- To protect your organization, you need to know the difference between phishing, smishing and vishing.
- Vishing prevention starts with understanding the telltale signs of voice-based attacks and common attack methods.
- There are smart ways to prevent vishing attacks, including restricting your VPN connections, examining access logs and avoiding unknown callers.
In a previous blog post, we discussed a specialized phishing variation called smishing, which means SMS-based phishing attacks. There is a slightly different variation that involves voice-based phishing, or vishing. While it shares many commonalities with its similarly-named criminal cousins, there are some major differences. Let’s take a deeper dive into how it works.
The US CERT defines vishing this way: “Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and other media broadcasting services.”
In other words, think of vishing as a more modern and sophisticated version of a crank call. Only instead of being placed by bored teenagers, it is a very targeted and dangerous call that can get you to do the caller’s bidding.
One of the key elements of a vishing attack is spoofing the originating number. This means that when you receive a call, the caller ID of the true originating number is replaced with something that the caller chooses, such as the number of your bank or a legitimate business. VoIP easily allows caller identity numbers to be spoofed and there are dozens of call spoofing services available — which are illegal in the US, by the way.
Earlier this year, the FBI issued warnings about the practice. Criminals use typosquatted domains that appear to be coming from your legitimate suppliers, with names like [support-domain].com or [employee-domain].com. The criminals spend some time developing intelligence dossiers on the targeted individuals, based on what they learn from your social media posts and other publicly available data. In some cases, the targets were tricked into giving up their multi-factor authentication tokens to compromise their accounts.
Things Are Getting Complicated
Just like smishers, vishers are getting more clever at constructing their lures and scams. Spoofing isn’t the only tool these guys abuse. Another is the underpinning of any good social engineering effort: collecting as much data about you as possible, to make their request more personal and more believable.
“The more an attacker knows about you, the more they can tailor their scams – or target them,” says this post in Naked Security. The challenge is that the caller just has a few seconds to establish their bona fides or to speak about 60 words before you decide whether or not they are legitimate, according to that post. In the UK there is a new wave of calls that are more believable because they are automated and use voice synthesis software to “speak” with diction and an accent that is nearly, but not quite, as good as Siri.
Seven Ways to Stop Vishing Attacks
Brian Krebs has details and suggestions gleaned from watching vishers at work.
- Restrict your VPN connections. Your IT department should check for installed certificates and ensure that only authorized users are accessing corporate systems. Access could also be restricted by time of day to prevent overseas attempts to compromise corporate systems.
- Look at your access logs. Just like with smishing, IT staff should examine access logs for unauthorized or unusual user activity.
- Improve your multi-factor authentication mechanisms to verify authentic employees.
- Don’t answer your phone for unknown callers. If you do pick up the call and realize that you are dealing with a scammer, hang up quickly and then block the number.
- Don’t enter contests or other seemingly-attractive lures. At best, you are sharing your data with marketers. At worst, you might be working with a criminal and end up losing money.
- Don’t trust anyone, including that your corporate help desk is actually calling you. As with smishing lures, hang up and call them back at a phone number that you know is genuine. Don’t provide any personal information at any time to any callers. Better yet, limit the personal information that you place in your own social media posts.
- Actively scan your corporate web apps, particularly for unauthorized or unusual access and activities. Monitor and audit authorized user access logs periodically.
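As an added example (not from the post and not Network Solutions’ own tooling), here is a small Python check that applies the VPN and access-log points above to a few constructed log lines: unknown client certificates, logins from outside the permitted country, logins outside business hours, and a success right after repeated failures. The log format, field names, policy values and user names are all assumptions made for the example.

```python
"""Flag unusual VPN access-log entries. Added example; log format,
policy values and sample lines are constructed, not a real product's."""
from datetime import datetime, time

# Constructed sample log: timestamp, user, source country, client cert fingerprint, result
SAMPLE_LOG = """\
2020-09-01T09:12:44 alice US sha256:aa11 success
2020-09-01T22:40:03 alice RO sha256:aa11 success
2020-09-01T10:05:19 bob US sha256:bb22 success
2020-09-02T03:15:51 bob US sha256:ff99 success
2020-09-02T11:30:00 carol US sha256:cc33 failure
2020-09-02T11:30:20 carol US sha256:cc33 failure
2020-09-02T11:30:41 carol US sha256:cc33 success
"""

# Assumed policy: the device certificates issued to each user, the countries
# staff normally connect from, and the time-of-day window the post suggests
KNOWN_CERTS = {"alice": {"sha256:aa11"}, "bob": {"sha256:bb22"}, "carol": {"sha256:cc33"}}
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    ts, user, country, cert, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "cert": cert, "result": result}


def find_anomalies(log_text):
    """Return a list of (user, timestamp, reason) for entries that break the policy."""
    findings = []
    fail_streak = {}  # consecutive failures per user, reset on success
    for raw in log_text.splitlines():
        e = parse_line(raw)
        when = e["ts"].isoformat()
        if e["cert"] not in KNOWN_CERTS.get(e["user"], set()):
            findings.append((e["user"], when, "unknown client certificate"))
        if e["country"] not in ALLOWED_COUNTRIES:
            findings.append((e["user"], when, f"login from {e['country']}"))
        if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
            findings.append((e["user"], when, "outside permitted hours"))
        # A success after several failures is worth a call-back to the user:
        # it is what a phished or guessed MFA code tends to look like in the log
        if e["result"] == "failure":
            fail_streak[e["user"]] = fail_streak.get(e["user"], 0) + 1
        else:
            if fail_streak.get(e["user"], 0) >= 2:
                findings.append((e["user"], when, "success after repeated failures"))
            fail_streak[e["user"]] = 0
    return findings
```

Each finding is a reason to verify the login with the employee over a channel you already trust, which is the same call-back habit the checklist recommends for suspicious calls.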
Protecting Your Organization at A to Z
Here at Network Solutions, we’re committed to helping you keep your organization safe online. Preventing vishing attacks is an important part of any security plan, but you also need to make sure you have the support you need and that you can keep your team members protected on any device.
That’s why Cyber Security Solution is such a great choice. For one low price, you’ll get access to security experts on call 24/7, plus mobile device security coverage. Combined with a smart approach to phishing, smishing and vishing threats, it’s a great foundation for a robust cybersecurity strategy.