Examples of Effective Vishing Attacks

Vishing (not to be confused with phishing) is a form of social engineering that attempts to manipulate an individual to give an attacker personal information like usernames and passwords, credit card information, and social security numbers via the telephone. The attacker will call and impersonate somebody that you might trust, such as a family member, co-worker, or government official. In some cases, they will go as far as spoofing a telephone number or altering their voice. The attacker will try to bait the victim with a pretext to get them to reveal information that the attacker wants. A pretext is a scripted scenario (often involving prior research on the target) that an attacker can use to build trust with the victim, answer their follow up questions with confidence, and get them to divulge sensitive information.

There are thousands if not millions of different pretexts that attackers use. Just like phishing, many pretexts are based off fear and convincing the victim that they must act quickly in a time sensitive situation. Below is an example:

“Hello, this is the fraud department with Wells Fargo. We are calling regarding a suspicious $800 charge on your account. Before we continue, are you able to confirm that you are the account owner?”

This tactic attempts to create a sense of urgency and fear so that the victim will frantically give up information to the attacker to solve the situation. This is an actual example of an attack scenario used against Wells Fargo customers. The attacker will ask the email address on the account, and then ask the victim to confirm their identity by reading off a 6-digit number sent to their phone. What is actually happening is that the codes being sent to the phone are codes to reset the account password, further alter the account, and transfer money. The attacker is on their computer using the authentication codes to take over the victim’s account. The victim is often using the cell phone that the codes are coming in to while talking with the attacker and might not look closely at the text messages that accompany the codes. Once in the account, the attacker can read off some recent transactions to build trust with the victim and get them to reveal even more information.

Here is another great example of a common vishing pretext which we often use on our vishing engagements:

“Hello, my name is __________ and I’m with the IT help desk at ____________. We’re calling all departments to make sure they are ready for the expiration of Windows 7 support. We need to sign up all users for Windows updates. I’m going to send you a link to the page to sign up for the updates.”

This call would go out to an employee of an organization during business hours. The first blank would be the name of one of the organization’s IT managers or support staff (name located via research on LinkedIn) and the second blank would be the name of the organization where the employee works. The link they are going to is a fake page designed to look like it is coming from the employee’s organization and asking for their login credentials. If a non-technical employee receives this call and the attacker provides them with a great deal of technical talk, they might just comply because they don’t quite understand the situation from the technical aspect. We often have success with this vishing pretext. The best thing you can do if faced with this scenario is to tell the caller you will call them back, hang up, and dial the IT help desk number that your organization has on file to ensure you are actually speaking with the correct individuals.

Vishing is just one form of social engineering. Attackers are constantly crafting up new methods to elicit private information from individuals in all industries. For the past decade, Compass IT Compliance has been carrying out simulated social engineering assessments including onsite facility access attempts, phishing, vishing, and USB drops. We also offer customizable online and in-person security awareness training courses. Want to learn more about vishing and social engineering? Contact us today!