WHAT IS VISHING?
Vishing is a type of cybercrime that uses a phone call to obtain personal and private information from victims. Cybercriminals use clever social engineering strategies to persuade victims to act, handing over sensitive information and access to bank accounts. This is also known as voice phishing.
Vishing, like phishing and smishing, depends on convincing victims that answering the caller is the proper thing to do. The caller will frequently impersonate the government, the tax department, the police, or the victim’s bank.
Cybercriminals use threats and persuasive language to make victims feel as though they have no choice but to deliver the information requested. Some cyber criminals employ threatening rhetoric, while others claim to be assisting the victim in avoiding criminal penalties. Another frequent strategy is to make threatening voicemails warning the listener that if they don’t call back right away, they risk being jailed, having their bank accounts frozen, or worse.
How Does a Vishing Attack Work?
A successful vishing attack requires more than merely dialing random phone numbers; attackers follow a systematic strategy to steal from victims:
1. The cybercriminal begins by researching the victims. Sending phishing emails in the hopes that someone would respond and reveal their phone number is one example. Alternatively, the offender may use specialized software to dial several numbers with the same area code as the victims.
2. If the target has previously been duped by a phishing email, the caller is unlikely to raise any suspicions. The victim is anticipating a phone call, depending on how sophisticated the phishing/vishing technique is. People are more inclined to take calls from numbers with a local area code, which hackers are aware of.
3. Now that the cybercriminal has the victim’s attention, they must appeal to the victim’s natural human inclinations of trust, fear, greed, and a desire to assist. The criminal may utilize all or just one of these social engineering strategies to persuade the victim that they are doing the right thing, depending on the vishing plan. The cybercriminal may request bank account information, credit card information, and a postal address, as well as action from the victim, such as money transfers, emailing confidential work-related documents or disclosing information about their company.
4. The cybercrime does not end here. With this information in hand, the cybercriminal can go on to commit further offenses. For instance, a cybercriminal may drain the victim’s bank account, commit identity theft, use the victim’s credit card details to make illicit purchases, and then email the victim’s coworkers in the hope of duping someone into divulging confidential work information.
Four Vishing Techniques You Should Be Aware Of
1. War dialing
The cybercriminal uses software to dial numbers in a particular area code and play a message involving a local bank, company, police agency, or other local entity. When the phone is answered, an automated message asks for the person’s full name, credit card number, bank account number, postal address, and even social security number. According to the recorded message, this information is required to prove that the victim’s account has not been compromised or to validate genuine account data.
2. Voice over IP (VoIP)
VoIP makes it easy for cybercriminals to generate bogus phone numbers and hide behind them. These numbers are difficult to trace and are frequently used to create numbers that appear to be local or carry a 1-800 prefix. Some attackers will construct VoIP numbers that look as though they belong to a government agency, a local hospital, or the police department.
3. Phony Caller ID
Caller ID spoofing is similar to VoIP vishing in that the cybercriminal hides behind a false phone number/caller ID. They may use an unknown caller ID or claim to be a genuine caller by utilizing a caller ID such as Government, Tax Department, Police, and so on.
4. Dumpster diving
Digging through the trash behind banks, office buildings, and other random institutions is a basic and yet common means of acquiring genuine phone numbers. Criminals frequently gather enough information to launch a targeted spear vishing assault on the victim.
Vishing is exceedingly prevalent, and these four cases demonstrate how easily fraudsters may persuade victims to act.
1. Representative of the Government
The caller appears to be from the government and is just phoning to check personal identity information. If the victim does not supply the information necessary to validate their account and identity, the caller may threaten to delay tax returns or social security payments.
2. Fraudulent Tech Support
The caller claims to be from Microsoft, Amazon, or the local cellular provider. They’ve spotted strange activity on the victim’s account and merely want to double-check that they have the correct account information. The cybercriminal may request an email address to which they may send a software update, instructing the victim to apply it to safeguard their computer from cybercriminals; however, this installs malware on the victim’s machine.
3. Impersonation of a Bank
The cybercriminal appears to be calling on behalf of the victim’s bank by using a faked phone number and caller ID. The caller informs the victim that there has been odd activity on their account and asks them to confirm their bank account information, including their postal address, as proof of identity. The cybercriminal then uses this information to commit identity theft.
4. Telemarketing Assault
Everyone loves to win a free reward, and cybercriminals use this to lure unwary victims into revealing sensitive information. The caller states that this information is needed to handle the free reward and ensure that the victim receives it on schedule.
How to Identify and Prevent Vishing
Remind your staff how to spot and prevent vishing as part of your security awareness training and communication campaign:
1. Never give out or confirm personal information over the phone. Keep in mind that your bank, hospital, police department, or any other government agency will never phone you and ask for your personal information.
2. Pay close attention to the caller. Take note of the words used and pause before reacting. Never give out personal details, and do not confirm your address. Be wary of threats and urgent requests.
3. Be skeptical of any phone numbers provided by the caller to prove their identity. Look up the phone number yourself and call it from a separate phone. Cybercriminals can redirect phone numbers and generate bogus ones.
4. Do not pick up the phone when the call comes from an unknown number. Let the call go to voicemail and then listen carefully to the message.
5. Do not provide answers to queries concerning your personal information, workplace, or home address.
6. Make inquiries. If the caller is offering you a free reward or attempting to sell you anything, request verification of who they are and where they work. If the caller refuses to supply this information, disconnect the line. Before sharing your information, make sure you authenticate any information provided by the caller.
7. Add your phone number to the National Do Not Call Registry. Most genuine businesses adhere to this list, so if you receive a call from a telemarketing organization, the call is a phishing attempt.
8. Recall what you learned about social engineering throughout your security awareness course. Be on the alert for language that exploits basic human emotions like fear, greed, trust, and a desire to assist others.
9. Keep in mind that your boss or a colleague in human resources would never call you at home and ask you to transfer payments, offer private information, or email papers from your account.
10. Do not reply to emails or social media posts requesting your phone number. This is the initial stage of a targeted phishing/vishing assault. Inform the IT/support people about these emails/messages.
UK Cyber Security Ltd is here to help
If you would like to know more, do get in touch; we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers the technical controls that provide the protection you need to guard against criminal attacks.