Vishing (voice-based phishing) uses phone calls or voicemails to trick individuals into revealing personal or corporate information. Vishing is a serious threat that lets adversaries gain a foothold into your company’s networks and direct access to your most critical data. Today’s sophisticated vishing techniques easily bypass many organizations’ prevention tactics, making vishing a rewarding option for attackers. As a result, security teams must understand how vishing targets their organization, the potential impacts on the business and how to best update their anti-phishing strategies.
This piece explains how to recognize, prevent and respond to vishing attacks and create an effective
anti-vishing program to improve awareness among employees and build cyber resilience.
How To Recognize a Vishing Attack
Common Vishing Techniques
Vishing or hybrid vishing (vishing combined with other social engineering attacks) begins with contact by email, text message or social media channel to request personal or financial information. Callers might: pretend to be from the company’s IT or finance department; impersonate an executive, business partner or federal agency; or claim to be from a software vendor used by employees at your organization. The caller then attempts to convince the employee to provide private information or take an action that will be used to compromise the company’s networks, gain access, or steal data or funds. Be suspicious of anyone who calls with a request that includes:
- Account issues: Vishing calls demand urgency or immediate resolution, and often threaten problems with IT, financial or vendor accounts, logins, software or hardware from sources difficult to verify.
- Information queries: Attackers may ask to confirm names, logins, passwords, birth dates, Social Security numbers, financial info and other identifying details. They may even provide partial information on coworkers or vendors to convince victims and obtain the info they need.
- VPN configurations: Attackers may ask an employee to sign into a “new” fake VPN site and gain internal VPN logins and credentials for direct access to the organization’s networks.
Respond and Recover from Vishing Attacks
Vishing sets the groundwork to launch other secondary crimes, including malware and ransomware, data and financial theft, malicious data deletion and general business disruption for spite. Hackers can sometimes manage to gain unrestricted access to your entire network, placing all the organization’s data at risk. Vishing and related phishing incidents must be reported when recognized so security teams can move quickly to respond. A solid security response plan that minimizes the potential
impact of a vishing attack on your business must include:
- Report incidents immediately together with the information disclosed to determine potential damage of the attack. Verify which financial institutions, vendors and federal agencies must be alerted, along with any partners or branches of the business that may be affected. Communicate the security threat so the organization is aware and can recognize other potential risks.
- Alert the incident response team to allow your organization to handle the vishing and resulting security incidents completely from the start. A comprehensive incident response plan should be in place well in advance and updated over time as new security threats arise.
- Determine if the business continuity plan should be triggered. A solid business continuity plan can be a robust living document, or a simple list of expectations to keep the business running.
How to Prevent Vishing Attacks
Vishing can often go undetected, and security awareness is critical because untrained employees may not recognize and report suspicious phone calls. Vishing attacks focus on high-value business targets, such as call centers, IT administrators, accounts payable, sales, HR, executive management and especially employees new to the company. Security teams should implement the following vishing prevention measures to protect their organization:
- Update security awareness programs with vishing test exercises to train employees on how to recognize and report vishing attempts. Train employees at all levels to pay attention by verifying caller identity and the authenticity of email links (hover over links first to confirm URLs). Advise all employees to refrain from texting sensitive information in social and messaging apps other than official company platforms.
- Use technology to block unknown numbers and add mobile apps to route calls to your company’s VoIP.
- Supplement native email security. Make sure anti-spam and anti-phishing solutions are current.
- Enforce MFA to limit access to sensitive data and prevent lateral movement within the network. If MFA has been implemented, harden your usage by deploying additional forms of authentication.
- Consider implementing a zero-trust security model and granting least privilege access based on verifying who is requesting access, the context of the request and the risk of the access environment.
- Restrict VPN connections by using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains and help indicate other possible security threats.
Vishing attacks continue to increase, and organizational security awareness is your first and strongest defense. Organizations must have strict security protocols about exchanging information, especially as it pertains to IT, VPNs, logins, financial accounts and vendors. Train employees to verify all information requests, end suspicious calls and report such calls immediately. This helps IT security teams build effective anti-phishing programs to deter vishing attacks and keep the organization safe.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.