A reformed cyber-criminal who popularized the term “social engineering attack” famously pointed out that “it is far easier to trick someone into handing over, say, their password than to go to the trouble of hacking them.” This approach has taken hold in the cyber-crime world, with social engineering and phishing attacks—when an attacker poses as an authority figure via email or a website to trick a victim into divulging sensitive data—costing businesses $676 million in 2017, according to the FBI. Now an even simpler attack is gaining traction.
With voice phishing, known as vishing, a fraudster tries to persuade victims to give out personal or business details, or make money transfers over the phone. Although it sounds elementary, vishing has become so successful that industry insiders and security professionals are calling on companies to take this threat extremely seriously.
How to Identify a Vishing Scam
Consider a call from your company’s bank—with the banker calling you by name and with information about your business address. They’re calling to alert you that your business account has been compromised and they have set up a secure account, you simply need to transfer the funds. This setup has lured many vishing victims.
So how can your company protect it’s resources from vishing? Simply knowing common techniques of vishing fraudsters is the first step to helping employees identify and evade an attack:
They already know you. In the most effective vishing scams, the cyber-criminals already have some information about a victim—all it takes is for them to have someone’s name, address, phone number, and bank name to convincingly con a victim into believing they are who they say they are.
A sense of urgency. Fraudsters feed on fear, knowing that if victims think money or data is vulnerable and must be quickly protected, people are more likely to act before they think it through.
Sounds official. These cyber-criminals are pros, paying attention to details like background noise—it sounds like they’re in an office or call center—rather than a criminal in a basement.
Line hang. Vishing fraudsters have been known to hold the telephone line, so when a potential victim tries to hang up and call the bank, they end up right back talking to fraudsters.
Phone number spoofing. Vishers use a phone number that appears to come from a believable location to make their call seem more genuine and convincing.
Protection Through Education
What can you do to protect your company? Security training, security training, security training. Although it seems like a broken record, the message is constantly repeated by industry experts because it’s true—cybersecurity training of all staff members is the best way to combat social engineering attacks, like vishing scams.
With regular and ongoing training, employees can become vigilant about security. All employees should confidently know to never provide personal or company banking and credit card information over the phone. Everyone should understand the merely hanging up will not thwart a cyber-criminal. It’s important to use a different phone, for example, to call back via a verified number to ensure the source is legitimate. There are very specific steps that must be taken to effectively stop attacks. Consulting a cybersecurity professional is the most reliable and effective path to creating a security awareness program and information security strategy.