What Is a Vishing Attack?
Vishing is a phone scam. Vishing, a voice phishing attack, is the fraudulent use of phone calls and voice messages using social engineering techniques to convince individuals to reveal private information such as bank details and passwords. A vishing attack can also be used against businesses when attackers pretend to be an internet service provider employee or tech support to gain access to that business’s passwords and information.
The word “vishing” comes from “voice” and “phishing,” which suggests that a fraudster is dangling a hook or a lure to get unsuspecting victims to reveal usernames, passwords, or credit card details, or download malware onto their devices.
Just last month 2 Las Vegas casinos, MGM and Caesars fell victim to cyber attacks, shattering the image of impenetrable casino security by a Vishing attack costing them millions and millions of dollars.
MGM was down for days, servers down, casino closed, employees and guests private information and credit cards exposed and because everything runs on technology, even hotel doors would not open with the key cards. All of this costing MGM millions of dollars a day in lost revenue.
Caesars paid the hackers over 15 million dollars to get their systems back up. All of this because of Vishing.
In the MGM case, it appeared that the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s IT help desk to obtain credentials to access and infect the systems.
You can read more about that here: https://www.nbcnews.com/tech/security/mgm-las-vegas-hackers-scattered-spider-rcna105238
You may not be a big business like MGM or Caesars, but you still have information that hackers want. Don't have the mind set, they are not interested in your business, because they are. Whether you have ten employees or hundreds, hackers do not care, they want your money. Just think about how many fake emails that come in to your inbox trying to trick you for information, no doubt they are trying to hack your company.
Security is only as good as the weakest link, and unfortunately, as in many cyberattacks, human behavior is the method used by cybercriminals to gain the access to a company’s crown jewels.
Who Are the Main Targets of Vishing Attacks?
When targeting a business, vishing attacks focus on new employees, human resources departments, IT departments and call centers. New employees and employees responsible for making calls to other organizations are at higher risk of being targeted. Vishing scammers will often pretend to be technical support and try to convince someone to provide access to computers. Sometimes these attackers will have potential victims install software with malicious code to gain further access to the business.
When targeting an individual, vishing attacks often focus on average consumers who are likely to have an account with a major bank or delivery service. Vishing attacks will often be vague on details to avoid revealing the attacker’s fraud. After all, convincing someone that their bank account is at risk doesn’t work if they name the wrong bank. Attackers will use fear, greed and panic to stop you from recognizing these attacks.
WHAT'S THE GOAL OF AN ATTACK?
The goal of a vishing attack is to convince the target to provide information the attacker can use for financial gain. This can range from stealing a credit card to stealing an individual’s identity. The goals of vishing when targeting a business are similar — for financial gain — but are often more interested in gaining information about security measures for future attacks.
Signs of a Vishing Attack
The main warning sign of a vishing attack is the caller asking for your information. Some attackers will already have partial information and use that to convince you to share what they don’t know. Always be wary of a caller asking for bank account information, your social security number or other identifying details.
Use of psychological tactics like fear, greed, and a sense of urgency. Threats of imminent arrest or urgent problems with your account are designed to make you act before verifying. Keeping calm when these calls happen and hanging up are the main ways to avoid vishing attacks.
Calling in regards to account issues or technical support. Many times messages will inadvertently pop-up on your computer stating your device is infected and to call a toll free number pretending to be technical support.
5 Types of Vishing Attacks
1. Wardialing: In a wardialing type of vishing attack, cybercriminals call specific area codes and use an automated message to instill fear in victims. They pretend to be a local bank, business or police station calling to verify that their accounts have not been compromised and typically ask for sensitive information like mailing address, bank account information, and even social security numbers.
2. VoIP: VoIPs are one of the hardest vishing techniques to identify because cybercriminals' hide behind a fake number. These numbers are typically 1800 numbers or fake numbers with the local area code.
3. Dumpster Diving: Dumpster diving is a technique not many think is used, but it’s exactly as it sounds. With this technique. Criminals search dumpsters behind banks or other important organizations to gather enough information to conduct a targeted attack towards a victim. Potential information they can gather includes type of account information, phone number, or email and proceed with social engineering techniques with the attack.
4. Caller ID Spoofing: This type of vishing attack is similar to VoIP, with the difference that the caller id, instead of showing a number, shows a message “IRS” or “Police Department”.
5. Technical Support: Scammers will pretend to be someone from customer support from big companies like Apple, Microsoft, or Bank of America. It is important to remember that banks will never ask you for personal information such as social security numbers or passwords over the phone.
How to Recognize Vishing
It's sometimes difficult for people to tell when they are being vished. Victims often don't realize the helpful person on the other end of the phone is conning them until after they've handed over their credentials. However, there are some warning signs that can help them spot potential frauds.
In many cases, callers are self-appointed experts or authorities in their fields. They can masquerade as computer technicians, bankers, police, or even victims themselves.
However, if these callers are legitimate, it shouldn't be difficult to authenticate their professional affiliation with a simple phone call. If they can't — or won't — provide the information necessary to verify their identity, they can't be trusted. If they do provide contact info, it's still important to independently verify the legitimacy by using an official public phone number to call the organization in question.
Vishing Prevention -
Cybersecurity Awareness for Employees
You should include the following points in your cybersecurity awareness training:
1. Never reveal personal data
Vishing attacks are designed to trick the target into revealing personal information, which attackers can use for other attacks or fraud. Do not give any caller personal or company Information, even if they know some of your personal information already. Scammers can steal personal information from other sources or find it on the dark web and will use what they know to trick you into giving them more. The fact that a caller knows something about you or your company is not enough of a reason for you to trust them. Never give a multi-factor authentication (MFA) number, password, financial data, or similar details over the phone.
2. Always check phone numbers
Vishers may call you posing as representatives of a legitimate organization. Before you provide any personal information or follow a caller’s instructions, get their name and make sure you can contact them through an official company number. Do not trust caller ID numbers. Criminals are routinely spoofing legitimate numbers of established companies and services. If the caller attempts to dissuade you from doing this, it’s likely a scam.
3. Organizations do not accept payment via prepaid or gift cards
Vishers often ask for payment for amounts the victim supposedly owes in the form of prepaid cards or gift cards. No legitimate organization will request a prepaid credit or gift card as
4. Never give remote computer access
Vishers could request remote access to your computer under the guise of removing malware or fixing some issue. You should never grant anyone access to your computer, unless they are a verified member of your IT department.
5. Don't give out Network passwords
Just don't do it, vishers use social media to find out employee names and call in acting like your tech support to obtain passwords to your servers and network. Once the hackers have this information, they have access to lock you out, steal your data and charge you ransom to get your system and data back. Kappa will never call you and ask you for your network passwords. We know them!
6. Report suspicious incidents
Vishers typically repeat the same scam on several targets. Report suspected vishing attacks to authorities or security staff at your organization, ensuring they can protect other targets.
Reach out to Kappa Computer Systems immediately if you think you may have given access to your pc or have provided passwords to someone by accident. The quicker you reach out the quicker we can help mitigate the damage.
Growing businesses need fast, effective IT support. Do you just want your computer system to do what it's supposed to do? Do you sometimes feel like your IT support company doesn't understand how important that is to your business, then you found the right IT company. Kappa Computer Systems has spent over 25 years helping clients from all shapes, sizes, and industries get better results from their technology. Kappa partners with our clients to deliver long-term value. Call today to see how we can help you with your IT support needs.
Kappa's blog is listed on the Top 15 Florida Technology Blogs: https://blog.feedspot.com/florida_technology_blogs/?feedid=5574423