What is a vishing attack?
Vishing is the practice of tricking people into sharing sensitive information over telephone calls. Vishing victims are led to believe they are sharing sensitive information with a trusted entity, such as a tax authority, their employer, an airline they use, or someone they know in person. Vishing is also known as “voice phishing”.
Phishing is the overall term for the practice of attempting to steal sensitive information by pretending to be a reputable party. There are different forms of phishing, including email phishing (which is sometimes referred to simply as ‘phishing’), voice phishing or vishing, whaling, and spear phishing.
While vishing attacks are harder to detect or monitor, it is important to understand that attackers often try to gain access to information through different mediums at the same time. Therefore, a significant rise in email-phishing attacks can be taken as a sign that voice-phishing attempts may be taking place, too. Organizations should educate their employees about such incidents, because alert employees are the best shield against these attacks.
How are vishing and social engineering related?
Vishing is a form of social engineering. Attackers persuade their victim to do something they would not otherwise do, such as sharing credit card details in an unsolicited phone call. The attacker plays on basic human emotions, such as greed, fear, or the desire to help. Attackers could pretend to be a friend in an emergency and prompt the victim to transfer money. Or they may impersonate a member of an employer’s IT department in order to obtain a username and password for access to the company network.
How do vishing attacks work?
Vishing attacks can take a variety of forms, but they often involve some of the following tactics:
- An element of surprise: The caller may claim to be part of an organization that would not usually call, like tax authorities, an enterprise, or the national lottery. They could also claim to be someone familiar to the victim, who is calling in unusual circumstances.
- A sense of urgency and fear: The caller may imply or threaten negative consequences if a certain action is not taken quickly. These consequences could include a penalty — such as fear of arrest if a tax debt is not settled immediately — or missing out on an opportunity — such as not gaining access to a lottery win unless personal information is shared immediately.
- An ask for information: The caller will ask for personal or sensitive information, such as a full name, address, birth date, passport number, or credit card details. The attacker might possess some of the information already and seek to complete or verify it.
- An element of timeliness: Vishing attacks are often connected to current events. For example, at the beginning of the Covid-19 pandemic, attackers called employees who had just started working from home and claimed to be members of their IT department. They asked for usernames and passwords in order to be able to grant access to corporate applications and data. These attacks happened internationally, and involved a variety of organizations. Government agencies and NGOs were targeted, along with manufacturing companies, software developers, and airlines.
How not to become a victim of vishing
Individuals can follow a number of practices to protect themselves from phishing. These include:
- Being wary of anyone asking for money or sensitive information over the phone, whether personal information or information about an organization the recipient is a part of: Most authorities would not ask for such information over the phone.
- Being aware of the technical possibilities of establishing a false identity in phone calls: It is not hard to fake a telephone number or to present a number from a specific region using VoIP technology. For that reason, one should not trust incoming calls based on caller ID or a familiar-looking regional number.
- Being skeptical of urgency: It is wise not to trust anyone who seems to create a sense of urgency or encourages immediate action. Instead, stay calm and consider the possible consequences.
- Not implicitly trusting a caller’s identity: Verify the caller’s identity by looking up a publicly available phone number for the company and calling it back. If the caller provides a call-back number, it should not be used, as it could be part of the scam. If the caller claims to be a friend or family member, reach out to this person over other means of communication or contact mutual connections to verify the claim.
How to protect an organization from vishing attacks
There are several measures companies can take on cultural and technological levels to protect themselves from vishing attacks.
Education: It is important to educate employees about current vishing trends as well as their general characteristics. This way, employees will be able to spot attacks based on their knowledge of a specific scenario, or to exercise caution if they feel characteristics of vishing attacks are present. It is also helpful if leaders remind their employees about the instances in which they will or will not reach out to them. For instance, a CEO would not call employees to ask them for private information or to make a bank transfer. As obvious as this may seem, it is still good for the CEO to communicate this on a regular basis.
Culture: Organizations should work to make their employees feel comfortable reporting that they have fallen victim to a vishing attack. Ideally they have a process in place for such cases, make sure staff is aware of it, and create an atmosphere of trust in which employees will not fear repercussions for reporting incidents promptly.
Technology: Vishing attacks that take place over phone calls are harder to detect and prevent than phishing attacks in emails. However, certain steps can be taken for damage control and monitoring.
- Multi-factor authentication: If two or more verification factors are needed to access internal systems and information, it will be difficult for attackers to gain access simply by stealing login credentials over the phone.
- Principle of least privilege: If an employee falls victim to a vishing attack and their device or account is compromised, ensure that the damage will be as limited as possible. Making sure employees only have access to the systems and information they need for their role is key. [Zero Trust network access technology](https://www.cloudflare.com/learning/access-management/what-is-ztna/), such as Cloudflare’s Zero Trust services, can help manage this access.
- Access logs: It is important to have systems in place that detect and monitor unusual activity. Zero Trust technology helps organizations do that as well.
- Using email security as a sensor: Attackers usually use multiple forms of social engineering at the same time. By using Cloudflare's email security technology, email-phishing attempts will be stopped from coming through and the organization will be alerted to a rise in attempts. A rise in email phishing often implies a rise in voice phishing.
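As an added example, not code from the original article or from Cloudflare, the script below shows two small detections that follow from the technology measures above: it scans authentication events for logins where the password was accepted but the second factor failed (the footprint of credentials handed over on a phone call and then used by someone else, which multi-factor authentication stops at the gate), and it checks whether the latest daily count of blocked phishing emails spikes above the recent baseline, which the article treats as a warning sign for voice phishing. The log events, field layout, counts and thresholds are all constructed for illustration and do not reflect any particular product's log format.

```python
"""Added example: two lightweight detections a security team might run to
act on the vishing guidance above. Everything here (event layout, sample
values, thresholds) is constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed auth events: (timestamp, user, source_ip, password_ok, mfa_ok).
# "bob" looks like a user whose password was given away: it is accepted
# repeatedly from one address, but the second factor never succeeds.
AUTH_EVENTS = [
    ("2024-03-04T08:01:10Z", "alice", "203.0.113.7",   True,  True),
    ("2024-03-04T08:03:44Z", "bob",   "198.51.100.23", True,  False),
    ("2024-03-04T08:04:02Z", "bob",   "198.51.100.23", True,  False),
    ("2024-03-04T08:04:31Z", "bob",   "198.51.100.23", True,  False),
    ("2024-03-04T08:10:00Z", "carol", "203.0.113.9",   False, False),
    ("2024-03-04T08:12:15Z", "dave",  "192.0.2.55",    True,  True),
]


def mfa_failures_after_valid_password(events, threshold=2):
    """Return {user: [source_ips]} for users with at least `threshold` events
    where the password was accepted but the second factor was not.
    A wrong password (password_ok False) is ordinary noise and is ignored."""
    hits = defaultdict(list)
    for _ts, user, ip, password_ok, mfa_ok in events:
        if password_ok and not mfa_ok:
            hits[user].append(ip)
    return {user: ips for user, ips in hits.items() if len(ips) >= threshold}


# Constructed daily counts of phishing emails blocked by an email gateway,
# oldest first; the last value is today.
DAILY_BLOCKED_PHISHING = [12, 15, 11, 14, 13, 12, 16, 58]


def phishing_spike(daily_counts, window=7, sigma=3.0):
    """Compare the most recent day with the preceding `window` days and flag
    a spike when it exceeds mean + sigma * population stdev of that baseline.
    Returns (is_spike, baseline_mean, latest)."""
    if len(daily_counts) < window + 1:
        raise ValueError("need at least window + 1 days of data")
    baseline = daily_counts[-window - 1:-1]
    latest = daily_counts[-1]
    mu = mean(baseline)
    sd = pstdev(baseline) or 1.0  # a perfectly flat baseline still needs a nonzero band
    return latest > mu + sigma * sd, mu, latest


def triage(events=AUTH_EVENTS, daily_counts=DAILY_BLOCKED_PHISHING):
    """Combine both checks into a list of human-readable alert strings."""
    alerts = []
    for user, ips in sorted(mfa_failures_after_valid_password(events).items()):
        alerts.append(
            f"Possible stolen password for {user}: {len(ips)} valid-password/"
            f"failed-MFA attempts from {sorted(set(ips))}; reset credentials "
            f"and ask the user about recent unexpected phone calls"
        )
    spike, mu, latest = phishing_spike(daily_counts)
    if spike:
        alerts.append(
            f"Blocked phishing email jumped to {latest} (baseline mean {mu:.1f}); "
            f"warn staff that voice-phishing calls may follow"
        )
    return alerts


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Both checks are deliberately simple threshold rules so the logic is visible; in practice the MFA rule would read from the identity provider's sign-in log and the spike rule from the email gateway's daily block counts, and the alert would feed whatever process the organization already uses for reported vishing incidents.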