Vishing attacks were prominent in Q4 2022, increasing 142% from Q3 2022 according to the February 2023 Trellix Threat report. Vishing, or “voice phishing,” is the act of making fraudulent phone calls to manipulate a person. Attackers will target sensitive information that can lead to a data, network, or financial breach. When malicious actors call, they often employ social engineering tactics to trick their targets. They may pose as an authority figure, technician, or fellow employee. Such was the case for Twitter in the summer of 2020. Impersonating internal Twitter employees, attackers made vishing calls to Twitter’s tech support and consumer services employees. Their instructions were simple – we need you to reset your password.
To add authenticity, attackers may “spoof” or fake their outgoing phone number. They may also use voice changers to conceal their identity or use artificial intelligence-based software to mimic authentic voices.
As you will see in the following news story, vishing led to the largest casino heist in Colorado history.
Vishing Monarch Casino
As reported by 9NEWS, a Monarch Casino cashier packed half a million dollars into a box and then drove off in a minivan. According to investigators, the cashier received a call on the casino’s phone from a man purporting to be Monarch’s head of operations. The “head of operations” told her there was a problem with a UPS order that would result in a breach of contract. She was then told to take $500,000 from the casino and bring it to St. Anthony’s hospital where it would be picked up and then delivered to a casino lawyer.
Commenting on the heist, Ron Kammerzell, a regulatory consultant for the gaming industry, said, “For something like that to happen, it would’ve had to defeat many different levels of casino controls within the property.”
The cashier told investigators she was aware of casino procedures but said she didn’t follow them because a “Casino Member” instructed her to do otherwise.
Test. Educate. Protect
The Monarch Casino heist highlights the need for each employee to receive security awareness training that focuses on social engineering tactics. Your company no doubt recognizes the need for such training but may find it difficult to implement. Social-Engineer’s Managed Vishing Service can fill this security gap for you.
Our Managed Vishing Service identifies risk and assesses vulnerability within your organization’s human network. Engagements focus on simulation of social engineering attacks, determining the potential for breaches and compromise of corporate assets. Hundreds to thousands of calls per month can be made to your employees by certified social engineers capable of pivoting and adjusting conversation like a real attacker. We do not use script-driven call center staff, and we never use robocallers!
Not sure yet if this service is right for you? We invite you to learn more about our dataset of vishing calls in the Social-Engineer State of Vishing Report. This report is the result of over 83,000 calls and countless hours spent ensuring our processes and data will help arm you with the best information about malicious social engineering attacks.
Don’t wait until it’s too late. Act now to protect your company’s brand reputation, money and assets, and sensitive information from malicious actors. Please contact us today for a Managed Vishing Service consultation.