Vishing – A Closer Look

Vishing, a shortened name for voice phishing, is the act of using a telephone to trick an individual into surrendering useful information to a fraudulent caller. Vishing is a form of social engineering, and as in most social engineering attempts, the attacker will create a false identity to carry out the attack. By doing this, they aim to gain the trust of the target and ultimately gain information intended to be private, or information to help them understand the environment more. Questions the person conducting the vishing attack ask may seem unimportant, but to a skilled social engineer these answers could show them vulnerabilities. The questions could be targeted towards private personal information like pins, birth dates, addresses, or names. The information could also be more general information about the target, like software, programs, or service providers used.

Vishing and phishing are both types of social engineering attacks reaching out to you and trying to gain information. While vishing involves the attacker calling you, phishing involves the attacker emailing you. Phishing emails and vishing calls often look very legitimate, and both have caused serious loss among consumers and companies alike.

The first step in a vishing attack involves the social engineer spoofing the number of who they’re impersonating. Doing this will make it look like the call is coming from the legitimate number, and if the target’s phone has caller ID, it will even show that legitimate company’s name. The social engineer will have specific information they’re trying to get from the target when they call. When the target picks up they will have a strategy or script to get the information from them. If the social engineer is trying to get information about the security of the building, they may call pretending to be the security company, and ask for the model number and type of equipment they have onsite. While small pieces of info like this may seem like they aren’t enough to cause damage, a social engineer is looking to gather as many details about how the organization operates in order to find vulnerabilities and attack them.

Vishing attacks find success by manipulating the target’s desire to help the person on the other end of the line. They’re able to create a complete false identity, from spoofed numbers to fake background noise and voice changers. Through this, they build enough trust that the target will let their guard down. With the proper tools, skilled and knowledgeable vishers can appear to be anyone they say they are.

To help prevent these scams, there are certain clues to look for. Before you even pick up the phone, look at the number. If it’s not a number in your contacts or the number you were expecting a call from, that’s an easy indicator. However, even if it is a number you or your caller ID recognize, it still could be a scam. When answering the phone, don’t take the caller’s word for who they are. Look for questions that may be unnecessary or unusual. If something seems off or they ask you for sensitive information, don’t be afraid to say you can’t give it to them. If they say this is urgent, the best thing to do is say you’ll call them back to verify their identity. They may be able to spoof their number when calling you, but when you call the real number back, it will go to the legitimate location.

The best way to mitigate your risk of a successful vishing attack is by training your workforce to recognize this threat. Compass IT Compliance has been conducting Social Engineering & Vishing Assessments for nearly a decade. Our team of trained social engineering specialists will identify key vulnerabilities in your most valuable resource: People.