Until recently, vishing was only seen as a real threat to individuals. Now it’s become an increasingly common way for hackers to infiltrate businesses, too. But what exactly is vishing, and how can your organisation avoid it?
Vishing Explained
Most people have heard of phishing these days, but vishing is still a relatively new phrase. It’s a type of social engineering that uses phone calls and voice automated software to get people to share vital information, like bank account details and passwords.
Instead of targeting victims via email, the hackers contact people by telephone instead. Sometimes it’s a real person calling, other times it’s a bot, but the aim is always the same – to catch people off guard and manipulate them into sharing valuable information or sending money.
Vishing is not a new idea – phone scams have existed for decades. But over recent years many of us have taken our eyes off the ball when it comes to these kinds of attacks, thinking they’re a thing of the past. But while companies are spending a fortune on security software and getting wise to common online hacks, the criminals are going back to old school tactics.
Vishing Poses a Real Threat to Businesses
In 2021, California based financial services company Robin Hood Markets Inc. fell foul to a high-profile vishing scam. It happened late one afternoon during lockdown, when a representative from Robin Hood took a call on their mobile phone, seemingly from a senior person from within the company. The conversation lasted over an hour, as the caller built up a friendly rapport with the victim – who happily shared details about customer accounts.
Only realising it was a strange interaction when they got home, the rep discussed the call with a relative – who immediately told them to escalate it. By the time the hack was reported, the personal information of over 7 million customers had been shared, and it’s now widely known as the biggest scam of its kind.
While phishing is still the number one cyber security threat to businesses, vishing is now a serious contender too. The situation has become so serious that the FBI has got involved, issuing warnings about this kind of fraud to businesses throughout America. The bureau announced that the rise of remote working has had a direct impact on the number of scam calls, and that although vishing is most likely to be used to steal business contacts rather than money these days, the effects can still be devastating and not just financially. Read our blog The Hidden Cost of Cyber Crime And How to Avoid it.
Key Factors of Vishing Attacks
It’s not always easy to differentiate between a genuine call and a vishing attack, particularly when the caller has taken a long time researching their victim and building trust. But there are ways to spot them. Vishing attacks commonly involve the following elements:
Urgency
If the caller tells you the situation is urgent and puts you under pressure to share information or send money, there’s a good chance you’re being targeted by a scammer. Criminals know that people are more likely to make mistakes when they feel stressed, so they create a sense of panic and urgency to get results.
Personal Details are Required
If someone suddenly calls asking for personal details, proceed with extreme caution. It’s also important to note that many vishing scammers use sophisticated software to mimic people’s voices, so even if the caller sounds familiar there’s no guarantee it’s the real deal. If in doubt, always double check the number is correct and arrange to call people back.
Requesting Remote Access
Scammers will often ask to establish remote access to computer systems, so never share passwords or provide remote access to any callers – ever!
Claiming to Be from Banks or Government Bodies
Scammers also know that people tend to react to authority figures with a sense of respect and compliance, so they’ll often pretend to represent HMRC, banks or government agencies. No organisation of this kind will ever ask you to share confidential data over the phone, so hang up the call and contact the organisation they’re claiming to be calling from straight away.
How to Protect Your Organisation from Vishing Scams
Training and Awareness
Like many other threats, avoiding vishing scams is all about having the right training and support in place. All employees should already be made aware of your organisation’s data protection policy and know how to spot common cyber risks, and vishing awareness should become part of your training and awareness sessions. Staff should always be vigilant about the information they’re sharing and know how to recognise common scams, so create an environment where security becomes part of your daily culture.
Adopt a System of “Least Privilege”
The more people who have access to every bit of information on your system, the bigger the risk surface and threat to your organisation. So, it’s important to ensure that all employees and third parties only have access to the data they specifically need for their own individual roles. You’ll also need to undertake regular checks and audits to ensure that no ex-employees don't have access to your systems.
Adopt Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a really important tool in keeping your business-critical data safe. Instead of relying on just one method for logging into accounts, such as a password, MFA provides additional layers of protection by requesting different information. These layers include Possession (something you have, like a mobile device or security key), Knowledge (something you know, like a password or piece of information) and Being (something you are, like a retina scan or fingerprint).
Use Technical Controls
Technical controls are also a great way to protect your staff and business from vishing. They commonly include things like endpoint detection and response solutions, web filters and password managers.
How Actisoft Can Help Your Organisation
As specialists in cyber security and risk management, we specialise in helping organisations of all sizes keep their data safe. We will be happy to talk to you about how hackers use social engineering to obtain information and make sure your staff are up to date with all the latest treats.
We also offer a comprehensive range of security software and monitoring to ensure you’re always one step ahead of the cyber criminals. Contact us today to find out more.
Find out now how many of your users take the bait and reply to a spoofed email
Did you know that 60% of spoofed email attacks do not include a malicious link or attachment? When crafted well, most users are likely to fall victim to a highly targeted social engineering attack.
Try our Phishing Reply Test (PRT) it is a complimentary IT security tool that makes it easy for you to check to see if key users in your organisation will reply to a highly targeted impersonation attack.
PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organisation from these fraudulent attacks!
Here's how it works:
- Immediately start your test with your choice of three phishing reply scenarios
- Spoof a Sender's name and email address your users know and trust
- Phishes for user replies and returns the results to you within minutes
- Get a PDF emailed to you within 24 hours with the percentage of users that replied
Identify how many users take the bait and reply before the bad guys do!