to protect themselves from vishing attacks.
Education: It is important to educate employees about current vishing trends as well as their general characteristics. This way, employees will be able to spot attacks based on their knowledge of a specific scenario, or to exercise caution if they feel characteristics of vishing attacks are present. It is also helpful if leaders remind their employees about the instances in which they will or will not reach out to them. For instance, a CEO would not call employees to ask them for private information or to make a bank transfer. As obvious as this may seem, it is still good for the CEO to communicate this on a regular basis.
Culture: Organizations should work to make their employees feel comfortable reporting that they have fallen victim to a vishing attack. Ideally they have a process in place for such cases, make sure staff is aware of it, and create an atmosphere of trust in which employees will not fear repercussions for reporting incidents promptly.
Technology: Vishing attacks that take place over phone calls are harder to detect and prevent than phishing attacks in emails. However, certain steps can be taken for damage control and monitoring.
Email security basics
Phishing and spam
Learning Center Navigation