Vishing: a growing threat against companies
You’ve likely come across the term phishing before. It is the name for a criminal technique that deceives an Internet user with a false message, usually to get the victim to download a malicious file or hand over sensitive data. Less well known is vishing, a fusion of the terms "voice" and "phishing", which denotes fraud carried out over telephone calls.
Less common than "traditional phishing", vishing has always been viewed by the information security community as a tactic more focused on harming the end user. However, over the past few years, we have seen an increase in the use of this fraud in campaigns against corporate environments, too, often with the intent of stealing intellectual property or extorting money through supposed charges to the finance department. Even the US Health Sector Cybersecurity Coordination Center (HC3) has issued an alert on the subject.
"Voice phishing, also known as vishing, is the practice of obtaining information or attempting to influence actions over the phone. Throughout 2021, HC3 noted a sharp increase in these attacks across all industries. Social engineering techniques continue to be successful in providing initial access to organizations, and the healthcare industry must remain alert to this evolving threat, with an emphasis on user awareness training", the agency emphasizes.
Why the increase
A few factors explain the increase in vishing attacks against corporations, and the main one is the popularization of remote work. With staff dispersed, employees often use their own smartphones and phone numbers to receive work-related calls. As a rule, a person is more susceptible to a criminal's social engineering during a live conversation than when reading something on a computer screen: in a conversation we have less time to think and feel pressured to respond quickly.
As we said before, the motivations behind a vishing scammer can be manifold. This type of attack can be used to deliver malware, steal data, perform financial fraud, or simply cause disruption to company operations. If combined with business email compromise (BEC) - where a fraudster impersonates a CEO or another company executive - vishing is also a powerful weapon for extorting employees, especially those at a lower level.
Speaking of combinations with other malicious tactics, it is important to mention that vishing can occur in two ways. Most commonly, a victim gets a call from a scammer, though the victim may also be coerced through conventional phishing to call the criminals themselves. Usually, scammers find some way to convince the target that contact is required with a supposed customer service center, for technical support for some software used in the corporate environment, and so on.
How to protect yourself
Fortunately, it is not very difficult to spot a vishing attack, since its characteristics are similar to traditional phishing. Be wary if, during the call, the person on the other side of the line is rushing to "solve this urgent problem" or asks for too much information. Also, always remember that banks and government institutions, for example, never contact you requesting passwords or personal data, so beware of supposed spokespersons for these types of organizations.