Vishing attacks (phishing via phone) have become a serious infosec threat impacting both public and private sectors across every vertical. Vishing techniques are increasingly sophisticated and can now more easily bypass many organizations’ prevention tactics to exploit employees. Security teams must understand how the latest vishing methods target their organization, the risks involved, and how best to update their anti-phishing strategies.
This piece provides an overview of current vishing attack techniques and how they impact businesses to help identify attacks and build a comprehensive anti-phishing strategy.
In the past, vishing focused on convincing consumers to divulge sensitive information, like bank account details, credit card numbers or passwords. As reported by the FBI, vishing attacks have aggressively targeted businesses since the shift to remote work, leaving both remote and office employees at greater risk. To make matters worse, many security teams are not adequately prepared for a vishing attack and its resulting impact on the business.
Vishing attacks usually begin with a call to an employee’s business or mobile number, and they often end by funneling the employee’s sensitive information directly to the attacker. However, much work goes on behind the scenes to execute a successful “vish.”
Vishing attacks gained traction against businesses in early 2020, when a notorious vishing campaign targeted specific companies through fake VPN sites to harvest internal VPN logins. Attackers built profiles of employees using social engineering tactics and posed as IT staff calling from spoofed numbers. They advised victims to sign into the “new” VPN page, and once they did, the attackers stole their credentials and used them to access the organizations’ networks.
This method, combined with a lack of in-person verification, made VPN attacks very rewarding and instantly popular with attackers. A prime example was the Twitter account breach in mid-2020, which used social engineering and vishing focused on well-known public figures and resulted in major bitcoin fraud. Similar techniques worked across several different industries, and now vishing attackers operate as groups, offering less-skilled attackers a range of specialized services, from intel gathering to voice acting.
Vishing attackers are highly trained and organized, and use increasingly creative tactics to take advantage of weak security protocols and trusting employees. Besides VPN campaigns, other traditional vishing techniques include:
Vishing can have a deep impact on an organization, beyond just stolen login credentials, passwords, account numbers and proprietary data. For example, it can lead to ransomware attacks when the visher sells the stolen credentials on the dark web. Vishing also lays the groundwork for attackers to launch other secondary crimes, including:
Attackers can sometimes gain unrestricted access to the entire network, placing all of the organization’s data at risk.
Vishing tends to fly under the radar. Fake VPN sites disappear after an attack, and employees may not report suspicious phone calls. Vishing attacks focus on high-value business targets, such as call centers, IT administrators, accounts payable, sales, HR, executive management and especially employees new to the company. An initial vishing prevention checklist includes:
Vishing attacks are so well organized and executed that security teams should act now to ensure employees are properly trained and that a security strategy is in place. Awareness is the first and strongest defense against vishing. Training should include strict security protocols for exchanging information, especially around IT VPNs, logins and financial accounts. Let employees know it is acceptable to end suspicious calls and to report the call as a vish. This helps IT security teams build effective anti-vishing programs that stop vishing before it causes damage.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 19, 2023
By IANS Faculty