Vishing and how it impacts your SMB
When discussing social engineering campaigns, phishing takes center stage. But while phishing is a serious threat and the go-to method for threat actors, other dangers still linger. Vishing is the attempt to bypass network security through voice calls and deceptive messages. It has grown in prominence with the expansion of remote work and the use of VoIP calls.
However, vishing is vastly more dangerous than its phishing counterpart. Phishing arrives via email or messages, with characteristics that make it easy to identify. A critical eye or an IT expert will root out phishing and establish security protections in case of a potential intrusion. 2FA, for example, creates an extra layer of defense in case a phishing attempt is successful, but vishing effectively circumvents that since it relies on human error.
Vishing isn't new. Telemarketers and scammers relied on it before the surge of phishing. But with more workers near a desk and phone, especially in remote environments, hackers find vishing incredibly useful. Vishing attacks are no longer rooted in obvious scam attempts, in which a caller asks for personal information like a Social Security number or claims the recipient has won a prize. Now, vishing callers claim to be IT support or trusted experts to achieve success.
Example of a vishing attack
In phishing schemes, recipients discover emails or messages containing alerts prompting them to click a link or download a file. The idea is to incite an immediate emotional reaction to bypass caution and therefore achieve success.
Vishing follows a similar structure. The goal is to cause a cyber breach by impersonating trusted brand names or identities. What if a user doesn't recognize a malicious caller? What if a malicious caller impersonates an IT member, support, or even a vendor from a software company? Once the call is made, the impersonator will claim an emergency has occurred and that they need access to "support" the system. Or the impersonator will claim to be providing support and require the listener to download a program, such as software that gives remote access to the computer system.
Vishing attacks are not random, either. Attackers profile their targets to increase their chances of success, based on either stolen information or malicious tracking. While there is no guarantee their vishing schemes will work, it's a concerning strategy to remain aware of.
Impersonating trusted end-point users
The trick of vishing is impersonation. By collecting details about staff members, threat actors can place calls and use the collected data to appear as legitimate callers. They won't be obvious: they can answer common prompts and other basic questions well enough that an unwary staff member may not recognize the deception. This is especially the case for remote work scenarios.
Remote workers won't always have IT support on standby, and may not recognize common phishing or vishing attempts. They might not be aware that scammers are attempting to make malicious calls at all. Given their usual responsibilities, cybersecurity isn't always a priority. If they lack identity verification tools or have no means to identify a caller, the chance that a vishing attempt succeeds skyrockets.
Identifying vishing attempts and threat actors
As vishing and social engineering attacks are on the rise, identifying and stopping them before a successful intrusion is critical. If it does not already, your organization should have a protocol for properly identifying callers who claim to be staff or other trusted organizations, especially if you take advantage of remote working resources.
Identification can be a homegrown process in which workers have the means to identify each other (like a certain passphrase for messages). Using third-party identification software, such as a service desk tool, is also an option. These suites contain a range of options for identifying incoming messages and creating one-time-use codes.
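As an added illustration of the one-time-use codes mentioned above (this is example code written for this article, not the code of any service desk product), the sketch below issues a short-lived code that a caller must read back before the employee acts on the call. The class name, employee IDs, timeout and in-memory store are assumptions made for the example.

```python
import hmac
import secrets
import time


class CallerVerifier:
    """Hypothetical one-time codes for confirming a caller's identity."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # employee_id -> [code, expires_at, attempts_left]

    def issue(self, employee_id):
        """Create a code to deliver over an already-trusted channel
        (for example the service desk portal), never over the call itself."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[employee_id] = [code, self.clock() + self.ttl, self.max_attempts]
        return code

    def verify(self, employee_id, spoken_code):
        """Return True only for a live, unused, matching code."""
        entry = self._pending.get(employee_id)
        if entry is None:
            return False                            # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self._pending[employee_id]          # expired: a new code is required
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), str(spoken_code).encode()):
            del self._pending[employee_id]          # single use: a replay fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[employee_id]          # stop repeated guessing by phone
        return False
```

The properties that matter against an impersonator are that the code travels over a channel the caller does not control, expires quickly, works once, and cannot be guessed by repeated tries.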
There's a range of cyber-attacks out there, and vishing is no exception. As network technology changes, so too will these attacks, evolving with trends.
If your SMB is under pressure from social engineering attacks and vishing attempts, it’s time to seek help. For more information about third-party assistance, contact Bytagig today.