WHAT IS VISHING?

The latest social engineering scam explained and what you can do about it

A teenager from the UK, Kane Gamble, hacked top-ranking United States officials using only his phone, through social engineering of the kind now commonly called vishing.

More companies now consider vishing a major security threat, but what exactly is vishing?


What is Vishing?

Vishing, or a vishing attack, is a new method of phone-based social engineering. A criminal impersonates a victim to obtain relevant information such as personal details, bank account and other financial information, credit card details, and any other sensitive data, resulting in identity theft or a data breach. As part of security awareness, we discuss the different types of vishing below.

Three different types of vishing and where they happen:

  1. Consumer vishing through commercial channels: the criminal pretends to be a customer and tricks a customer support representative into giving away personal details such as a bank account, social security or other financial numbers. Usually they call with a sense of urgency in their voice, causing the privileged attendant to give out sensitive information.
  2. Corporate vishing scams: victims are tricked into giving away company assets such as a password for the victim’s accounts, or into carrying out transactions in the criminal’s interest such as transferring money. This targets employees in general and most often top management (CEO scams).
  3. Service-desk vishing: the criminal impersonates an important corporate user and calls a privileged user at the service desk to obtain the password of the impersonated person, who is the actual victim.

See the steps on how to prevent Vishing

More about Vishing and Vishing Attack

A simple phone call is enough for an attack: the caller creates an emotionally charged illusion so that facts are never checked.

Before the call, the criminal has prepared the situation to create so that he or she sounds like the actual victim. The feelings a vishing scam sets out to exploit are:

  - Empathy
  - Pride
  - Fear
  - Greed

Are VISHING and PHISHING the same?

Vishing and Phishing are two different attack vectors in the social-engineering arsenal.

Phishing is like old-fashioned artillery: cover a large area with grenades (e.g. mass calls/emails) and hope to hit someone who will respond positively to the call-to-action, such as by giving away account numbers and passwords.

Vishing is like a modern elite corps: target a specific high-importance person, plan in great detail, and execute without reservations. Vishing is voice phishing.

How does a Vishing Attack or Voice Phishing Happen?


Say a hacker wants access to a specific important user’s accounts, such as a credit card account. The first thing they’ll probably do is send a phishing email. If the target person is protected with technical anti-phishing solutions, skills and awareness training, and intelligence, though, it’s very unlikely that the hacker will succeed.

The hacker will then try a vishing attack, by making a phone call to the target. If the target person is smart and equipped, it’s very unlikely that they’ll give away any sensitive information like account numbers, financial information or transfer any money.

The weakest point in the defense is someone who has access privileges to the target person’s information and passwords: the help desk. IT service supporters are trained to give service and to do it fast – an ideal profile for a vishing victim!

Vishing is a social-engineering attack. The core strategy is to elicit emotions that make the victim give the attacker what they ask for.

The emotions then dictate the victim’s actions; as a result, any critical procedure-based instructions are forgotten!

Mitigation against vishing attacks must involve solutions where decisions are based on facts and not on emotions. FastPass Identity Verification Manager (IVM) is a secure workflow that takes control of the verification process.


Identity Verification takes emotions out of verification

Hackers’ tricks now include voice changers to fake the target person’s voice on a call, as well as mobile number spoofing and SMS copying. But even with these techniques, hackers won’t succeed if help desk workers follow a strict workflow with multiple verification tests.

To what extent is vishing used?

We believe that many successful vishing attacks are never disclosed, and hence are not reported anywhere. If the hacker wants access to high-value data such as social security numbers, card numbers or any other information, he will copy the data, leave, and never return. The organization will later not understand how a competitor, the press or public organizations got access to the data.

Prevent Vishing Attacks through Identity Verification


The FastPass Identity Verification solution controls the entire verification process. It collects much of the data automatically and instructs the service desk supporter which questions to ask. Based on algorithms for the different user groups, IVM decides when verification is complete. Hackers can’t win by using emotional tricks against the service desk supporter on the other end!
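The fact-based workflow described above can be expressed as a small policy engine: a fixed list of verification checks, a weight per check, a required score per user group, and a rule that the caller’s tone, urgency or claimed seniority never contributes to the decision. The following Python is an added illustration, not FastPass IVM code; the check names, weights, group thresholds and the scripted call are all constructed assumptions for the example.

```python
"""Fact-based caller verification for a service desk (added example, not FastPass IVM).

A fixed policy decides what the supporter asks next and when verification is
complete, so pressure from the caller cannot change the outcome.  Every check,
weight and threshold below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Check(Enum):
    # Desk hangs up and calls the number already on file: defeats caller-ID spoofing.
    CALLBACK = "callback_to_registered_number"
    # Line manager confirms the request over a separate channel.
    MANAGER = "manager_confirmation"
    # Fact from the HR/identity record that is not public.
    KNOWLEDGE = "knowledge_question"
    # One-time code sent to the enrolled device and read back; weakest, since SMS can be copied.
    SMS_OTP = "sms_otp_readback"


# Constructed policy: evidential weight per check and required score per user group.
CHECK_WEIGHT = {Check.CALLBACK: 2, Check.MANAGER: 2, Check.KNOWLEDGE: 1, Check.SMS_OTP: 1}
GROUP_THRESHOLD = {"standard": 2, "privileged": 3, "executive": 4}
# Order in which the supporter is told to run checks: hardest to fake first.
CHECK_ORDER = [Check.CALLBACK, Check.MANAGER, Check.KNOWLEDGE, Check.SMS_OTP]


@dataclass
class VerificationSession:
    claimed_user: str          # who the caller says they are
    user_group: str            # looked up in the directory, never taken from the caller
    displayed_caller_id: str   # kept for the audit log only; spoofable, so never scored
    passed: set = field(default_factory=set)
    failed: set = field(default_factory=set)
    # Urgency, seniority or threats from the caller: logged, never scored.
    unscored_claims: list = field(default_factory=list)


def note_caller_claim(session: VerificationSession, claim: str) -> None:
    """Record a pressure or identity assertion without changing the score."""
    session.unscored_claims.append(claim)


def record_result(session: VerificationSession, check: Check, passed: bool) -> None:
    """Store the outcome of a check the supporter actually performed."""
    (session.passed if passed else session.failed).add(check)


def score(session: VerificationSession) -> int:
    """Evidence gathered so far; only performed checks count."""
    return sum(CHECK_WEIGHT[c] for c in session.passed)


def decision(session: VerificationSession) -> str:
    """VERIFIED, REJECT or INCOMPLETE, computed only from check outcomes."""
    if session.failed:
        # One failed check is disqualifying; passed checks never average it away.
        return "REJECT"
    if score(session) >= GROUP_THRESHOLD[session.user_group]:
        return "VERIFIED"
    remaining = [c for c in CHECK_ORDER if c not in session.passed]
    return "INCOMPLETE" if remaining else "REJECT"


def next_check(session: VerificationSession) -> Optional[Check]:
    """Tell the supporter what to ask next, or None when the workflow has ended."""
    if decision(session) != "INCOMPLETE":
        return None
    for check in CHECK_ORDER:
        if check not in session.passed and check not in session.failed:
            return check
    return None


def action_for(session: VerificationSession) -> str:
    """What the desk may do with the request (e.g. a password reset) right now."""
    outcome = decision(session)
    if outcome == "VERIFIED":
        return "proceed_and_log"
    if outcome == "REJECT":
        return "refuse_and_escalate_to_security"
    return "keep_verifying"


def scripted_call(user_group: str, outcomes: dict) -> tuple:
    """Drive one constructed call from a map of check -> pass/fail.

    Returns (final decision, checks the supporter was told to perform).
    A check missing from the script counts as failed.
    """
    session = VerificationSession("claimed.user@example.test", user_group, "+1-555-0100")
    note_caller_claim(session, "says this is urgent and the CEO is waiting")
    asked = []
    while (check := next_check(session)) is not None:
        asked.append(check)
        record_result(session, check, outcomes.get(check, False))
    return decision(session), asked
```

The design choices carry the page’s point: `displayed_caller_id` and `unscored_claims` are stored for the audit trail but never enter `score`, a single failed check ends in `REJECT` regardless of how much else passed, and `next_check` always hands the supporter the next step of the script so that the call is driven by the policy rather than by the caller.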