WHAT IS VISHING?
The latest social engineering scam explained and what you can do about it
Did you hear about the British teenager, Kane Gamble, who breached CIA director John Brennan’s account using vishing techniques?
Perhaps it’s time to consider whether vishing is a security threat to your organization.
What is Vishing?
Vishing is phone-based social engineering. It occurs when a criminal impersonates another person over the phone to obtain information that leads to a data breach.
3 different types of vishing:
- A consumer is tricked into giving away personal data such as credit card information or passwords.
- A corporate user is tricked into giving away company data, such as the password for the victim's accounts, or into performing a transaction in the criminal's interest, such as transferring money (CEO scams).
- The victim is an important corporate user, but the criminal calls a privileged user, such as the service desk, to obtain the password of the target person (the victim).
Some vishing techniques:
Creating emotions to avoid facts
The criminal has decided before the call which emotions to create in the victim.
Popular feelings exploited by vishing attackers:
Is VISHING and PHISHING the same?
Vishing and phishing are two different attack vectors in the social-engineering arsenal.
Phishing is like old-fashioned artillery: cover a large area with grenades (e.g. calls/emails) and hope to hit someone who will respond positively to the call-to-action, such as by giving away account numbers and passwords.
Vishing is like a modern elite corps: target a specific high-importance person, make very detailed plans, and execute with resolve!
How does vishing work?
Say a hacker wants to get access to a specific important user's accounts. The first thing they will probably do is send phishing mails. If the target person is protected by technical anti-phishing solutions, awareness training and intelligence, though, it is very unlikely that the hacker will succeed.
The hacker might then try a vishing attack by phoning the target directly. If the target person is intelligent, however, it is very unlikely that they will give away any passwords or account numbers or transfer any money.
The weakest point in the defence is someone who has access privileges to the target person's information and passwords: the service desk or helpdesk. IT service supporters are trained to give service and to do it fast, which is an ideal profile for a social engineering victim!
Vishing is a social-engineering attack. The core strategy is to elicit emotions that make the victim hand over what the attacker asks for.
The emotions then determine the victim's actions; any instructions that call for critical checks are forgotten!
Mitigation against vishing must involve solutions where decisions are based on facts and not on emotions. FastPass Identity Verification Client (IVC) is a secure workflow that takes control of the verification process.
IVC takes emotions out of verification!
Hackers' tools now include voice changers to fake target people's voices, as well as telephone number spoofing and SMS copying. But hackers won't succeed even with these techniques if helpdesk workers follow a strict workflow with multiple verification tests.
To what extent is vishing used?
We believe that many successful vishing attacks are never disclosed, and hence never reported anywhere. If the hacker wants access to high-value data, they will copy the data, leave, and never return. The organization will later not understand how a competitor, the press, public organizations etc. got access to the data!
The FastPass Identity Verification solution controls the entire verification process. It collects a lot of data automatically and instructs the service desk supporter which questions to ask. Based on algorithms for the different user groups, IVC decides when the verification is complete. Hackers cannot win by using emotional tricks on the service desk supporter at the other end!
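To make the fact-based workflow concrete, here is an added illustration (not FastPass code, and not IVC's actual algorithm) of a helpdesk verification policy in which each completed check contributes evidence, the required threshold depends on the caller's user group, and a failed strong check blocks the reset regardless of what the caller says. The check names, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed verification checks and evidence weights (assumed policy).
# Strong checks reach the real user out-of-band; weak ones are learnable facts.
CHECK_WEIGHTS = {
    "callback_to_registered_number": 3,  # call back the number on file, not the caller's
    "mfa_push_confirmed": 3,             # user approves a push on their enrolled device
    "manager_approval": 2,               # separate confirmation from the line manager
    "employee_id_matches": 1,            # weak: often visible on badges or directories
    "knowledge_question": 1,             # weak: social media or earlier breaches
}
STRONG = 3

# Per-group evidence thresholds (assumed): privileged users need more proof.
GROUP_THRESHOLD = {"standard": 4, "privileged": 6, "executive": 7}


@dataclass
class VerificationSession:
    user_group: str
    passed: set = field(default_factory=set)
    failed: set = field(default_factory=set)

    def record(self, check: str, ok: bool) -> None:
        """Record the outcome of one check the supporter actually performed."""
        if check not in CHECK_WEIGHTS:
            raise ValueError(f"unknown check: {check}")
        (self.passed if ok else self.failed).add(check)

    def score(self) -> int:
        return sum(CHECK_WEIGHTS[c] for c in self.passed)

    def next_questions(self) -> list:
        """Checks still to run, strongest first, so the script drives the call."""
        remaining = set(CHECK_WEIGHTS) - self.passed - self.failed
        return sorted(remaining, key=lambda c: (-CHECK_WEIGHTS[c], c))

    def is_verified(self) -> bool:
        # A failed strong check is disqualifying: weak evidence cannot
        # compensate for a callback that reached somebody else.
        if any(CHECK_WEIGHTS[c] >= STRONG for c in self.failed):
            return False
        return self.score() >= GROUP_THRESHOLD[self.user_group]


def decide(session: VerificationSession) -> tuple:
    """Decision plus the reason the supporter reads back. Only recorded
    facts enter it; caller urgency or seniority has no input here."""
    if any(CHECK_WEIGHTS[c] >= STRONG for c in session.failed):
        return False, "strong check failed; escalate to security"
    if session.is_verified():
        return True, "verification complete"
    return False, f"need more evidence; next: {session.next_questions()[:2]}"
```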