Menu
close
Call +44 (0)20 3005 4440
Intersys Logo
+44 (0)20 3005 4440
Call us now!
Menu
Close

Managed IT Support

A Reasonable, Fixed Monthly Fee for All Your IT Needs
Managed IT Support Provider

Consulting Services

The High Level IT Consulting Services You Need to Transform Your Business
Get IT Consulting Services

Cyber Security

A Comprehensive Range of Cyber Security Services for Robust, Industry-Leading Protection
Get Cyber Security Services

IT Solutions

Whatever your IT needs, we'll create a tailormade solution for you
Get IT Solutions

What is Vishing? And Why are Vishing Scammers the ‘Hollywood Actors of the Cyber Crime World’?

Filed under , ,
by Martin Philp on 09 October 2023

Imagine you’re a busy telephone operator at a mobile company. You get a call from a harassed-sounding woman. You hear a newborn howling in the background.

She’s flying later today and desperately needs to sort some admin. Her husband has asked her to log into their mobile provider account, but she can’t remember which email address she needs.

She’s sounding shaky and close to tears. She’s sorry about baby’s screaming. Meanwhile, little angel’s turning it up to 11.

You feel bad for the mother. And stressed yourself. Your ears feel red under your headset and they’re starting to itch.

You give her the husband’s email address.

Then she asks if she’s on the account.

‘No.’

‘That’s weird,’ she says. ‘My husband said he added me.’

After a few wobbles from her and screeching from baby, you add her to the account and reset the account password to her preference.

BOOM!

You’ve just fallen for a vishing scam. Because there was no mother. No husband. Not even a baby. (That was a piece of YouTube audio.) There was just a scammer. And they’ve managed to manipulate you to pass on confidential details and lock the account owner out.

The above scenario is real and was played out for illustration purposes at Def Con, a Las Vegas hacking convention.

Vishing scammers are the Hollywood stars of the scamming world. Actors and confidence tricksters with scary powers of persuasion and an incredible success rate – one cyber security firm that stress-tests businesses claims that 80 – 90% of victims fall for this kind of attack.

In this post, we’re going to deconstruct who vishers are and what they do, so you and your team can see beyond the dazzling performance and spot a scam.

What is Vishing?

A vishing attack is a cyber security threat that tries to steal information or money over the phone. 

Typically, the attacker will have collected sensitive information about the victim, to make their attack more plausible. 

This could be as simple as searching Google or LinkedIn for names, email addresses and phone numbers. Or it could use information harvested from a previous attack and even a spoof website to deceive the potential victim.

What is Vishing Compared to Phishing?

Phishing typically involves sending a fraudulent email to a victim and requesting them to click a malicious link, to harvest confidential data such as logins.

Vishing is similar, but the attack is executed over the phone in person by the fraudster.

(Smishing, meanwhile, is a third ‘shing’ (surely more will come) that uses SMS to encourage victims to click a link and divulge sensitive data or install damaging software.)

So How Does a Vishing Attack Typically Play Out?

It can be incredibly sophisticated. And we recommend that you read this section closely, because getting an understanding of the methodologies will help you remain alert for clues to a bad actor at work.

At its simplest, a vishing attack involves a confidence trick call in which a criminal comes prepared with a few publicly available facts about an individual or company from the internet. For instance, they will use people’s names, numbers and emails etc to gain trust. For example, ‘I spoke to Karen Smith in accounts and she said…’

This is old-school confidence trick territory and people fall for it again and again.

Not me, you say? Maybe, maybe not. But vishing can also play out with an incredible level of sophistication and preparation. 

Here’s an example of a methodology from a company that launches these attacks to stress-test a business’s defences.

It’s an approach that would not be considered untypical.

1. Visher searches on LinkedIn for a new employee at a large organisation (where people will typically not all know each other) and an associated phone number and email. Let’s call the company LetMeIn.

2. They buy a domain and email address similar to the company’s. For instance, letmeincompany.com and helpdesk@letmeincompany.com.

3. They clone aspects of the LetMeIn website and create what appears to be an employee log-in page to a gated area of the business.

4. The visher calls the new employee using a spoofing service that allows the call to look like any number they want it to, such as LetMeIn’s help desk.

5. They tell the user they are setting up a new training portal and need them  to log-in. Meanwhile, they send the user the spoof URL to the ‘training portal’ log in, using the spoof LetMeIn helpdesk email.

6. The spoof log in page harvests the user’s details as they input them. It then takes them to a plausible exit page and the visher ends the call.

7. The visher now has log-on details to launch an attack.

Bear in mind, the attack would come from what appeared to be a company phone number, a company email and a login page perfectly replicating the company’s branding.

Could you – in a moment’s weakness – get fooled?

Tell Me Some of the Typical Things I Should Look Out For

While vishing can play out in a variety of ways, there are some common themes that could alert you to the fact you’re being scammed. From the list below, the first two are above and beyond the most important. If you pay attention to them, you’ll weed out most attacks.

Look out for:

  • Unsolicited calls in which someone tries to extract information from you. This is the number-one sign you are subject to a scam.
  • Heightened emotions. If you become anxious or worried during a call where you are asked for information, there’s a good chance you are being scammed. Criminals use our emotions to encourage us to make rash decisions.
  • Calls from authority figures such as a government official.
  • Tech support calls about updates or repairs. (A common trope among vishers.)
  • A call from your boss asking for sensitive information over the phone. AI is now able to replicate a person’s voice after receiving a voice sample. Unfortunately, there is no guarantee that a call from your boss is from your boss. As AI becomes more sophisticated, we expect cyber criminals to use more ever more powerful vishing tools to carry out successful AI vishing. The only way to stay ahead of this threat is to ensure you invest in robust cyber security protection and training.

What Kinds of Organisations are Getting Hit by Vishing?

It’s happening to all types of organisations, but the biggest recent high-profile example of a vishing attack was at US casino chain MGM Resorts. 

A ransomware group called ALPHV declared, according to one report, that they used vishing to deploy ‘common social engineering tactics’ to gain sensitive information from an employee. According to the group, this conversation took 10 minutes.

The criminals then caused havoc with slots, room security cards and other technology. It’s rumoured that ALPHV demanded a ransomware payment which MGM Resorts reportedly refused to pay. 

MGM Resorts had to endure a 10-day computer shutdown as a result. MGM Resorts has also revealed that the cyber attack is expected to cost them more than £100 million in lost earnings.

What Should I Do to Protect Our Business?

For employees in general:

  1. Never give personal or sensitive company information to anyone who contacts you unsolicited.
  2. Don’t click on email links if you don’t know the source.
  3. Where possible, don’t answer calls or texts from numbers you don’t know.

For technical teams and management:

  1. It’s really important to carry out vishing simulations for the IT helpdesk to test your employees’ vigilance. Where there are issues, training should be offered to IT teams.
  2. Ensure you have the latest antivirus and antimalware in place.
  3. Carry out regular cyber security awareness training with your people. Regular is the key here. Criminals are constantly updating their methods and you must keep your employees well informed and prepared.

Finally, the National Cyber Security Centre recommends that you report a scam phone call to help shut down criminals and spread awareness about their practices.

In England, Wales or Northern Ireland, visit www.actionfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland by calling 101.

Intersys is a specialist cyber-security provider that helps businesses, NGOs, schools and universities with all aspects of cyber security services as well as a fully managed SOC-as-a-service.

To find out more about how we can help you, contact us on info@intersys.co.uk or call us on 020 3005 4440.

Stay up to date with IT Industry news

Subscribe to our newsletter

Subscribe to our newsletter


In other news
April 22, 2024

Happy World Earth Day! (From a Provider Proud to Call Itself a Sustainable IT Company)

April 15, 2024

National Pet Month. Random Pics of Our Cats, Dogs, Rabbits and Geckos. What’s Not To Love?

March 28, 2024

Copilot for Microsoft 365: Just How Much is This AI Tool Going to Increase Your Business’s Productivity?

February 26, 2024

‘IT Companies Are Overpromising, Underdelivering Schmuks, Right?’ Errmm…

February 12, 2024

Pharmaceutical Cyber Security: The Threat, The Solution and the Need for a Specialist Provider

January 23, 2024

Stick it to the Man (In the Middle): How to Repel a New Cyber Attack That Uses Online Surveys

December 7, 2023

Is Switching IT Provider Achievable Without Huge Challenges?

December 4, 2023

A Haven of Hope

December 1, 2023

Cyber Security Year in Review 2023: New Threats, Big Breaches and Top Tips From Our Experts

November 23, 2023

Here’s Why Charities Loved Our Cyber Security Webinar

November 20, 2023

Browser Security Warning: The Software You Are Using to Read This Page Could Be Stealing Your Data

October 17, 2023

Is That QR Code Malicious? Here’s How to Find Out

October 5, 2023

How to Write a School Cyber Security Policy

September 12, 2023

Intersys Successfully Renews IS0 270001 Certification

September 7, 2023

Charity Cyber Security: the One Simple Thing Non-Profits Must do to Repel Attacks

August 7, 2023

Uh-Oh – ‘Evil’ Phishing Technique Can Beat Multi-Factor Authentication (MFA)

July 17, 2023

You Need to Shut Down THIS Microsoft Teams Security Flaw Now

June 27, 2023

What is Passwordless Authentication? And Why Should My Business Adopt it ASAP?

May 18, 2023

Password Security Tips for 2023 – Things Are Changing Big Time…

March 28, 2023

What is (Microsoft) Office 365 Hardening? (And Why Do I Need to Know About it Urgently?)

March 21, 2023

Meet The Most Worrying Bug Of 2023 So Far – Microsoft Outlook Vulnerability CVE-2023 – 23397

February 24, 2023

What is Social Engineering in Cyber Security and How Do I Prevent a Devastating Attack?

April 8, 2024

Microsoft 365 Webinar – When We Helped Charities Get the Most Out of Their Subscription

March 21, 2024

We’ve Joined the Service Desk Institute – And That’s Great News for Intersys Clients 

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram