If an employee falls victim to a vishing attack, it could potentially compromise an entire company. As the following statistics show, vishing is a serious social engineering attack vector facing enterprises:
- In 2021 alone, TrueCaller reports that Americans lost $29,800,000.00 to phone scams.
- As reported by First Orion, phone scammers were able to get 270% more personal information in 2020 than they did in 2019.
What Is Vishing?
At Social-Engineer, LLC, we define vishing as the practice of eliciting information or attempting to influence action via the telephone. Criminals often combine vishing attacks with phishing emails to create an enhanced sense of legitimacy for the target.
The following social engineering news stories show how criminals are vishing for victims.
- United Arab Emirates bank lost $35 million in a sophisticated bank heist using “deep-voice” technology. According to court documents, investigators in Dubai say the bank manager “received a phone call that claimed to be from the company headquarters. The caller sounded like the Director of the company, so the branch manager believed the call was legitimate.” The branch manager also received emails appearing to be from the Director relating to the phone call. Both by phone and email, the branch manager received instructions to transfer $35 million in a supposed company acquisition.
- Criminals spoofed the Henry Ford Health system name to steal patient data. Henry Ford Macomb Hospital operators have been fielding up to 200 calls a day from people saying they received a phone call from the Hospital. In some cases, the name of a former Henry Ford doctor is displayed on their caller ID.
- Microsoft Windows fake invoice scam starts with a phishing email so well-crafted it can fool experts. The bogus email includes a phone number, which sets the stage for the real scam: criminals waiting to vish the unsuspecting. If a person calls the phone number, the criminals try to get the target to download “helpful” software. In reality, that software gives the criminals remote access to the target’s computer and everything in it.
- Fraudsters are making cold calls claiming to be a Medicare “health care benefits advocate” who can help the target navigate the Medicare open enrollment sign-up process. The goal in this vishing scam is to get the target’s Medicare ID number.
- Criminals spoofed the Missouri State Capitol Police phone number. Numerous calls were made to people in Texas and Missouri attempting to get personal information.
Social-Engineer Vishing Service — Test, Educate, and Protect
Vishing attempts are difficult to monitor and trace. Because of this, attackers are increasingly using this attack vector to extract information and compromise organizations. Security audits that include simulated attacks utilizing fully trained and certified social engineers, such as Social-Engineer’s Vishing Service (SEVS), are an effective way to assess vulnerabilities.
The best way to ensure lasting behavioral change is to teach employees how to recognize and respond to vishing threats. After all, it only takes one vishing attack to potentially devastate an entire company. Please contact our team today for a quote.