Over the past two decades, the security industry has made significant strides in using technology to secure technological assets. However, the human factor in cybersecurity often remains overlooked. Consequently, cyber attackers have shifted their focus from targeting technology to targeting people. Among the various methods they employ, the three most common are phishing, smishing, and vishing. This blog series delves into these methods, the tactics and techniques used by cyber attackers, and how you can protect yourself.
What is Vishing?
Vishing, short for voice phishing, involves cyber criminals making phone calls to deceive individuals. Unlike phishing, which uses emails, vishing relies on phone calls or voicemail messages to trick people into revealing sensitive information, such as passwords or credit card details.
The rise in random voicemails and phone calls asking for passwords or payments is due to the difficulty organizations face in securing personal mobile devices. Security teams often lack the visibility and control over personal phones that they have over workstations, making mobile devices a vulnerable target.
Vishing attacks are challenging to identify and filter. As a result, when a cyber attacker calls a potential victim, the call is more likely to reach its target. Over the phone, attackers can create a sense of urgency and trust that is harder to achieve through email or text, making these attacks more effective and profitable.
Common Vishing Attacks
Vishing attacks come in various forms, but here are the most prevalent types:
1. Tech Support Calls: Cyber attackers impersonate IT support, calling individuals and requesting their passwords to “reset” accounts. These attackers sound convincing and aim to manipulate victims into divulging sensitive information.
2. Government Agency Calls: Attackers pose as government officials, claiming that the victim owes taxes and must pay immediately to avoid jail time. Their goal is to obtain credit card details and money.
3. Tech Support Callbacks: Instead of making the initial call, attackers trick victims into calling them. This approach bypasses phone call filters and builds inherent trust, increasing the likelihood of success. They may send texts or emails prompting the victim to call a provided number, leading to the theft of information like PayPal passwords.
4. Automated Calls: Automated calls, or robocalls, deliver messages about expired warranties, approved refunds, undelivered packages, or suspicious charges. These broad attacks target millions, akin to generic phishing emails.
Protecting Against Vishing Attacks
Despite the focus on phishing in many security training programs, vishing attacks require equal attention. Employees well-versed in email-based threats might overlook voice-based ones. Rather than detailing every vishing tactic, training should emphasize recognizing the common indicators of an attack, which apply to vishing and to other phishing methods alike.
Key Indicators of Vishing Attacks:
- Urgency: Calls that create a sense of urgency, pressuring victims to act quickly and make mistakes. For instance, the government will never call about overdue taxes; they send official documents by mail.
- Pressure: Calls that pressure individuals to bypass company policies, such as someone pretending to be IT support demanding a password.
- Curiosity: Calls that pique curiosity or sound too good to be true, like messages about undelivered packages or unexpected refunds.
- Tone: Calls that sound off, with the caller’s words or tone not matching those of a genuine coworker or friend.
Vishing is becoming a favored attack method due to its simplicity and effectiveness. By educating your workforce about vishing and its common indicators, you can significantly reduce the risk of falling victim to such attacks.
Source: https://www.sans.org/blog/a-tale-of-the-three-ishings-part-3-what-is-vishing/
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.