Vishing (voice phishing, conducted over the phone) has become a serious information security threat to public- and private-sector organizations in every vertical. Vishing techniques are increasingly sophisticated and now bypass many organizations' prevention tactics to exploit employees. Security teams must understand how current vishing methods target their organization, what is at risk, and how to update their anti-phishing strategies accordingly.
This piece provides an overview of current vishing attack techniques and how they impact businesses to help identify attacks and build a comprehensive anti-phishing strategy.
In the past, vishing focused on convincing consumers to divulge sensitive information such as bank account details, credit card numbers or passwords. As the FBI has reported, vishing attacks have aggressively targeted businesses since the shift to remote work, leaving both remote and office employees at greater risk. To make matters worse, many security teams are not adequately prepared for a vishing attack or its impact on the business.
Vishing attacks usually begin with a call to an employee's business or mobile number and often end with the employee's credentials or other sensitive information funneled directly to the attacker. Much work, however, goes on behind the scenes to execute a successful "vish."
Vishing gained traction against businesses in 2020, when a notorious campaign targeted specific companies with fake VPN login pages to harvest internal VPN credentials. Attackers first built profiles of targeted employees from public sources and social engineering, then called them from spoofed numbers while posing as corporate IT staff. They directed victims to sign in to the "new" VPN page; once they did, the attackers captured the credentials and used them to access the organizations' networks.
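The fake VPN page in this kind of campaign lives on a domain built to pass a glance at the address bar: the real labels hyphenated, reordered, or spelled with digits and homoglyphs. The following is an added example, not code from IANS or from any vendor, of the lookalike check a security team can run over a feed of newly registered domains or certificate-transparency entries. The organization, its portals (vpn.example.com, sso.example.com) and the candidate feed are constructed; the TLD handling is a one-label strip, which a production tool would replace with the public suffix list.

```python
"""Flag domains that look like an organization's VPN or SSO portal.

Added example for this article, not IANS code. LEGIT_HOSTS and CANDIDATES are
constructed; in practice CANDIDATES would come from a new-registration feed
or certificate-transparency monitoring.
"""
from __future__ import annotations

# Hypothetical legitimate portals for a fictional organization.
LEGIT_APEX = "example.com"
LEGIT_HOSTS = ["vpn.example.com", "sso.example.com"]

# Digit-for-letter swaps and two-character homoglyph pairs seen in lookalikes.
_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIRS = [("rn", "m"), ("vv", "w")]


def normalize(label: str) -> str:
    """Lower-case, undo digit and homoglyph substitutions, drop separators."""
    s = label.lower().translate(_DIGITS)
    for pair, single in _PAIRS:
        s = s.replace(pair, single)
    return s.replace("-", "").replace(".", "")


def _labels(host: str) -> list[str]:
    # Drop the last label as the TLD. A real tool would use the public suffix
    # list so that suffixes such as "co.uk" are handled correctly.
    return host.lower().rstrip(".").split(".")[:-1]


def tokens(host: str) -> set[str]:
    """Normalized dot- and hyphen-separated labels, e.g. {'vpn', 'example'}."""
    out: set[str] = set()
    for label in _labels(host):
        out.update(normalize(t) for t in label.split("-") if t)
    return out


def joined(host: str) -> str:
    """Normalized hostname without TLD or separators, e.g. 'vpnexample'."""
    return normalize(".".join(_labels(host)))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_hosts: list[str] = LEGIT_HOSTS,
             max_distance: int = 2) -> tuple[str, str] | None:
    """Return (impersonated host, reason) when candidate resembles one of ours."""
    cand = candidate.lower().rstrip(".")
    if cand == LEGIT_APEX or cand.endswith("." + LEGIT_APEX):
        return None  # names inside our own namespace are not lookalikes
    c_tokens, c_joined = tokens(cand), joined(cand)
    for legit in legit_hosts:
        l_tokens, l_joined = tokens(legit), joined(legit)
        if c_tokens == l_tokens:
            return legit, "same labels, reordered or re-separated"
        if levenshtein(c_joined, l_joined) <= max_distance:
            return legit, f"edit distance <= {max_distance} after normalization"
        if all(t in c_joined for t in l_tokens):
            return legit, "contains every label of the real host"
    return None


def find_lookalikes(candidates: list[str]) -> dict[str, tuple[str, str]]:
    """Map each suspicious candidate to the host it imitates and why."""
    return {c: r for c in candidates if (r := classify(c)) is not None}


# Constructed feed of newly observed domain names.
CANDIDATES = [
    "vpn-example.com",          # hyphen instead of dot
    "examp1e-vpn.net",          # digit for letter, labels reordered
    "vpn-exarnple.com",         # "rn" standing in for "m"
    "vpn.examplecorp-sso.com",  # real labels buried in a longer name
    "sso-example.org",
    "vpnexample.com",
    "example.com",              # our own apex: must not be flagged
    "weather-example.com",      # shares one label only
    "rnicrosoft-login.com",     # someone else's brand, not ours
]

if __name__ == "__main__":
    for name, (host, why) in find_lookalikes(CANDIDATES).items():
        print(f"{name:28} -> {host} ({why})")
```

The three rules are ordered from strongest to weakest signal: an exact label-set match catches reordering and re-separation, a small edit distance catches typos and single substitutions, and the containment rule catches longer names that wrap the real labels. The last rule is the noisiest and is the one to tune against your own brand names before feeding hits into a takedown or blocklist workflow.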
This approach, combined with the absence of in-person verification for remote staff, made fake-VPN vishing both lucrative and quickly popular with attackers. A prominent example was the Twitter breach of July 2020, in which attackers phone-phished Twitter employees to reach internal account-management tools and then hijacked the accounts of well-known public figures to run a bitcoin scam. Similar techniques worked across several industries, and vishing attackers now operate as groups, offering less-skilled criminals a menu of specialized services, from intelligence gathering to voice acting.
Vishing attackers are well trained and organized, and use increasingly creative tactics to exploit weak verification procedures and trusting employees. Besides VPN campaigns, other established vishing techniques include:
Vishing's impact on an organization goes well beyond stolen login credentials, passwords, account numbers and proprietary data. Stolen credentials sold on the dark web, for example, can become the entry point for a ransomware attack. Vishing also lays the groundwork for secondary crimes, including:
In some cases attackers gain broad access to the entire network, putting all of the organization's data at risk.
Vishing tends to fly under the radar: fake VPN sites are taken down soon after an attack, and employees often do not report suspicious calls. Vishing targets high-value business roles, such as call centers, IT administrators, accounts payable, sales, HR, executive management and, especially, employees new to the company. An initial vishing prevention checklist includes:
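Because the phishing page vanishes and the victim may never report the call, the most durable evidence of a successful vish is in the VPN gateway's authentication log: the attacker's login comes from a device and location the user has never used, often while the victim's own session is still active. The following is an added example, not code from IANS or from any VPN vendor, of detection logic run over such a log. The log format, the field names, the per-user 30-day baseline and the sample lines are all constructed for illustration.

```python
"""Flag VPN logins that look like use of vished credentials.

Added example for this article, not IANS code. The log format, the
30-day baseline and the log lines are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical gateway log format: one line per authentication attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) device=(?P<device>\S+) country=(?P<country>\S+)$"
)

# A victim and an attacker both holding a session within this window is a
# strong sign the credential is being used by someone else.
CONCURRENT_WINDOW = timedelta(minutes=30)


@dataclass
class Login:
    ts: datetime
    user: str
    success: bool
    src: str
    device: str
    country: str


def parse(line: str) -> Login | None:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Login(ts, m["user"], m["result"] == "success",
                 m["src"], m["device"], m["country"])


def detect(lines: list[str], baseline: dict[str, dict[str, set[str]]]) -> list[dict]:
    """Return an alert for each successful login that departs from the baseline.

    baseline maps user -> {"devices": {...}, "countries": {...}} learned from
    prior successful logins (here supplied ready-made).
    """
    alerts: list[dict] = []
    recent: dict[str, list[Login]] = {}  # user -> recent successful logins
    for line in lines:
        ev = parse(line)
        if ev is None or not ev.success:
            continue  # failures are not scored here; a fuller detector would count them
        base = baseline.get(ev.user, {"devices": set(), "countries": set()})
        reasons = []
        if ev.device not in base["devices"]:
            reasons.append("first-seen device")
        if ev.country not in base["countries"]:
            reasons.append("first-seen country")
        for prior in recent.get(ev.user, []):
            if prior.src != ev.src and ev.ts - prior.ts <= CONCURRENT_WINDOW:
                reasons.append(f"concurrent session with {prior.src}")
                break
        recent.setdefault(ev.user, []).append(ev)
        if reasons:
            alerts.append({
                "time": ev.ts.isoformat(), "user": ev.user, "src": ev.src,
                "device": ev.device, "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
            })
    return alerts


# Constructed 30-day baseline: devices and countries each user normally uses.
BASELINE = {
    "jdoe": {"devices": {"LAPTOP-JDOE-01"}, "countries": {"US"}},
    "asmith": {"devices": {"MBP-ASMITH"}, "countries": {"US"}},
}

# Constructed log lines: jdoe is vished at about 09:00; the attacker logs in
# from an unfamiliar device and country while jdoe's own session is still up.
SAMPLE_LOG = [
    "2024-02-20T08:55:03Z vpn-gw auth user=jdoe result=success src=198.51.100.23 device=LAPTOP-JDOE-01 country=US",
    "2024-02-20T09:02:41Z vpn-gw auth user=jdoe result=failure src=203.0.113.7 device=DESKTOP-9F2K1 country=NL",
    "2024-02-20T09:03:10Z vpn-gw auth user=jdoe result=success src=203.0.113.7 device=DESKTOP-9F2K1 country=NL",
    "2024-02-20T09:40:00Z vpn-gw auth user=asmith result=success src=192.0.2.44 device=MBP-ASMITH country=US",
    "2024-02-20T10:15:00Z vpn-gw auth user=asmith result=success src=192.0.2.44 device=MBP-ASMITH-NEW country=US",
    "this line is not an auth record and is skipped",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE):
        print(a["severity"].upper(), a["time"], a["user"], a["src"], "; ".join(a["reasons"]))
```

Run as-is, the script raises a high-severity alert for jdoe (new device, new country, and a session overlapping the victim's own) and a low one for asmith's new laptop on the usual address. The low alert is the kind a help desk can close by calling the user back on a known number, which is also the single most useful habit to build against the phone call that started it all.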
Because vishing attacks are so well organized and executed, security teams should act now to ensure employees are properly trained and a defensive strategy is in place. Awareness is the first and strongest defense against vishing. Training should include strict procedures for exchanging information, especially around VPN access, logins and financial accounts, including a verification step such as calling the requester back on a known number before acting on any request. Let employees know it is OK to end a suspicious call and report it as a vish. Those reports help security teams build effective anti-vishing programs that stop vishing before it causes damage.
February 29, 2024
By IANS Research