Skip to main content
Vishing

Vishing on the Rise

By March 15, 2023No Comments

Over the last few years, we have seen a concerning rise in vishing. Vishing is the practice of eliciting information or attempting to influence action via the telephone. Statista reports that according to surveys of IT professionals conducted in 2020 and 2021, nearly 7 of 10 IT professionals reported having received a vishing call in 2021. This is a 54% increase since 2020. Not only is vishing becoming more prolific, but entire call centers are now being dedicate to it! One such call center was recently discovered in Ukraine, where 40 people were arrested in connection with malicious vishing. What does that mean for you and your company?

First, the statistics above show that you need to be aware that vishing is a realistic threat to your company. Secondly, you need to be proactive in protecting your employees against it. There are a couple of ways you can go about doing this; education and training/testing. You’ve already taken a great first step with education by reading this article. By taking a few minutes at a time you can learn not only what this potential threat to your company is, but also what techniques attackers can use against you. Let’s look at some of those techniques now.

Emotional Triggers

Malicious vishers use various emotional triggers to motivate their target to action. An emotional trigger is anything that sparks an intense emotional reaction, regardless of your current mood. Since we are all susceptible to emotions, we can all be susceptible to vishing attacks given the right emotional and environmental triggers. Let’s look at some of the emotions that malicious vishers attempt to induce via emotional triggers and discuss ways they may leverage them.
Vishing on the Rise

Fear

Fear is an extremely powerful emotion when leveraged skillfully. Malicious vishers use this all the time. For example, one very common vishing scam has the caller posing as the IRS. The malicious caller makes the target fear that they are in trouble with the government. Now that the target feels fear, they are more easily influenced to take the action the caller wants them to take.

Curiosity

Leaving something unanswered can act as a prompt for action. For example, the visher may say something along the lines of “we have an internal website set up that includes all the information. Let me tell you how to access it.” The visher could then direct the target to the malicious website and collect a variety of information and/or exploit the target machine for remote access.

Sympathy or Assistance Themes

Sympathy or Assistance themes are huge in vishing because humans, in general, enjoy being helpful. Because of this, asking someone for help is a simple and effective way to elicit that assistance. Be on your guard if you sense an unknown caller trying to garner your sympathy or asking for help.

Shutting Down a Malicious Caller

These are just a few of the emotions malicious vishers may attempt to influence you to feel. Being aware of these tactics can help you keep your emotions in check if you feel yourself getting caught up in the moment on a call with an unknown caller. Take a moment to pause, and really think about what the caller is asking you to do or trying to get you to feel. Sharing this information with your employees is a great start to the educational process of understanding vishing. Here are some helpful steps to shutting down a malicious caller that you can share with your employees:

  • Ask for name, company, title, and phone number. Be aware that advanced attackers may have legitimate numbers to call back, so verification of that number may also be a necessary step.
  • Do not use caller ID alone to verify. Attackers use spoofing technology. If the call appears to be from an internal number, verify their employee ID first.
  • Know what tech support and HR can ask for over the phone.
  • Know how these departments are supposed to verify themselves.

Vishing on the rise

Training/Testing

Although sharing what you have learned thus far is a great first step, more is needed. By far the most successful way to prevent your company from succumbing to a vishing attack is with training and testing. Testing your employees with live, safe vishing calls is the best way to teach them how to shut down malicious callers. This hands-on training with real callers shows them how to handle these situations and prepares them for a time when your company may be the one targeted.

Written by: Shelby Dacko

At Social-Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:

https://www.social-engineer.com/offensive-security/

Images:
https://www.consumercellular.com/blog/how-to-create-a-3-way-call-on-a-mobile-phone/
https://www.psychologytoday.com/intl/blog/emotions-in-the-field/202209/being-expert-in-emotion-4-key-characteristics
https://www.ruby.com/blog/how-to-end-a-phone-call/

Tags:

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now