Tips About Vishing Simulation

What Are Vishing Attacks and How to Mitigate Them?

May 21, 2020

In any cybersecurity chain, the weakest link is the human, and hackers can easily target it using social engineering attacks like phishing. One of the numerous technology-based phishing attacks used by criminals is vishing.[1] Vishing attacks have been rising globally over the past few years: in 2018, scam calls made up about 30% of all incoming mobile calls.

Vishing combines "voice" and "phishing": it is the use of phone calls by hackers to trick victims into giving up sensitive personal information. A vishing attack is hard for the victim to detect, because you cannot easily confirm who is at the other end of the call.

This is why we put together this article to break down everything you should know about vishing and vishing simulations, from what vishing is to how you can prevent a voice phishing attack.

What Is Vishing?

Vishing is a type of attack in which hackers trick potential victims into divulging sensitive, personal, and confidential information over the phone.[2] Although a voice phishing attack may look like an old-fashioned scam, it can also involve automated voice simulation technology.

How Does Vishing Work?

A voice phishing attack occurs when a person or an AI places a phone call to a potential victim under the guise of an emergency or other sense of urgency, asking them to confirm their details or identity.[3] During the call, the attacker can also ask for further information. The pretext is not always negative: it can also be news that you have supposedly won gifts, money, a trip, etc.

The main goal of a vishing attack is to obtain information such as personally identifiable information (PII), medical information, or other sensitive data that can be used to commit identity theft and fraud. The scammer wants you to hand over the information over the phone quickly, before you realize that you are being scammed, hence the manufactured urgency.

Examples Of Vishing Scams

Here are some examples of vishing attacks.[4]

Telemarketing Fraud

Here the scammer cold-calls you without any background knowledge about you and makes an offer that is too good to be true: that you have won the lottery, a free vacation, a reduction in your credit card interest rate, etc. The catch is that they ask you to pay an upfront fee before you receive the "free" money.

Tech Support Fraud

In this form of voice phishing, the scammer tries to convince a technologically naïve victim that they are being hacked. The scammer may use pop-up ads that look like a warning from the operating system to make the victim believe they are under cyber attack and call the scammer for help mitigating it.

The scammer then gets paid to fix a problem that never existed in the first place.

Compromised Bank Or Credit Card Account

Here, a scammer calls you directly or uses a prerecorded message to convince you that there is an issue with your account or with a payment you made. The scammer then asks you to make a new payment or hand over your login credentials to "fix" the problem.

Government Impersonations

Here the scammer convinces you that a problem is blocking benefits you should be receiving, such as Social Security payments or Medicare. The scammer then offers to fix the issue, but only if you tell them personal information such as your social security number, bank account number, etc.

How to Spot a Vishing Scam?

It can be quite hard for some people to detect when they are being tricked.[5] Here are some warning signs you can use to spot potential fraud.

In many cases, scammers masquerade as bankers, computer technicians, police, or even fellow victims to win your trust. You can test whether a caller is legitimate by asking them for information that lets you verify their identity. More importantly, verify their legitimacy independently: hang up and call the organization in question back on an official, publicly listed phone number.

Another sign of a vishing scam is the sense of urgency. Scammers use urgency to pressure you into giving up information quickly, before you realize that you are being scammed. When this happens, take a deep breath and simply write down the information the caller provides, without giving out any personal information of your own.

Another warning sign is when the caller tries to "confirm" your personal information, such as your name, address, bank account details, birth date, security number, etc. Scammers usually do their own reconnaissance beforehand and use the details they already have to appear legitimate; their real goal is to get the remaining sensitive and confidential information that they don't have.

How to Prevent Vishing Attacks

You don't have to be paranoid about becoming a vishing victim, but you should be careful.[6] Here are some ways to prevent vishing attacks:

Sign Up For The Do Not Call Registry

This is a free way for consumers to stop unwanted sales calls. By signing up for the Do Not Call Registry, you tell telemarketers whom they cannot call. You may still receive calls from companies that you do business with regularly, as well as political calls, debt collection calls, surveys, and informational calls.

Block Robocalls

Robocalls are automated phone calls that deliver a recorded message. Scammers use robocalls to place large numbers of calls in a matter of minutes, increasing their chance of reaching a real person. You can block robocalls automatically using the National Do Not Call Registry.

However, this does not stop scammers, since they simply ignore the registry. For those, you can manually block malicious numbers on your smartphone.

Hang Up The Call

Once you realize that you are on a vishing call, just hang up and block the number. Avoid calling the number back, as it will connect you with the scammer again. Instead, look up the correct number on the organization's website or in a phone directory.

Avoid Pressing Buttons Or Responding To Prompts

If you get an automated message that asks you to press a button or answer a question, don't do it. For example, the message may ask you to say "yes" if you want to talk with an operator, or to press a certain number to be removed from their list. Scammers use these tricks to identify live, responsive targets and then focus on them. Furthermore, the scammer can record your voice and later use it to navigate voice-automated phone menus connected to your accounts.

Educate Your Staff

The best way to curb phishing attacks in any organization is to educate your staff about how hackers exploit weaknesses in the organization. The cybersecurity team can teach all employees the common tactics hackers use, such as phone number spoofing, persuasion, and creating a false sense of urgency.

What Do You Do If You Become A Victim of Vishing

If you have given your personal information to a scammer, the best thing to do is inform the affected institution of the potential breach. For instance, if you gave out financial information, call your financial institution so it can freeze your account before money is lost.

Defend Your Organization Against Vishing with Aware

The best way for organizations to protect themselves against vishing attacks is to hire a certified professional to defend against such threats.[7] That professional can organize mandatory, regular security awareness training for the entire staff. The training can cover best practices for general safety and set policies such as whom to report to in case of a suspicious event and rules for how certain sensitive communications are to be handled.

One of the best vishing simulation exercises the cybersecurity team can use for awareness training is Aware's vishing simulations. The simulation is designed to test your employees in the same way a cybercriminal would try to trick them into revealing sensitive information, so that the training and policies above are exercised under realistic pressure rather than only described.


And remember to always CHECK before you CLICK!
