
Vishing spikes as workforces go remote: 6 vishing prevention tips anyone can follow

July 1, 2020 by Dan Virgillito

Introduction

With thousands of teams worldwide being asked to work remotely to help contain the spread of COVID-19, scammers have fertile ground to prey upon telecommuters. One scam that workers probably weren’t warned about is vishing (voice phishing). This is a type of fraud in which adversaries use the phone and social engineering techniques to obtain confidential information, often financial information, from individuals.

While less common than email phishing attacks, the scam poses a real threat. In this article, we’ll explore the concept and learn how to prevent vishing.


The different techniques of vishing

Vishing can be attempted in various ways. For example, fraudsters can have a real person on the other end of the call trying to scam you, or they may automate the scam with a recorded or robotic voice (a robocall).

For companies and remote teams, scammers are more likely to get a real person on the line. They may warn you about suspicious or fraudulent bank transfers or mention that they’re calling from IT support. The aim is to gain remote access to systems or lure you into giving sensitive information about your company.

To get an idea of how this might play out in the real world, here’s a video from GetSafeOnline.org showing audio reconstructions of an actual vishing call.

Vishing typically relies on VoIP (Voice over Internet Protocol) technology and caller ID spoofing. Scammers “spoof” a number, making the victim’s caller ID display a trusted contact. Beyond that, they simply rely on the personal touch of a human voice and an unsuspecting target to make the attack successful. If a scammer already has access to some of the victim’s personal data (which they may have sourced from the dark web or another scam), they can easily mimic a conversation that a person would expect to get from a legitimate source.

Newer technologies, such as deepfakes, are also raising concerns about how well existing defenses protect against phishing. Remote workers now also need to watch out for AI-based vishing, where malicious actors use software to impersonate the voice of a key figure at their company. A lapse in this area could result in workers losing their jobs and their companies taking a financial hit.

Real-world examples of vishing

Krebs on Security covered a worrying story of a near-successful vishing attempt. Panic Inc. founder Caleb Sasser told Krebs that an attacker managed to spoof his phone number to match his bank’s, and claimed to be contacting Sasser to help reverse some potentially fraudulent charges. Because the “bank” was offering to mail a new ATM card, Sasser went as far as entering a new PIN into his phone, only to pull back at the last minute. Had he not realized the call was a scam, the scammers would have been able to capture his PIN and carry out transactions freely.

In another instance, attackers used AI-based vishing to scam a UK-based energy firm. An adversary used voice generation software to impersonate the accent and tone of a German executive at the UK company’s parent firm (situated in Germany) and persuaded the UK subsidiary’s CEO to transfer funds to a Hungarian supplier, with the assurance that the money would be reimbursed immediately. This allowed the malicious actor to extract $243,000 from the company. The sum transferred to the Hungarian bank account was subsequently moved to Mexico and then distributed to other countries.

Fraudsters are becoming so good at spoofing that even the most tech-savvy people can be tricked into sharing confidential information. It’s no wonder that they see the new wave of remote workers as the low-hanging fruit. Remote workforce newbies are unaware of the best practices that experienced remote workers know well, such as how to prevent vishing by staying calm and vigilant.

How to prevent vishing

You’ll find plenty of advice when you search how to prevent vishing attacks. Here are the most effective steps to take:

  • Sign up for the National Do Not Call Registry: The National Do Not Call Registry offers a way to stop unwanted sales calls. Once you join the registry, you can expect it to take up to a month for the calls to stop. This will help keep you safe from vishers who pose as telemarketers to keep their identity hidden.
  • Be aware: Always remember that a legitimate business doesn’t make unsolicited requests for financial or sensitive information over the phone. Anyone who makes such a request is probably trying to steal your credentials. If someone tries forcing you into sharing your personal information, hang up.
  • Verify their identity: Scammers who execute a vishing campaign will always contact you before you contact them. If any company or person you know in real life calls you and creates a sense of urgency, hang up and call that business or person back yourself, using the number you typically dial to reach them. If they share a call-back number, ignore it and search for the firm’s official public business number instead.
  • Download a caller ID app: Caller ID apps like Truecaller can help increase your smartphone’s call blocking and detection capabilities. Once installed, the app will block confirmed spam numbers (there are over two billion spam numbers present in Truecaller’s database) and allow good numbers to go through. If a certain number ends up being a vishing attempt, you can add it to the app’s database manually.
  • Be mindful of prompts: If you receive an automated message asking you to respond to questions or press buttons, don’t do it. Scammers do this to gauge the responsiveness of their targets so that they can cast a wide net for robocalls. Your best defense is to ignore such requests and activate the filter/blocking system on your smartphone.
  • Take security awareness seriously: Educate yourself and your coworkers about potential vulnerabilities and scams. Tell them to verify the caller’s identity, hang up if the caller requests confidential information and be wary of emotional manipulation.

Conclusion

Unsolicited calls can throw a wrench into your plans, but you can always recover with help. Keep up to date on the latest scam techniques and learn how to prevent vishing as soon as you can. While the attacks are crafted to trick you, you can stay ahead of malicious actors by understanding the red flags that point towards vishing.


Sources

  1. Archie Hicks, “Reconstruction of actual vishing call to a small business,” Get Safe Online (YouTube)
  2. “Voice Phishing Scams Are Getting More Clever,” Krebs on Security
  3. “National Do Not Call Registry,” Federal Trade Commission
Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.