What Is Vishing and the Ways to Prevent It


In order to keep your personal and company data secure, it is important to be aware of cyber threats such as Vishing.

Much like Phishing, this scam involves tricking potential victims into disclosing information via a variety of methods over the phone.

This means Vishing is easily conducted and hidden among the vast number of phone calls your company receives every day.

No matter how big or small your business is, Vishers can attempt to penetrate your systems and networks to access your data, so you and your team must be alert at all times.

It is important that you and your company understand exactly how these attacks can occur, and how to detect and prevent them as much as possible.

Therefore, this blog post will provide you with an exact definition for what Vishing is, examples of how attacks can occur, and how to prevent scammers from stealing your personal or company information.

So, let’s get started.

What is Vishing?

Vishing is a type of phishing scam that is conducted by attackers over the phone or via voicemail.

Vishing, or ‘Voice over Internet Protocol Phishing,’ tricks victims into revealing or surrendering their confidential personal information, particularly financial details such as:

  • Card details
  • PINs
  • Passwords
  • Social Security numbers
  • Account numbers

Threat actors can use various tactics to con victims over the phone, or in their voicemail inboxes, in order to steal information for identity theft, or financial gain.

How Does it Work?

This type of scam can occur in different forms: sometimes software is used to steal information, whereas in other cases hackers may use scare tactics or play on victims’ emotions.

These are just a few ways in which Vishers can attack your company data:

  • VoIP – Voice over Internet Protocol technology allows threat actors to create fake phone numbers that appear to be from a trusted source, which means victims are more likely to share their information.
  • Emotional leverage and scare tactics – it is easier for scammers to convey emotion over the phone than via email or text messages, and this can be the push that causes victims to hand over their information.
  • War Dialing – with this method scammers can call hundreds of phone numbers at once within a specific area code, and when victims answer, an automated message will play from a fake institution or organisation.

Scammers can use one, or all of these methods when planning a Vishing attack, and they can be used within voicemail scams, fake client calls, and within Robocall software.

This leads us nicely onto our next section that provides some detailed examples of what Vishing may look like.


Vishing Examples

There are a few different examples of how Vishing attacks can occur, so it is important to be aware of them if you are going to successfully detect and prevent scams.

Robocall

A Robocall is a type of software that feeds a pre-recorded call to every phone number in a specific area code.

All that is required is for potential victims to answer the call, and the automated message will ask for personal information posing as a known organisation such as a client, bank, or governmental institution.

The answers to these questions are then recorded through the Robocall software, and the information can then be used to steal financial information, or funds directly from accounts.

Caller ID Spoofing

For this method, scammers can use specific software to create fake caller IDs, for example a number that looks very similar to that of a legitimate company.

Vishers use these numbers to call potential victims, passing as a trusted institution, and therefore getting people to answer the phone.

In some instances, if calls are left unanswered, hackers may leave a voicemail and incorporate a voicemail scam into this method too.

Voicemail Scam

Voicemail scams involve using voicemail notifications to hack into personal or company accounts.

This example of Vishing involves Phishing too, as a hacker will send a Phishing email to a potential victim notifying them of an unopened voicemail in their inbox, instructing them to call them back.

However, they will provide a fake number, different to the company number originally used, so victims will call this number instead and end up on the phone with the scammer.

If the victim is still unaware, they will likely provide confidential information, thinking that the phone call is from a credible company.

The scammer can then go on to use this information to steal identities, and personal data.

Tech Support Call

This type of Vishing attack is widespread and common within large organisations, as some employees may not know all of the members of your IT support team.

Scammers will call potential victims and act as a member of tech support within your company, and they will inform them that they need to conduct an update, or a repair on their system.

If victims provide their password during the call, scammers can use this to further steal information from their network.

It must be part of your company practice that the tech support team will never ask for another employee’s password over the phone; instead they should meet in person in the workplace, or converse via the company emailing system.

Client Call

Client call scams are conducted by scammers who find old invoices, and pose as one of your clients by asking for an invoice to be paid.

This Vishing method relies on a sense of urgency, and if victims are caught off guard they may be convinced to hand over information to get the invoice paid.

Those who answer the call may not take the time to verify the caller, due to the urgent or demanding language being used, and may just give the financial information away immediately.

Therefore, it’s crucial that companies have a two-person verification system for over-the-phone invoice payments, so that all invoices and callers are approved before any money is released.


How to Detect Vishing

Vishing can be detected by looking out for signs that indicate the phone line isn’t safe, the caller is acting in a demanding way, or there is emphasis on providing confidential information.

If callers use a demanding tone it is good to be cautious, for example if they consistently ask for personal details while acting as a credible institution, such as a bank, or client.

This tone may be used alongside the request for personal information, which can apply pressure, and cause victims to feel obliged to surrender information.

Information requests should be calm and from a reputable caller, and any demands or pressure may be the sign of a scammer.

Equally, if any call you receive is unexpected, it is important that you do not answer, or answer with caution, which means withholding personal information until you have verified the source of the call.

How to Prevent Vishing

As outlined above, there are some precautions you can take to detect Vishing, however it is a form of scamming that is particularly difficult to detect and prevent.

Some companies can use ‘No Caller ID’ as part of their security system, so it can be difficult to know exactly who to trust, and who may be a potential scammer.

Therefore, we have provided a few ways below that you can be better prepared for Vishing scams, to better protect your company information.

Verify the Identity of the Caller

Before you answer any questions it is important to verify the identity of the person you are speaking to.

If you’re unfamiliar with the company or caller, this can be done by asking for details such as:

  • A full name
  • The company they work for
  • Their employment position
  • The contact number for their company

This way you can be sure who you are talking to and feel comfortable to share information if they need it.

However, it must be highlighted that it is much safer to provide confidential company information in person whether this is with a bank, the government, or another client, as the identities of all parties can be confirmed.

Equally, government agencies and institutions will rarely ask you to pay, or make a payment to you over the phone.

However, if you are required to provide details over the phone, while you are on the call you should cross-check the number that’s calling with the number of the company the caller is claiming to work for.

This way you can continue with the call upon checking the validity of the number, as you are then safe from attackers.

Pay Attention on All Phone Calls

When you are on a call with anyone, it is important to stay vigilant and pay attention at all times, as questions may slip your mind and you may reply out of habit.

Equally, if the call or message you are receiving is automated, don’t press any buttons in response to questions if you are unsure who the caller may be.

To protect your information, carefully listen to the tone and language being used by the caller, for example if they’re using time sensitive or persuasive language such as, “once in a lifetime opportunity” this may be a sign of a scammer.

Give Out Information With Caution

If an unknown number or no caller ID calls you, you should not give out any form of information to the caller.

Information can be anything from your name to your credit card information, and if this type of data is revealed over the phone it is far more susceptible to being stolen and used by hackers.

If you have made the call, it is still essential to confirm the identity of the person you have called as anyone is at risk of being hacked, and once you are certain you are speaking to the correct person, you can feel safe providing information to them if needed.

Vishers are similar to Phishers, as they can often use fear tactics or threatening language to get information out of you.

If you are put into a situation like this, hang up the phone immediately and block the number in order to get out of the situation before you feel pressured any further, and give away personal or company information.

Be Suspicious of Unknown Callers or Numbers

Just as you shouldn’t give out any information to unknown callers, you should equally be cautious of answering the phone to numbers you don’t recognise.

As we mentioned earlier in the post, it is vital to cross-check numbers before even answering the phone. You can always ring the number back once you have checked and feel safe to do so.

It may be that hackers have emailed and called you, mixing Vishing and Phishing together to come across as more convincing.

So, if numbers that call you are provided within an accompanying email too, this doesn’t necessarily mean they are trustworthy or the correct number for an organisation.

Often, all it takes is a quick check of a company website to confirm the number matches up, then you can continue the call, or call the number back feeling assured that the line is safe.
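The cross-check described above can be scripted for a help desk or accounts team. The following is an added example, not part of the original post: it normalises the displayed number, compares it with a directory of numbers taken from a trusted source, and flags near-matches of the kind used in caller ID spoofing. The directory entries, the UK default country code and the two-digit lookalike threshold are assumptions made for illustration.

```python
import re

# Constructed directory of numbers taken from a trusted source (for example
# the company's own website); every name and number here is made up.
VERIFIED_DIRECTORY = {
    "Example Bank": "+441632960123",
    "Example Client Ltd": "+441632960555",
}

def normalise(number, default_cc="44"):
    """Reduce a displayed number to +<country><national> form (UK default assumed)."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+" + default_cc + digits[1:]
    return "+" + digits

def digit_distance(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_caller(displayed_number, claimed_org):
    """Return (verdict, number_to_call_back) for an inbound call."""
    known = VERIFIED_DIRECTORY.get(claimed_org)
    if known is None:
        return ("unverified-organisation", None)
    seen = normalise(displayed_number)
    if seen == known:
        # A displayed number can be faked, so a match only earns a call-back
        # on the directory number, not trust in the current call.
        return ("matches-directory-call-back", known)
    if digit_distance(seen, known) <= 2:
        # Off by a digit or two from the real number: treat as a lookalike.
        return ("lookalike-number", known)
    return ("number-mismatch", known)
```

In every case where the organisation is known, the second value returned is the directory number to ring back, never the number that appeared on the display.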

What Is Vishing and the Ways to Prevent It

Vishing can occur in a variety of ways, from voicemail scams, to fake client calls, however all of them can put your company data at risk.

Understanding Vishing and how to prevent it is important to keep company and personal information secure and off-limits from threat actors.

Ultimately, it is in your hands to ensure your company, client, and employee data is safe from theft.

All team members must be aware of the rules and practices for your organisation when it comes to handling phone calls that may be unsafe or pose a threat.

At TLR we help several companies become more aware of how to protect their data from theft, and understand how to detect cyber attacks. We can help your company feel safe from scammers, and feel prepared for unexpected phone calls, emails, or other breach attempts.

For further information about our services, and how we can help you to reduce the risk of threat to your company information, get in touch today.


Written by

Dave Roberts