What is a vishing attack and what does it look like?

Vishing attacks can take many forms, but the hallmark of vishing is unsolicited phone calls to your employees. Usually these phone calls claim to be from a legitimate organization that your business might already be doing business with. More sophisticated vishing attacks will also spoof caller ID. Here are some examples of vishing attacks:

  • The bank scam. In this vishing attack, someone calls a representative from your company, pretending to be from the bank that processes your paychecks. The scammer then claims that something went wrong with the payments: there may have been an error or a data breach. In this scam, the ultimate goal of the scammer is to obtain your company’s banking information (which may include usernames, passwords, bank account numbers, etc.).
  • The tax scam. We’ve all received those robocalls claiming to be from the IRS. Most of these vishing attacks are not very sophisticated, opting instead to contact as many people in as short a period of time as possible, but some of them spoof legitimate IRS phone numbers on the recipient’s caller ID.
  • Technical support. Vishing attacks can also impersonate your own company. This is especially common in spear-phishing and whaling attacks. The scammer typically pretends that some work needs to be done on an employee’s computer, then directs the recipient to a fraudulent website, where they download malware that infects their computer, potentially compromising the entire network.

Companies that run inbound call centers are particularly vulnerable to vishing attacks because they handle a high volume of calls daily, and many have policies that prohibit workers from hanging up. If you operate an inbound call center, be sure to establish user verification and train your call center employees on the threat vishing poses to your business.

Examples of Real Vishing Attacks

Vishing attacks can devastate even the largest companies. Here are some examples of how vishing has changed the landscape for companies doing business on the internet.

  • Perhaps the most famous vishing attack was against Twitter in 2020. This attack targeted 130 verified Twitter accounts of public figures, eventually tweeting from 45 of them and wreaking havoc on well-known public figures.
  • In 2015, Dr. Thamar Eilam Gindin (an Israeli expert on Iran) received a phone call requesting an interview with the Persian branch of the BBC. That phone call directed her to a Google Drive document that asked for her password. Once the attackers got her password, they were able to access her entire account.
  • Also in 2015, a UK law firm lost over £750,000 following a targeted vishing attack. This ultimately led to the attorney in charge of the practice losing her license to practice law.
  • In 2020, a vishing attack targeted AT&T. The scammers posed as customers wishing to switch mobile operators. This attack compromised AT&T users’ passwords and financial information, as well as directly stealing money from users’ accounts.

How do I protect my business against vishing?

Unfortunately, there is no way to prevent scammers from trying to call your business. There are two main ways to mitigate the effects of vishing: you need to train your employees to recognize the signs of a vishing attack, and you need to implement technical solutions to stop the calls from going through in the first place.

It’s always a good idea to have regular security awareness training for all employees in your company, regardless of their title or responsibilities. The look of this training will vary depending on the size and particular needs of your business, but regardless, you will want to train your employees to never provide sensitive information over the phone. Explain to them the forms that phishing and vishing attacks can take. If you have it in your company’s budget, consider running a phishing simulation to see how many of your employees fall for it. The results can be surprising.

On the technical side of the spectrum, you can prevent fraudulent calls from reaching your employees in the first place. You want to choose an anti-vishing protection solution that will scale with your growing business and automate as much as possible.

What should I do if my business is a victim of vishing?

If your business has been the victim of a vishing attack, the first thing to do is change the credentials (such as usernames and passwords) that were compromised. Keep regular backups of all company technology. If your company’s payroll information has been compromised, you’ll also want to create new accounts with the bank. Alert your employees to the vishing attack, as it may be the first step in a multi-pronged attack. Finally, you should report the vishing attack to law enforcement (especially the Federal Trade Commission and the Internet Crime Complaint Center).

*** This is a syndicated Bolster Blog Security Bloggers Network blog written by Bolster Research Labs. Read the original post at: https://bolster.ai/blog/https-bolster-ai-blog-protect-your-business-from-vishing-attacks/