Vishing (voice phishing) is a type of phone fraud which uses social engineering to extract information or credentials from a victim. Attackers often use a pretext to misrepresent their authority or position in order to trick the victim into compliance, and often use caller ID spoofing to make the victim believe the call is coming from inside the organisation or from someone the victim knows.
Voice phishing attacks can be one-off attacks attempting to harvest account sign-ins, credit card data or personal information, or they can form part of a multi-stage attack, gathering information and building rapport with victims for use in later stages.
In the consumer sphere, we all know how bad scam phone calls are getting. In many homes the only time the landline rings is when there is some kind of automated scam call. Americans get 2.4 billion robocalls every month, with the situation in Europe not far behind. These, however, are untargeted “spray and pray” attacks. In the same way that there are different levels of phishing, there are simple vishing attacks and more calculated, targeted “spear-vishing” attacks.
Statistics on vishing attacks against organisations are not widely available, as many companies are unwilling to share cases that expose flaws in their internal processes unless they lead to a reportable breach. However, given its success in the consumer field and the increasing awareness of vishing and other forms of social engineering, the number of reported attacks is rising.
Vishing works by impersonating a legitimate individual on the telephone and then using psychological tactics to persuade the victim to give information or access to the attacker. The attack works because victims often don’t know the value of the information they are giving out and think they are being helpful.
Voice phishing is a fast-paced, real-time interaction, which allows the attacker to deliver a highly targeted and personalised attack that adapts in response to the victim’s reactions. A skilled attacker can think on their feet and switch to whichever approach suits the victim best. Some attackers have been known to use voice-changing software to make the attack more plausible.
This type of social engineering attack is ideally suited to exploiting the principle of urgency: frightening and coercing the victim into acting quickly, without time to reflect or to confirm the validity of the request. The attacker stresses that the action must be taken NOW, ideally while the attacker is still on the line, so that they can talk the victim through the entire process and make sure it is done “correctly”.
Open Source Intelligence, or OSINT, is a key component of vishing: it is the research used to build the pretext, the believable backstory that underpins the attack. When we receive a call, we decide on the legitimacy of the caller very quickly, using the caller’s tone and the words they use to judge friend or foe. Imagine you work for an insurance company; you are at your desk hammering out a Word document before lunch.
The phone rings: “Hi, it’s Jane from New Policies, I’ve got this underwriting case sent over from QPC Brokerage, I could really do with some more info than I’ve got... could you have a quick look...”
You don’t know Jane, but you get calls like this all the time, you work in policy admin after all. “Sure,” you reply, “what’s the CKR number?” “They haven’t got one yet... the name’s Tim Jones, the DOB is...”
Jane sounds kosher, doesn’t she? But how hard is it to find this information, either online or from a previous call?
Voice phishing attacks are very flexible and will often be adapted to target the specific assets of a company. However, there are common vishing pretexts to be aware of, ones which work in many situations or are less targeted. They go after low-hanging fruit, but they would not still be in use if they did not succeed. Common reported vishing pretexts include:
Bank fraud investigation:
The most widespread form of vishing attack in circulation. The caller claims to be from your bank and to be investigating fraud. They “authenticate” themselves by giving you some information about your accounts which “only the bank could know”, then ask for confidential information or a code “for verification”. If they get it, they use it to make unauthorised transfers from your account.
IT department:
The caller claims to be from the company IT department. The call often opens with a large amount of computer jargon to demonstrate authority and push the “ignorant” victim into complying. The caller says they are going to walk the victim through an update or antivirus check, when in fact they instruct the victim to hand over credentials or install externally hosted malware.
CEO or other authority figure:
CEOs and other authority figures in an organisation are popular choices for a vishing pretext because of people’s willingness to bend rules and comply with authority in most organisations. Attackers will often use a time constraint to keep calls short and abrupt in order to minimise the risk of discovery.
Customer or client in difficulty:
Everyone loves helping their customers; going the extra mile is embedded in customer service culture. Helping a customer can sometimes involve blurring the lines of company policy and giving information or access that should not be permitted. Callers often leverage emotion, using urgency, distress, time constraints and other pressures to get diligent staff to “help out”.
That “extra mile” can take you into territory where the caller shouldn’t be, for example getting information on internal technology and processes which can be.
Charity appeal:
The caller is collecting money for a charity, perhaps linked to a hurricane, natural disaster or pandemic. They ask for personal details, email, and perhaps details of your friends and family, pulling on the emotional response and the desire to help. During the pandemic we were hit with the “in it together” and “Clap for the NHS” messages.
Knowing that criminals and hackers use a range of different methods to scam individuals and employees means you can be on your guard against potential attacks. According to research, 75% of victims reported that the attacker already had some personal information on them when they made the call.
Be helpful but defensive
Assist the caller where you can, but remember you don’t know this person or what their motive is. Keep a level of healthy scepticism.
Stay calm
Like all forms of social engineering, vishing frequently uses fear and urgency to “bump” the listener into doing something they wouldn’t do if they thought about it more calmly. Stay calm; if you feel you are being emotionally overloaded, put the caller on hold or use an excuse to remove yourself from the situation.
Call them back!
If you get a feeling that something isn’t right, act on it and ask to call them back. Then call back on a publicly listed number, not the one they give you.
Don’t give out valuable information over the phone
Don’t feel obliged to give out credentials or confidential information over the phone just because someone asks for it.
Treat urgency as a red flag
The fact that someone claims to need something urgently should be a red flag that something could be amiss, not a reason to comply automatically with the caller’s request.
Don’t be afraid to say NO
If a request is not justified, don’t be afraid to reject it. You can do this by deferring to authority (tell them you need to check with your manager) or by politely declining and citing your company’s policy on information disclosure.
Don’t log in to a phishing site.
Don’t navigate to an unknown website that the caller asks you to log in to. Remember that the caller will be prepared for a refusal; it is no good saying no to the first request if you give in on the second attempt. Stand your ground!
Don’t trust caller ID
It is simple for attackers to change or spoof the number displayed on your handset. OFCOM advises that caller ID should not be used as a means of verifying a caller’s identity.
8 Ways to Protect your Organisation Against Vishing
1. Create a company policy on Vishing. Make sure your staff know what to do in the event of a suspected vishing call.
2. Train staff to defend against vishing and other forms of social engineering. Staff need effective and ongoing training in social engineering techniques as part of their cybersecurity and data protection training. Teams that regularly deal with attempted vishing calls should role-play their responses to improve their defences against skilled social engineers.
3. Make it easy for staff to report vishing attempts.
4. Positive security culture. Promote, don’t penalise, staff who take security seriously. Staff need to know that you have their back if they stick to their guns when refusing to give out information to a caller.
5. Know your company’s key assets.
What do you have that is most appealing to attackers? Is it money, IP, personal data, commercial information or something else? By identifying (and protecting) your key assets your team is more likely to identify a targeted vishing attack.
6. Keep company information within the intranet. Where possible, keep important company information accessible only to logged-on staff. This makes OSINT, and building an internal pretext (one where the caller pretends to be a member of staff), harder for attackers.
7. Conduct OSINT against your company and limit the information found. OSINT is crucial for social engineering attacks like vishing. It is the basis for creating convincing internal pretexts. By understanding what information is in the public domain, it is easier to distinguish between actual insiders and those who have simply done their research. A further step is to conduct a social engineering vulnerability assessment to see how information can be exploited in a social engineering attack.
8. Include a vishing attack in your attack simulation exercises. The best way to be sure your organisation knows how to deal with a vishing attack and its aftermath is to include it as an exercise inject in your crisis management team (CMT) exercises. This lets you play through the attack in a safe environment, update your processes and documentation, and respond more rapidly and effectively in the event of a real attack.
Vishing calls should be reported to your infosec team in the same way as you would report a phishing email. It is vital that this is done quickly in case this is part of a multi-stage social engineering attack. You should record:
- The phone number the call came from.
- The information that was requested by the caller.
- Who they claimed to be.
- What (if anything) was disclosed.
- What company or confidential information they used as part of their pretext.
- Any call back number they may have given you.
Assess the information lost and its impact.
- Is regulatory disclosure required?
- Does anyone else need informing?
- Was the call recorded?
- Evaluate why the attack was successful and what changes need to be implemented.
- Work with the victim to find out what would have helped them prevent this attack.
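The reporting checklist above only pays off if the infosec team actually correlates reports, because a stage-one call that harvests a harmless-looking detail is what makes the stage-two call convincing. The following is an added example, not code from the original article: a small Python triage that records the checklist fields, flags disclosures that need a regulatory review or a credential reset, checks any caller-supplied call-back number against a published directory, and links reports where something disclosed in an earlier call reappears as “inside knowledge” in a later one. The published numbers, the data categories, the UK-style number normalisation and the sample reports are all constructed assumptions for this example.

```python
"""Triage and correlate vishing reports (added example; not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical published switchboard numbers (digits only) that staff may call back on.
PUBLISHED_NUMBERS = {"441632960100"}

# Categories used to decide escalation. These are assumptions for the example,
# not policy from the article; tune them to your own data classification.
PERSONAL_DATA = {"customer name", "date of birth", "home address", "policy number"}
CREDENTIALS = {"password", "mfa code", "vpn login"}


@dataclass(frozen=True)
class VishingReport:
    """One report, with the fields the reporting checklist asks staff to record."""
    report_id: str
    reported_at: datetime
    caller_number: str                # as displayed; may be spoofed, so never trusted for identity
    claimed_identity: str             # who the caller said they were
    requested: frozenset[str]         # what the caller asked for
    disclosed: frozenset[str]         # what was actually given out
    pretext_details: frozenset[str]   # internal facts the caller already knew
    callback_number: Optional[str] = None


def normalise_number(number: str) -> str:
    """Reduce a displayed number to digits. Assumes UK numbering: a trunk-prefix '0'
    becomes '44' and an international '00' prefix is dropped."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return "44" + digits[1:]
    return digits


def triage(report: VishingReport) -> list[str]:
    """Flags that decide who else needs informing about a single report."""
    flags: list[str] = []
    if report.callback_number and normalise_number(report.callback_number) not in PUBLISHED_NUMBERS:
        flags.append("callback number not in published directory")
    if report.disclosed & PERSONAL_DATA:
        flags.append("personal data disclosed: regulatory review")
    if report.disclosed & CREDENTIALS:
        flags.append("credentials disclosed: reset and check for account misuse")
    return flags


def multi_stage_links(reports, window: timedelta = timedelta(days=14)) -> list[tuple[str, str, str]]:
    """Pair reports within the window where a disclosure from an earlier call is reused as
    inside knowledge in a later call, or the same displayed number or persona recurs.
    Returns (earlier_id, later_id, reason) tuples, strongest reason first per pair."""
    ordered = sorted(reports, key=lambda r: r.reported_at)
    links: list[tuple[str, str, str]] = []
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.reported_at - earlier.reported_at > window:
                break  # reports are time-ordered, so nothing later can be in the window
            reused = earlier.disclosed & later.pretext_details
            if reused:
                links.append((earlier.report_id, later.report_id, f"reused disclosure: {sorted(reused)}"))
            elif normalise_number(earlier.caller_number) == normalise_number(later.caller_number):
                links.append((earlier.report_id, later.report_id, "same displayed number"))
            elif earlier.claimed_identity.lower() == later.claimed_identity.lower():
                links.append((earlier.report_id, later.report_id, "same claimed identity"))
    return links


# Constructed sample reports for the example (not real incidents).
SAMPLE_REPORTS = [
    VishingReport(report_id="R1", reported_at=datetime(2023, 3, 1, 11, 40),
                  caller_number="0161 496 0111", claimed_identity="Jane, New Policies",
                  requested=frozenset({"underwriter name", "policy number"}),
                  disclosed=frozenset({"underwriter name", "policy number"}),
                  pretext_details=frozenset()),
    VishingReport(report_id="R2", reported_at=datetime(2023, 3, 6, 9, 15),
                  caller_number="+44 20 7946 0222", claimed_identity="IT helpdesk",
                  requested=frozenset({"vpn login"}), disclosed=frozenset(),
                  pretext_details=frozenset({"underwriter name"}),
                  callback_number="020 7946 0999"),
    VishingReport(report_id="R3", reported_at=datetime(2023, 5, 2, 14, 0),
                  caller_number="0161 496 0111", claimed_identity="Jane, New Policies",
                  requested=frozenset({"policy number"}), disclosed=frozenset(),
                  pretext_details=frozenset()),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.report_id, triage(r))
    for link in multi_stage_links(SAMPLE_REPORTS):
        print(*link)
```

Run stand-alone it flags R1 for a personal-data disclosure, flags R2 for a call-back number that is not in the published directory, and links R1 to R2 because the underwriter’s name given out in the first call was used as the pretext in the second; R3 falls outside the 14-day window and is not linked even though the displayed number and persona match.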