In a previous blog post, we discussed a specialized phishing variation called smishing, which refers to SMS-based phishing attacks. There is a slightly different variation that involves voice-based phishing, or vishing. While it shares many commonalities with its similarly named criminal cousins, there are some major differences. Let’s take a deeper dive into how it works.
The US CERT defines vishing this way: “Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and other media broadcasting services.”
In other words, think of vishing as a more modern and sophisticated version of a crank call. Instead of being placed by bored teenagers, it is a highly targeted and dangerous call designed to get you to do the caller’s bidding.
One of the key elements of a vishing attack is spoofing the originating number. This means that when you receive a call, the caller ID of the true originating number is replaced with something the caller chooses, such as the number of your bank or a legitimate business. VoIP makes caller ID easy to spoof, and there are dozens of call spoofing services available — which are illegal in the US, by the way.
Earlier this year, the FBI issued warnings about the practice. Criminals use typosquatted domains that appear to belong to your legitimate suppliers, with names like [support-domain].com or [employee-domain].com. The criminals spend some time developing intelligence dossiers on the targeted individuals, based on what they learn from your social media posts and other publicly available data. In some cases, the targets were tricked into giving up their multi-factor authentication tokens, allowing their accounts to be compromised.
Just like smishers, vishers are getting more clever at constructing their lures and scams. Spoofing isn’t the only tool they abuse. Another is the underpinning of any good social engineering effort: collecting as much data about you as possible to make the request more personal and more believable.
“The more an attacker knows about you, the more they can tailor their scams – or target them,” says this post in Naked Security. The challenge, according to that post, is that the caller has only a few seconds, or about 60 words, to establish their bona fides before you decide whether or not they are legitimate. In the UK there is a new wave of calls that are more believable because they are automated and use voice synthesis software to “speak” with diction and an accent that is nearly, but not quite, as good as Siri.
Brian Krebs has details and suggestions gleaned from watching vishers at work.
Protecting Your Organization at A to Z
Here at Network Solutions, we’re committed to helping you keep your organization safe online. Preventing vishing attacks is an important part of any security plan, but you also need to make sure you have the support you need and that your team members stay protected on any device.
That’s why Cyber Security Solution is such a great choice. For one low price, you’ll get access to security experts on call 24/7, plus mobile device security coverage. Combined with a smart approach to phishing, smishing and vishing threats, it’s a great foundation for a robust cybersecurity strategy.