What is Vishing?
The latest social engineering scam explained and what you can do about it
Vishing, or a vishing attack, is a new method of phone-based social engineering. A criminal impersonates a victim to obtain sensitive data such as personal information, bank account and other financial information, and credit card details, resulting in identity theft or a data breach.
More companies now consider it a major security threat. In fact, a teenager from the UK, Kane Gamble, hacked top-ranking United States officials using only his phone, through social engineering, or what is now commonly called vishing.
3 different types of Vishing and where it happens:
Vishing through commercial channels is where the criminal pretends to be a consumer and tricks a customer support representative over the phone into giving away personal details like bank account, social security, credit card, and other financial numbers. Usually, the caller has a sense of urgency in their voice, causing the privileged attendant to give out sensitive information.
Corporate vishing scams are where victims are tricked into giving away company valuables, like a password for the victim’s accounts, or into carrying out transactions in the criminal’s interest, like transferring money. This often happens to some employees and mostly in top management (CEO scams).
Another situation is voice phishing where the criminal impersonates an important corporate user and calls a privileged user at the service desk to get the password for the target person (the victim).
More about Vishing and Vishing Attack
An attack can happen in just a simple phone call, when the caller creates an illusion filled with emotions to steer the conversation away from facts. The criminal has prepared before the call which situation to create, so that he or she sounds like the actual victim.
Feelings that vishing hackers exploit in a vishing scam:
Are VISHING and PHISHING the same?
Vishing and Phishing are two different attack vectors in the social-engineering arsenal.
Phishing is like old-times artillery: Cover a large area with grenades (e.g. calls/emails) and hope to hit someone who will respond positively to the call-to-action, such as by giving away account numbers and passwords.
Vishing is like modern-times elite corps: Target a specific high-importance person, make very detailed plans, and execute with no reservations. Vishing is Voice Phishing.
How does a Vishing Attack or Voice Phishing Happen?
Say a hacker wants to get access to a specific important user’s accounts like a credit card. The first thing they’ll probably do is send a phishing email. If the target person is protected with technical anti-phishing solutions, skills & awareness training, and intelligence, though, it’s very unlikely that the hacker will be successful.
The hacker will then try a vishing attack by making a phone call to the target. If the target person is smart and equipped, it’s very unlikely that they’ll give away sensitive information such as bank account numbers, credit card details or financial information, or transfer any money.
The weakest point in the defense is someone who has access privileges to the target person’s information and passwords. The help desk is the place. IT service supporters are trained to give service and do it fast – it’s an ideal profile for a common vishing victim!
Vishing is a social engineering attack. The core strategy is to elicit emotions that will make the victim give the attacker what they ask for. It is done through a phone call most of the time.
The emotions will now dictate the victim’s actions; as a result, any critical methods-based instructions are forgotten!
Mitigation against vishing attacks must involve solutions where decisions are based on facts and not on emotions. FastPass Identity Verification Manager (IVM) is a secure workflow that takes control of the verification process.
Identity Verification takes emotions out of verification
The tricks now available to hackers include voice changers to fake the target person’s voice on a phone call, as well as mobile number spoofing and SMS copying. But hackers won’t succeed even with these techniques if helpdesk workers or tech support follow a strict workflow with multiple verification tests.
To what extent is vishing used?
- From 2013 to 2018, social engineering attacks involved in data breaches grew from 18% to 35%
- 29% of incidents in 2019 involved stolen credentials (passwords)
- It’s estimated that vishing, or telephone fraud, leads to a global loss of about $46.3 billion
We believe that many successful vishing attacks are never disclosed, and hence not reported anywhere. If the hacker wants access to high-value data like social security, card numbers or any other information, he will copy the data, leave, and never return. The organization will later not understand how a competitor, the press or public organizations got access to the data.
Prevent Vishing Attacks through Identity Verification
Hackers’ tools now include voice changers for phone calls to fake the target person’s voice, as well as telephone number spoofing and SMS copying. But hackers won’t succeed even with these techniques if helpdesk workers follow a strict workflow with multiple verification (end user verification) tests.
The FastPass Identity Verification solution controls the entire verification process. It collects a lot of data automatically and instructs the service desk supporter which questions to ask. Based on algorithms for the different user groups, IVM will decide when the verification is complete. The hackers can’t win by using emotional tricks against the company service desk supporter on the other end!
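A sketch of such a workflow, added here as an illustration (it is not FastPass code and not the IVM algorithm): the policy decides when verification is complete, spoofable signals such as caller ID and voice score nothing, and a failed check cannot be retried. The user groups, check names, point weights and thresholds are all assumptions.

```python
"""Help-desk caller verification where the policy, not the supporter, decides.
All groups, check names, weights and thresholds are hypothetical (assumed)."""
from dataclasses import dataclass, field

# Points per passed check. Caller ID and voice are spoofable (number spoofing,
# voice changers), so passing them contributes nothing to the score.
CHECK_POINTS = {
    "caller_id_matches": 0,
    "voice_recognised": 0,
    "employee_id": 1,
    "manager_callback": 3,        # supporter calls the manager on a directory number
    "otp_to_enrolled_device": 3,  # one-time code sent to a pre-enrolled device
}

# Score required and failed checks tolerated, per user group (assumed values).
GROUP_POLICY = {
    "standard": {"required": 3, "max_failures": 1},
    "privileged": {"required": 6, "max_failures": 0},
}


@dataclass
class VerificationSession:
    group: str
    results: dict = field(default_factory=dict)  # check name -> passed?

    def record(self, check: str, ok: bool) -> None:
        if check not in CHECK_POINTS:
            raise ValueError(f"unknown check: {check}")
        if check in self.results:
            raise ValueError(f"{check} already attempted; no retries")
        self.results[check] = ok

    def decision(self) -> str:
        policy = GROUP_POLICY[self.group]
        failures = sum(1 for ok in self.results.values() if not ok)
        if failures > policy["max_failures"]:
            return "deny"  # urgency on the call cannot override this
        score = sum(CHECK_POINTS[c] for c, ok in self.results.items() if ok)
        return "verified" if score >= policy["required"] else "continue"

    def next_check(self):
        """Highest-value scoring check not yet attempted, or None."""
        open_checks = [c for c, pts in CHECK_POINTS.items()
                       if pts > 0 and c not in self.results]
        return max(open_checks, key=CHECK_POINTS.get, default=None)
```

The supporter only records outcomes and asks what `next_check()` returns; a password reset proceeds only when `decision()` returns "verified".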