Imagine you’re a busy telephone operator at a mobile company. You get a call from a harassed-sounding woman. You hear a newborn howling in the background.
She’s flying later today and desperately needs to sort some admin. Her husband has asked her to log into their mobile provider account, but she can’t remember which email address she needs.
She’s sounding shaky and close to tears. She’s sorry about baby’s screaming. Meanwhile, little angel’s turning it up to 11.
You feel bad for the mother. And stressed yourself. Your ears feel red under your headset and they’re starting to itch.
You give her the husband’s email address.
Then she asks if she’s on the account.
‘That’s weird,’ she says. ‘My husband said he added me.’
After a few wobbles from her and screeching from baby, you add her to the account and reset the account password to her preference.
You’ve just fallen for a vishing scam. Because there was no mother. No husband. Not even a baby. (That was a piece of YouTube audio.) There was just a scammer. And they’ve managed to manipulate you to pass on confidential details and lock the account owner out.
The above scenario is real and was played out for illustration purposes at Def Con, a Las Vegas hacking convention.
Vishing scammers are the Hollywood stars of the scamming world. Actors and confidence tricksters with scary powers of persuasion and an incredible success rate – one cyber security firm that stress-tests businesses claims that 80–90% of victims fall for this kind of attack.
In this post, we’re going to deconstruct who vishers are and what they do, so you and your team can see beyond the dazzling performance and spot a scam.
What is Vishing?
A vishing attack is a cyber security threat that tries to steal information or money over the phone.
Typically, the attacker will have collected sensitive information about the victim, to make their attack more plausible.
This could be as simple as searching Google or LinkedIn for names, email addresses and phone numbers. Or it could use information harvested from a previous attack and even a spoof website to deceive the potential victim.
What is Vishing Compared to Phishing?
Phishing typically involves sending a fraudulent email to a victim and requesting them to click a malicious link, to harvest confidential data such as logins.
Vishing is similar, but the attack is executed over the phone in person by the fraudster.
(Smishing, meanwhile, is a third ‘shing’ (surely more will come) that uses SMS to encourage victims to click a link and divulge sensitive data or install damaging software.)
So How Does a Vishing Attack Typically Play Out?
It can be incredibly sophisticated. And we recommend that you read this section closely, because getting an understanding of the methodologies will help you remain alert for clues to a bad actor at work.
At its simplest, a vishing attack involves a confidence-trick call in which a criminal comes prepared with a few publicly available facts about an individual or company gathered from the internet. They will use people’s names, phone numbers and email addresses to gain trust, for example: ‘I spoke to Karen Smith in accounts and she said…’
This is old-school confidence trick territory and people fall for it again and again.
Not me, you say? Maybe, maybe not. But vishing can also play out with an incredible level of sophistication and preparation.
Here’s an example of a methodology from a company that launches these attacks to stress-test a business’s defences.
It’s an approach that would not be considered untypical.
1. Visher searches on LinkedIn for a new employee at a large organisation (where people will typically not all know each other) and an associated phone number and email. Let’s call the company LetMeIn.
2. They buy a domain and email address similar to the company’s. For instance, letmeincompany.com and firstname.lastname@example.org.
3. They clone aspects of the LetMeIn website and create what appears to be an employee log-in page to a gated area of the business.
4. The visher calls the new employee using a spoofing service that allows the call to look like any number they want it to, such as LetMeIn’s help desk.
5. They tell the user they are setting up a new training portal and need them to log in. Meanwhile, they send the user the spoof URL for the ‘training portal’ login page, using the spoof LetMeIn helpdesk email.
6. The spoof login page harvests the user’s details as they input them. It then takes them to a plausible exit page and the visher ends the call.
7. The visher now has login details to launch an attack.
Bear in mind, the attack would come from what appeared to be a company phone number, a company email and a login page perfectly replicating the company’s branding.
Could you – in a moment’s weakness – get fooled?
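Step 2 of the methodology above rests on a lookalike domain (letmeincompany.com standing in for the real company domain). The following is an added example, not code from the original post or from the testing firm it describes: a small Python triage script that flags sender domains resembling a company's legitimate one, so a helpdesk or mail filter can hold such messages for a callback check. The legitimate domain letmein.com, the homoglyph table and the sample addresses are all assumed or constructed for illustration.

```python
"""Lookalike-domain triage for email sender addresses (added example)."""
import unicodedata

# Assumed legitimate domain for the post's fictional company LetMeIn.
LEGIT_DOMAIN = "letmein.com"

# Common character substitutions seen in lookalike domains. Folding them
# lets "letrnein" or "1etmein" collapse to the legitimate label "letmein".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(label: str) -> str:
    """Lower-case, strip accents and fold common homoglyphs."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'helpdesk.letmein.com' -> 'letmein'.

    Assumes simple TLDs; no public-suffix handling for e.g. '.co.uk'.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess_sender(address: str, legit_domain: str = LEGIT_DOMAIN) -> dict:
    """Classify a sender address as 'internal', 'lookalike' or 'external'.

    A 'lookalike' verdict is a triage signal for manual verification,
    not proof of fraud.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    result = {"address": address, "domain": domain}

    # Exact match or a genuine subdomain of the legitimate domain.
    if domain == legit_domain or domain.endswith("." + legit_domain):
        return {**result, "verdict": "internal", "reason": "matches legitimate domain"}

    legit = normalise(registrable_label(legit_domain))
    cand = normalise(registrable_label(domain))

    if cand == legit:
        return {**result, "verdict": "lookalike", "reason": f"homoglyph variant of '{legit}'"}

    # Legitimate name embedded anywhere in the domain, e.g. letmeincompany.com
    # or letmein.com.evil.net (dots removed so labels can be spanned).
    if legit in normalise(domain.replace(".", "")):
        return {**result, "verdict": "lookalike", "reason": f"embeds '{legit}'"}

    dist = levenshtein(cand, legit)
    if dist <= 2:
        return {**result, "verdict": "lookalike", "reason": f"edit distance {dist} from '{legit}'"}

    return {**result, "verdict": "external", "reason": "no resemblance to legitimate domain"}


if __name__ == "__main__":
    # Constructed sample senders for illustration only.
    samples = [
        "it.helpdesk@letmein.com",
        "helpdesk@letmeincompany.com",
        "helpdesk@letrnein.com",
        "helpdesk@letmien.com",
        "helpdesk@letmein.com.evil.net",
        "newsletter@example.org",
    ]
    for addr in samples:
        r = assess_sender(addr)
        print(f"{r['verdict']:9} {addr:35} {r['reason']}")
```

The check is deliberately conservative: anything that embeds the company name or sits within two edits of it is held for a callback to a number taken from the company directory rather than from the message itself. Legitimate partners whose names happen to contain the company name will be flagged too, which is the intended trade-off for a helpdesk queue.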
Tell Me Some of the Typical Things I Should Look Out For
While vishing can play out in a variety of ways, there are some common themes that could alert you to the fact you’re being scammed. From the list below, the first two are by far the most important. If you pay attention to them, you’ll weed out most attacks.
Look out for:
- Unsolicited calls in which someone tries to extract information from you. This is the number-one sign you are subject to a scam.
- Heightened emotions. If you become anxious or worried during a call where you are asked for information, there’s a good chance you are being scammed. Criminals use our emotions to encourage us to make rash decisions.
- Calls from authority figures such as a government official.
- Tech support calls about updates or repairs. (A common trope among vishers.)
- A call from your boss asking for sensitive information over the phone. AI is now able to replicate a person’s voice after receiving a voice sample. Unfortunately, there is no guarantee that a call from your boss is from your boss. As AI becomes more sophisticated, we expect cyber criminals to use ever more powerful vishing tools to carry out successful AI vishing. The only way to stay ahead of this threat is to ensure you invest in robust cyber security protection and training.
What Kinds of Organisations are Getting Hit by Vishing?
It’s happening to all types of organisations, but the biggest recent high-profile example of a vishing attack was at US casino chain MGM Resorts.
A ransomware group called ALPHV declared, according to one report, that they used vishing to deploy ‘common social engineering tactics’ to gain sensitive information from an employee. According to the group, this conversation took 10 minutes.
The criminals then caused havoc with slots, room security cards and other technology. It’s rumoured that ALPHV demanded a ransom payment which MGM Resorts reportedly refused to pay.
MGM Resorts had to endure a 10-day computer shutdown as a result. MGM Resorts has also revealed that the cyber attack is expected to cost them more than £100 million in lost earnings.
What Should I Do to Protect Our Business?
For employees in general:
- Never give personal or sensitive company information to anyone who contacts you unsolicited.
- Don’t click on email links if you don’t know the source.
- Where possible, don’t answer calls or texts from numbers you don’t know.
For technical teams and management:
- It’s really important to carry out vishing simulations for the IT helpdesk to test your employees’ vigilance. Where there are issues, training should be offered to IT teams.
- Ensure you have the latest antivirus and antimalware in place.
- Carry out regular cyber security awareness training with your people. Regular is the key here. Criminals are constantly updating their methods and you must keep your employees well informed and prepared.
Finally, the National Cyber Security Centre recommends that you report a scam phone call to help shut down criminals and spread awareness about their practices.
In England, Wales or Northern Ireland, visit www.actionfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland by calling 101.
To find out more about how we can help you, contact us on email@example.com or call us on 020 3005 4440.