You may know about phishing attacks, when someone maliciously tries to gain sensitive information from you through email, but have you ever heard of a vishing attack?
Vishing, or voice phishing, is a form of criminal fraud conducted over the phone. Vishing attacks attempt to gain access to private personal and financial information to reap financial rewards. However, thieves also use vishing calls to gather information about an organization and its employees in sophisticated, targeted “spear vishing” attacks.
Vishing attacks are designed to connect on an emotional level. Attackers will try to trick you into making bad decisions by creating scenarios that might make you feel fear, concern or excitement. The voice-to-voice, personal connection can make vishing attacks seem more believable. Attackers may try to sound stern or authoritative, using legal jargon or technical details to seem more official. Attackers may also work in teams, including other people in the conversation who pose as a manager or spouse, for example. Attackers may also take an opposite approach to get you to let your guard down like pretending to be helpless and overly polite.
Spear vishing attacks are often coordinated, well-organized efforts. In these cases, cybercriminals often impersonate people and organizations you know or have worked with. They can also disguise the source of incoming calls using a technique known as “spoofing.” This alters the caller ID and makes the call seem as though it’s coming from a trusted source. In addition to using multiple callers, they may use multiple media sources to further legitimize their efforts. For example, a well-publicized attack recently targeted new, remote employees at some of the world’s largest organizations. Callers claimed to be members of an organization’s IT department, troubleshooting problems with the employee’s virtual private networking (VPN) software.
Attackers are prepared, so you need to be, too. Here are four ways to protect yourself and your organization:
- Whenever possible, avoid answering calls from unknown numbers.
- If you feel the need to confirm the legitimacy of a call or voicemail, use a known or official number to follow up. Never use a contact phone number that is provided in an email, text message or voicemail. (If you think it might be legitimate, ask for their name, look up the phone number for that institution or organization, call that number and ask for the person.)
- If a call sounds confusing or seems suspicious, hang up.
- Report suspicious work-related calls to your security team and manager. Follow local or regional recommendations for reporting fraudulent calls received on personal devices.