Advances in modern technology have created a playground for cyber criminals. Despite being invaluable to most of us, technology also presents multiple avenues to defraud individuals. One of these avenues is vishing.
In 2019 the FBI reported that vishing represented 24% of all attacks [1]. It has been identified as one of the most successful methods of cyber breach, estimated to total a loss of $46.3 billion a year [2].
What is vishing exactly? Vishing is essentially a social engineering technique [3]. The term “vishing” is derived from “voice phishing” [4] and is defined as a phishing attack conducted by phone, often targeting users of an internet telephone (VoIP) service [5]. Vishing attacks are used to steal information or extort money [3] and can be carried out in a number of ways:
Can ‘vishing’ calls be recognised with caller ID? Not always, as vishing attacks will often spoof legitimate numbers to make you think the call is coming from a trusted source [3]. This adds a faked layer of authenticity, designed to lull the victim into a false sense of security. Financial Fraud Action UK has found that one in twenty-five adults in the UK may have been a victim of vishing and that 43% of these victims are over 50, proving anyone can be a victim [9]:
Often the risk of an attack lies with an end user lacking knowledge of the threat. When Proofpoint asked 1000 end users in the UK what vishing was, 63% responded that they did not know [13]. Vishing is a highly successful crime because victims do not have time to think the situation through during the conversation and often unknowingly reveal information mid-conversation. Bearing this in mind, how do we thwart vishing attacks?
(1) CYBER AWARENESS TRAINING
We are all often guilty of being too busy to pay attention to detail, but this is where the weakest link exists. A cybercriminal takes advantage of human error and will often use familiar details to lower an individual’s guard and gather the information they need. To prevent this, it is best practice to give your users the training they need to identify fraudulent calls, reducing the risk of anyone revealing sensitive information.
(2) BLOCK AUTOMATED CALLS
A vast majority of vishing attacks are carried out by bots before transferring directly to a call centre manned by the cyber criminal. There are legitimate call registry services you can sign up to that prevent your number from being called. One of them is the TPS. If you get a fair few spam “have you been in an accident” calls, even without being vished, it would also be beneficial to sign up.
(3) BE VIGILANT!
Googling an unsaved number is often beneficial: the majority of the time it brings up websites that collect complaints from individuals who have also been targeted by a cyber criminal using that number. It is also good practice not to redial numbers and instead to call the correct number for that company or individual directly and double check whether the message received is legitimate. That way you prevent interaction with a cyber criminal and can verify the problem.
(4) VISHING SECURITY TEST
Training and educating users is advantageous in preventing an attack. If you carry out vishing tests within your organisation, you will be able to test your end users’ responses. This lets them understand what a vishing attack may sound like and gives them the knowledge and tools to prevent a future attack.
If you need to report a suspicious call or any other type of cybercrime you can do so by contacting Action Fraud. If you would like to protect yourself or your business against vishing, please get in touch.