Today, social engineering attacks are one of the most common cyber threats faced by organisations. They were used in 98% of cyber-attacks in 2021, while approximately 70% of IT personnel have observed employees getting tricked by them since the start of COVID-19. The effectiveness and prevalence of social engineering owe much to how it targets people’s flaws; it is the malicious act of psychologically manipulating individuals to perform certain actions or divulge sensitive information. This sort of cyber-attack has many variations, including phishing, honey traps, and baiting.
In the past two years, one type of social engineering has been receiving extra attention – vishing. The numbers speak for themselves: vishing attacks more than quintupled in volume last year. This trend is even more worrisome given the finding that vishing can triple the success rate of an average targeted phishing campaign. Hence, vishing is a rising menace that organisations must take diligent precautions against.
Below, we have outlined the details of this rising social engineering attack and how organisations can defend against it.
Vishing is a portmanteau of the words ‘voice’ and ‘phishing’. Like phishing, the goal of vishing is to lure unsuspecting individuals into disclosing confidential information, such as bank account PINs and login credentials for company accounts. Scammers can then abuse such data to commit fraud, infect systems with malware or steal money. However, in contrast with phishing, vishing uses phone calls, rather than text messages and emails, to contact targets. There are also instances where vishing follows a phishing email: scammers include their phone numbers in such emails so that victims follow up on the emails’ sham content by calling.
To disguise their identities, fraudsters may use chatbots or voice-altering software while making calls. A more advanced and frightening version of the latter is voice cloning, which can tune a scammer’s voice to sound like someone familiar to the victim, such as their company’s CEO, in order to lower their guard. Caller ID spoofing and Voice over Internet Protocol (VoIP) are also used by vishing criminals to conceal their identities or impersonate legitimate callers. The former involves falsifying the caller ID information shown to the recipient, for example listing themselves as ‘Unknown’. The latter lets them create fake phone numbers that are hard to trace and can appear local.
A typical vishing call proceeds as follows: the scammer first falsely introduces themselves as a representative of a trustworthy organisation, such as a bank, a government agency or the police. It is also common for them to pose as technical support or customer service staff. While talking to the victim, the fraudster uses a variety of persuasive techniques to manipulate them into sharing private information. They may try to build rapport, adopting a friendly persona to convince the target that they are providing much-needed assistance. They may also take a forceful approach, warning victims of severe consequences for not following instructions, such as arrest, criminal charges or terminated bank accounts.
Vishing attacks have skyrocketed during the COVID-19 pandemic, becoming so severe that the United States Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to warn companies about them. In the notice, the FBI cautioned that vishing phone calls were typically used to deceive employees of US and international companies into visiting a phishing webpage. This allowed threat actors to capture their usernames and passwords, gain broader network access, escalate the privileges of compromised accounts and inflict heavy financial damage.
The significant rise in vishing during the COVID-19 era may be driven by the increased popularity of remote working; employees will often store valuable company information on personal devices such as their smartphones and laptops, as well as have remote access to their company’s resources. This is also a problem of Shadow IT, in which personnel are using unreported work tools that are neither assessed nor managed by their organisation’s IT department. Due to this, when employees’ devices are hacked in a vishing attack, it is harder for their company’s IT team to respond efficiently to the incident. This potentially results in higher losses for the business.
One high-profile case of vishing occurred in July 2020, with the social media platform Twitter as the victim. Vishing criminals masqueraded as technical support staff and managed to break into the company’s internal network and other systems. Thereafter, they targeted employees who had access to account controls and hacked into the accounts of high-profile individuals to post Bitcoin scams, conning victims out of more than $100,000 in cryptocurrency.
The claim to represent a legitimate entity is a key component of a vishing attack’s emotional lure. As people typically trust familiar organisations or figures, especially those with authority, they are expected to be more compliant with requests from them. This behaviour pattern is what a vishing attack targets and leverages for unscrupulous means. As a reminder, neither official institutions, like banks or governmental agencies, nor your work colleagues will ever ask you for your sensitive data via email or phone, especially not in its entirety.
Stay wary of callers expressing a sense of urgency or exerting pressure on you to commit a certain action quickly, so as to resolve an issue that is time-sensitive in nature or bears serious consequences.
Another telltale sign of a vishing attack is if the caller asks to access your computer or other devices remotely.
Exercise caution when dealing with any form of request for sensitive information, especially when it happens out of the blue. No matter how official or confident the caller sounds, refrain from providing account numbers, PINs, login credentials or other information that typically should only be known by you. You should ensure the legitimacy of such requests by asking the callers for proof of their identity. And even if they do provide you with answers, remember to conduct a fact-check on their claims – before doing anything they say, call them back using a phone number listed on the official website and resources of the organisation they claim to represent.
It is in your company’s best interests to grant employees and third parties only the access rights they need to fulfil their job responsibilities. This applies to all access to the organisation’s network, resources, data and other assets. It is also advisable to conduct regular checks to verify that privileges still correspond to each person’s current role and that ex-employees have had their access rights withdrawn. Carrying out these two actions helps limit the damage a vishing attacker can inflict on your organisation’s systems and network, even if they manage to compromise the work device of a present or past employee.
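One way to make the two checks above routine is to reconcile what the directory has actually granted against the HR roster and a per-role least-privilege baseline, and to flag anything that does not fit. The script below is an added example written for this article; it is not GROUP8’s code or any product’s API. The roster, role baseline and grants are constructed sample data, and the finding types (orphan, stale, excess) are names chosen here.

```python
"""Periodic access review: compare granted entitlements with the HR roster
and a least-privilege baseline per role.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str  # "active" or "terminated" (HR record)


# Constructed HR roster export.
ROSTER = [
    Person("alice", "finance-analyst", "active"),
    Person("bob", "helpdesk", "active"),
    Person("carol", "engineer", "terminated"),      # left the company
    Person("dave", "contractor-auditor", "active"),
]

# Constructed least-privilege baseline: what each role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance-analyst": {"erp:read", "vpn"},
    "helpdesk": {"ad:reset-password", "vpn"},
    "engineer": {"vpn", "git:write", "prod:ssh"},
    "contractor-auditor": {"erp:read"},
}

# Constructed export of what the directory / IdP has actually granted.
GRANTS: Dict[str, Set[str]] = {
    "alice": {"erp:read", "vpn", "prod:ssh"},   # prod:ssh exceeds her role
    "bob": {"ad:reset-password", "vpn"},        # matches baseline exactly
    "carol": {"vpn", "git:write", "prod:ssh"},  # terminated, never revoked
    "dave": {"erp:read", "vpn"},                # vpn not needed for the role
    "mallory": {"vpn"},                         # no HR record at all
}


def review_access(roster: List[Person],
                  baseline: Dict[str, Set[str]],
                  grants: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per account that needs attention.

    orphan : account has grants but no HR record
    stale  : person is terminated but still holds grants
    excess : active person holds grants beyond their role baseline
    """
    people = {p.user: p for p in roster}
    findings = []
    for user, granted in sorted(grants.items()):
        person = people.get(user)
        if person is None:
            findings.append({"user": user, "type": "orphan",
                             "entitlements": sorted(granted)})
            continue
        if person.status == "terminated":
            findings.append({"user": user, "type": "stale",
                             "entitlements": sorted(granted)})
            continue
        excess = granted - baseline.get(person.role, set())
        if excess:
            findings.append({"user": user, "type": "excess",
                             "entitlements": sorted(excess)})
    return findings


def revocation_plan(findings: List[dict]) -> Dict[str, List[str]]:
    """Everything listed in a finding is a candidate for revocation:
    for orphan and stale accounts that is every grant, for excess only the
    grants beyond the role baseline."""
    return {f["user"]: f["entitlements"] for f in findings}


if __name__ == "__main__":
    for finding in review_access(ROSTER, ROLE_BASELINE, GRANTS):
        print(f"{finding['type']:6} {finding['user']:8} {finding['entitlements']}")
```

Run against a real directory export, the only parts that change are the three inputs; the review logic stays the same, and the output is a concrete list of what to revoke rather than a vague reminder to “check privileges”.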
Holding cybersecurity education workshops periodically is indispensable to protecting your company and employees against many cyber threats. When teaching employees about vishing protection specifically, it is best to address the issue of responsible password and device management. Just as essential is to foster mindfulness in staff towards the type and level of information they publish on their social media accounts. Other important general tips for how employees can defend against vishing include:
• Avoid talking to strangers: Do not respond to phone calls from unrecognisable numbers. Calling back is also ill-advised. Instead, let the call go to voicemail and listen to the message carefully.
• Look out for social engineering tricks: Remember that scammers use scare and pressure tactics to make victims reveal sensitive information while in a state of panic. If employees do end up answering a threatening call from an unknown number, they should stay calm and avoid disclosing any private information about themselves or the company at all costs.
• Inspect potential vishing emails for irregularities: Scammers can give away their identity through the errors in their email’s spelling, language or tone, among other things. While checking the validity of a suspicious-looking email, refrain from clicking on any links and attachments or calling any phone numbers provided inside.
The key to developing a robust defence system against vishing threats is implementing multi-factor authentication (MFA) across your entire organisation. Since MFA requires users to pass extra layers of authentication, it defends employees’ accounts from being easily hacked even when their passwords are known by vishing threat actors.
Implementing technical security controls is essential to prevent, respond to, and dampen the impact of various cyber-attacks, vishing included. Standard security tools that you should utilise to protect your organisation and employees include antivirus software, endpoint detection and response solutions, and web filters.
As technologies evolve, so too do cyber threats. Vishing is only one of the many types of cybercrime to make the headlines in recent times, and organisations should brace themselves for more attacks to occur in the coming years. Thus, consider working with a reputable cybersecurity firm to keep your organisation secure for the road ahead.
At GROUP8, we are well-equipped to help businesses build a solid cybersecurity infrastructure, protect their critical assets, and be in control. As such, we provide a suite of industry-leading cybersecurity services in Singapore, including pen tests, that can be tailored according to your organisation’s needs. Do not hesitate to reach out to us at hello@group8.co to learn more.