Imagine you're a busy telephone operator at a mobile company. You get a call from a harassed-sounding woman. You hear a newborn howling in the background.
She's flying later today and desperately needs to sort some admin. Her husband has asked her to log into their mobile provider account, but she can't remember which email address she needs.
She's sounding shaky and close to tears. She's sorry about baby's screaming. Meanwhile, little angel's turning it up to 11.
You feel bad for the mother. And stressed yourself. Your ears feel red under your headset and they're starting to itch.
You give her the husband's email address.
Then she asks if she's on the account.
"No."
"That's weird," she says. "My husband said he added me."
After a few wobbles from her and screeching from baby, you add her to the account and reset the account password to her preference.
BOOM!
You've just fallen for a vishing scam. Because there was no mother. No husband. Not even a baby. (That was a piece of YouTube audio.) There was just a scammer. And they've managed to manipulate you into passing on confidential details and locking the account owner out.
The above scenario is real and was played out for illustration purposes at Def Con, a Las Vegas hacking convention.
Vishing scammers are the Hollywood stars of the scamming world. Actors and confidence tricksters with scary powers of persuasion and an incredible success rate: one cyber security firm that stress-tests businesses claims that 80-90% of victims fall for this kind of attack.
In this post, we're going to deconstruct who vishers are and what they do, so you and your team can see beyond the dazzling performance and spot a scam.
What is Vishing?
A vishing attack is a cyber security threat that tries to steal information or money over the phone. (Like other similar threats, it is often referred to as a social engineering cyber attack.)
Typically, the attacker will have collected sensitive information about the victim, to make their attack more plausible.
This could be as simple as searching Google or LinkedIn for names, email addresses and phone numbers. Or it could use information harvested from a previous attack and even a spoof website to deceive the potential victim.
Vishing is also often used as part of a ransomware attack, in which your information is encrypted or stolen and then reinstated only after paying a hefty ransom. (Find out more about ransomware prevention.)
What is Vishing Compared to Phishing?
Phishing typically involves sending a fraudulent email to a victim and requesting them to click a malicious link, to harvest confidential data such as logins.
Vishing is similar, but the attack is executed over the phone in person by the fraudster.
(Smishing, meanwhile, is a third "shing" (surely more will come) that uses SMS to encourage victims to click a link and divulge sensitive data or install damaging software.)
So How Does a Vishing Attack Typically Play Out?
It can be incredibly sophisticated. And we recommend that you read this section closely, because getting an understanding of the methodologies will help you remain alert for clues to a bad actor at work.
At its simplest, a vishing attack involves a confidence trick call in which a criminal comes prepared with a few publicly available facts about an individual or company from the internet. For instance, they will use people's names, numbers and emails etc. to gain trust. For example, "I spoke to Karen Smith in accounts and she said..."
This is old-school confidence trick territory and people fall for it again and again.
Not me, you say? Maybe, maybe not. But vishing can also play out with an incredible level of sophistication and preparation.
Here's an example of a methodology from a company that launches these attacks to stress-test a business's defences.
It's an approach that would be considered fairly typical.
1. The visher searches on LinkedIn for a new employee at a large organisation (where people will typically not all know each other) and an associated phone number and email. Let's call the company LetMeIn.
2. They buy a domain and email address similar to the company's. For instance, letmeincompany.com and helpdesk@letmeincompany.com.
3. They clone aspects of the LetMeIn website and create what appears to be an employee log-in page to a gated area of the business.
4. The visher calls the new employee using a spoofing service that makes the call appear to come from any number they choose, such as LetMeIn's help desk.
5. They tell the user they are setting up a new training portal and need them to log in. Meanwhile, they send the user the spoof URL for the "training portal" login, using the spoof LetMeIn helpdesk email.
6. The spoof login page harvests the user's details as they input them. It then takes them to a plausible exit page and the visher ends the call.
7. The visher now has log-on details to launch an attack.
Bear in mind, the attack would come from what appeared to be a company phone number, a company email and a login page perfectly replicating the company's branding.
Could you, in a moment's weakness, get fooled?
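One defensive check this walkthrough suggests, as an added example that is not part of the original post or the testing company's method: a small Python script that flags sender addresses whose domain is not the organisation's real domain but embeds its brand (the letmeincompany.com trick in step 2) or is a keystroke away from it. The trusted domain, the sample mailbox and the similarity threshold are all constructed assumptions for the example.

```python
"""Lookalike sender-domain check (added example, not from the original post).

Flags e-mail sender addresses whose domain is not the organisation's real
domain but embeds its brand or is one keystroke away from it, which is the
kind of spoof helpdesk address the vishing walkthrough above describes.
All domains, addresses and the threshold below are constructed assumptions.
"""
from difflib import SequenceMatcher
import re

# Constructed: the organisation's genuine domain(s).
TRUSTED_DOMAINS = ("letmein.com",)

# Assumed threshold: second-level labels at least this similar to the
# brand label are treated as typosquats. Tune against your own mail flow.
SIMILARITY_THRESHOLD = 0.8

_ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def sender_domain(address: str) -> str:
    """Return the lowercased domain part of an address, or '' if malformed."""
    match = _ADDRESS_RE.match(address.strip())
    return match.group(1).lower() if match else ""


def brand_label(domain: str) -> str:
    """Second-level label of a domain, e.g. 'letmein' for 'mail.letmein.com'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Classify a sender address relative to the trusted domains.

    Verdicts:
      trusted   - the trusted domain itself or one of its subdomains
      lookalike - brand embedded in, or a near-typo of, a different domain
      unrelated - nothing resembling the brand
      invalid   - not parseable as an e-mail address
    """
    domain = sender_domain(address)
    if not domain:
        return {"address": address, "verdict": "invalid", "reason": "malformed address"}

    trusted_domains = tuple(t.lower() for t in trusted_domains)

    # Exact match or genuine subdomain: nothing to flag.
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return {"address": address, "verdict": "trusted",
                    "reason": f"domain belongs to {trusted}"}

    label = brand_label(domain)
    for trusted in trusted_domains:
        tlabel = brand_label(trusted)
        # Brand name or the whole trusted domain embedded in another domain,
        # e.g. letmeincompany.com or letmein.com.evil.example.
        if tlabel in label or trusted in domain:
            return {"address": address, "verdict": "lookalike",
                    "reason": f"contains '{tlabel}' but is not {trusted}"}
        # Typosquat: a character or two away from the brand label.
        ratio = SequenceMatcher(None, label, tlabel).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return {"address": address, "verdict": "lookalike",
                    "reason": f"'{label}' is {ratio:.2f} similar to '{tlabel}'"}

    return {"address": address, "verdict": "unrelated",
            "reason": "no resemblance to a trusted domain"}


def flag_messages(messages, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return the senders among (sender, subject) pairs that look like spoofs."""
    return [sender for sender, _subject in messages
            if classify_sender(sender, trusted_domains)["verdict"] == "lookalike"]


# Constructed sample mailbox: the spoof helpdesk address from the walkthrough
# sits next to a genuine sender, a typosquat and an unrelated newsletter.
SAMPLE_MESSAGES = [
    ("helpdesk@letmein.com", "Password policy reminder"),
    ("helpdesk@letmeincompany.com", "Please log in to the new training portal"),
    ("it@letmeln.com", "Urgent: verify your account"),
    ("news@example.org", "Weekly newsletter"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLE_MESSAGES:
        result = classify_sender(sender)
        print(f"{result['verdict']:9} {sender:32} {result['reason']}")
    print("flagged:", flag_messages(SAMPLE_MESSAGES))
```

A check like this is only a nudge, not proof of legitimacy: a message from a genuinely trusted domain can still be part of a vishing call if the account behind it has been compromised, so the phone-side advice below (verify unsolicited requests through a known channel) still applies.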
Tell Me Some of the Typical Things I Should Look Out For
While vishing can play out in a variety of ways, there are some common themes that could alert you to the fact you're being scammed. Of the list below, the first two are by far the most important. If you pay attention to them, you'll weed out most attacks.
Look out for:
- Unsolicited calls in which someone tries to extract information from you. This is the number-one sign you are subject to a scam.
- Heightened emotions. If you become anxious or worried during a call where you are asked for information, there's a good chance you are being scammed. Criminals use our emotions to encourage us to make rash decisions.
- Calls from authority figures such as a government official.
- Tech support calls about updates or repairs. (A common trope among vishers.)
- A call from your boss asking for sensitive information over the phone. AI is now able to replicate a person's voice after receiving a voice sample. Unfortunately, there is no guarantee that a call from your boss is from your boss. As AI becomes more sophisticated, we expect cyber criminals to use ever more powerful vishing tools to carry out successful AI vishing. The only way to stay ahead of this threat is to ensure you invest in robust cyber security protection and training.
What Kinds of Organisations are Getting Hit by Vishing?
It's happening to all types of organisations, but the biggest recent high-profile example of a vishing attack was at US casino chain MGM Resorts.
A ransomware group called ALPHV declared, according to one report, that they used vishing to deploy "common social engineering tactics" to gain sensitive information from an employee. According to the group, this conversation took 10 minutes.
The criminals then caused havoc with slots, room security cards and other technology. It's rumoured that ALPHV demanded a ransom payment, which MGM Resorts reportedly refused to pay.
MGM Resorts had to endure a 10-day computer shutdown as a result. MGM Resorts has also revealed that the cyber attack is expected to cost them more than £100 million in lost earnings.
What Should I Do to Protect Our Business?
For employees in general:
- Never give personal or sensitive company information to anyone who contacts you unsolicited.
- Don't click on email links if you don't know the source.
- Where possible, don't answer calls or texts from numbers you don't know.
For technical teams and management:
- It's really important to carry out vishing simulations for the IT helpdesk to test your employees' vigilance. Where there are issues, training should be offered to IT teams.
- Ensure you have the latest antivirus and antimalware in place.
- Carry out regular cyber security awareness training with your people. Regular is the key here. Criminals are constantly updating their methods and you must keep your employees well informed and prepared.
Finally, the National Cyber Security Centre recommends that you report a scam phone call to help shut down criminals and spread awareness about their practices.
In England, Wales or Northern Ireland, visit www.actionfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland by calling 101.
Intersys is a specialist cyber-security provider that helps businesses, NGOs, schools and universities with all aspects of cyber security services as well as a fully managed SOC-as-a-service.
If you have been the victim of ransomware, take a look at how we can help you recover data from ransomware attacks.
To find out more about how we can help you, contact us on info@intersys.co.uk or call us on 020 3005 4440.