Vishing is Out to Get You – Beware of ‘Vishcraft’
The prevalence of phishing attacks is common knowledge. Some of us have become victims of phishing attacks. Others have managed to evade phishing attacks through luck, while others used their security awareness to avoid attacks.
The problem with phishing is that it keeps evolving. Cybercriminals use a number of variations, and over time these attacks have become increasingly sophisticated. A phish is difficult to spot.
Let’s take a look at one such variant: vishing. Vishing is a type of phishing attack where criminals target potential victims through their phones.
What is vishing?
Vishing is a portmanteau made up of ‘voice’ and ‘phishing.’ It is a type of scam targeting you through your phone. The person at the other end of the line convinces you to share sensitive personal and financial information.
When the intended victim receives a vishing phone call, scammers will use all the social engineering guile at their disposal to convince you to share financial information, such as your bank account number, login IDs, passwords, and anything else that can compromise your privileged accounts. You might even receive a call allegedly from a member of your own organization asking you to share sensitive business login information. Scammers are very adept at persuading victims to share this information. They might claim to be a bank executive, a higher-up in the IT department at your place of work, or someone else. The purpose is the same: to phish for information.
The goal of these calls is to make the voice message seem as if it comes from a trusted source. The objectives are to steal your identity, overcome an organization’s network defenses, cause a data breach, or carry out other destructive acts.
The evolution of modern technology means thousands of such scam calls can be launched at the same time and the caller’s identity can be spoofed to make it look as if it is coming from a trusted source.
Strategic approach to vishing
Vishing is more complicated than it might seem. There isn’t a lone scammer calling a clutch of phone numbers hoping someone falls for their scam. Like all phishing activities, there is a lot of thought that goes into vishing:
- The scammer draws up a list of intended victims and gets to know them better by conducting focused research. The first step towards initiating a vishing call is often a phishing email sent to the victim to obtain their phone number. If the victims have shared their phone number with the scammer, the victims have developed first-level trust with the scammer, and their suspicion levels go down. They lower their guard when the scammer proceeds to call them to phish for information.
- Scammers can also skip the phishing email and start making calls to multiple people at the same time. Again, scammers have to conduct some research into the victim and create a profile which they can then dissect to craft a message to convince the victim to share the required information or take necessary action to let the scammer in.
- When the scammer has a person on the phone, they begin the process of triggering certain emotions in the victim such as fear or greed. This persuades the victim to take certain actions urgently, without thinking through the potential consequences. As discussed earlier, this is typically sharing personal information or sensitive corporate information. It’s important not to take a phishing attack lightly: a huge amount of thought has gone into it. The social engineering techniques used were not chosen randomly.
- After the victim shares key information, the scammer proceeds to fulfill their objectives: stealing money from the victim’s bank account, making unauthorized purchases with the victim’s credit card information, or breaching the IT security of the victim’s organization.
Protecting yourself from vishing
Protecting yourself from a vishing attack is easy if you are able to recognize when you are being vished. You must be able to identify the “helpful” person at the other end as a scammer. They will claim to be a bank representative, someone from your organization, or even the police.
Always make it a point to confirm their identity. If the person claims to be with IT from your office and asks you to share credentials to unlock your account, call your office to verify whether such a person actually exists. Authentication isn’t just calling your office and confirming that this person is part of the organization. Also confirm whether the information you are being asked to share should be shared at all.
In cases where the scammers claim to be from law enforcement, banks, or other key organizations, ask for information to verify their legitimacy. This could be a phone number, ID number, or anything else that will help verify identity.
Something else you should do is avoid falling into the trap of ‘urgency.’ If you receive a phone call urgently asking you to share sensitive information, take a step back, take a breath, and make sure you don’t put pressure on yourself to act. Avoid opening any email or clicking on any message this scammer will send to you as ‘follow up.’ It’s likely these emails or messages contain links that will download malware on your computer or phone, including ransomware or spyware.
The easiest way to avoid falling for vishing: just hang up if you have even the least bit of suspicion that it is a scam call.
Don’t respond, and you won’t be a victim.
Safeguard yourself from attacks
We are now spending more time on our computers than ever before because of the pandemic. Cybercriminals see unprotected home computers and smartphones as low-hanging fruit for getting at sensitive data. You need to deploy the right security solution that delivers overarching protection to your PCs or Macs. With Sophos Home, you get the same powerful, business-grade security trusted by IT professionals to protect your home computers. It is easy to deploy, manage, and use. From advanced ransomware protection to cutting-edge AI malware detection, Sophos Home delivers advanced security that protects from known and unknown threats.