It seems like every month, there’s a new cybersecurity threat businesses have to safeguard against. Vishing is just one form of phishing, but instead of receiving a fraudulent email or text, the scam begins with a voice call, hence the V in vishing.
A More Thorough Vishing Definition
Vishing is when a scammer tries to make would-be victims do something that would compromise their personal cybersecurity or that of their business. Vishers will sometimes use fraudulent phone numbers, social engineering methods, psychological tricks, and even voice-altering software to try to fool their target. Smishing — scams that use SMS text messages — is sometimes paired with vishing attempts.
What’s the Difference Between Phishing and Vishing?
Both vishing and smishing fall under the larger umbrella of phishing scams, where a hacker is trying to trick their target into doing something they shouldn’t, like revealing sensitive information or clicking on a compromised link. These scams are also carried out on social media, which is more specifically known as social media phishing.
The Hidden Dangers of Social Media Phishing
Giving away information about yourself on social media allows attackers to build up a profile on you. This information can be used to impersonate you online, over email, or even over the phone, and it may compromise your accounts. So if you routinely respond to public posts that ask you the model of your first car, your kindergarten teacher’s name, the street you grew up on, and more, you’re making it pretty easy for hackers to guess the answers to frequently asked password-retrieval questions. Social engineering techniques are used to make this type of scam very convincing.
Pro tip: One way to protect against this threat is to use fake responses when setting up password-retrieval questions. Just make sure that you remember, or securely record, the answers you gave.
Recent Vishing Scams
Cybercriminals are constantly evolving their techniques, and vishing scams have also changed over time.
1. The “Helpful” Social Security Admin Call
One day, you get an official-sounding or automated phone call that appears to be coming from the Social Security Administration. Should you stay on the line, you’d be strongly encouraged to call someone else. That person might then pressure you to reveal sensitive account information, all under the pretense that they were helping you resolve an urgent issue.
2. The Scary Amazon Fraud Department Call
You may get a call from someone claiming to be from Amazon because they’ve allegedly noticed suspicious activity on your account. When you get good and freaked out, they’ll ask you to help them cancel the fraudulent order by giving them a whole bunch of data, like account credentials or your credit card information.
3. Just Your Everyday, Psychic Tech Support
You’re just minding your own business when you get what seems like an urgent call from someone who says that one of your smart devices has been hacked. Wow! How did they know!? Not to worry, though. If you call a certain number, they’ll help you fix it! When you call, the rep may ask you to pay them through a gift card or a wire transfer, try to coerce you into giving them sensitive information, or ask you to click on a link that lets them inside your device.
4. The Impersonated Employee
This one just happened to MGM Resorts, and it’s costing them over $52 million in lost revenue! A hacker did their research, successfully impersonated a member of the organization, and called its IT support. Because the hacker already knew the employee’s password and other information, like their Social Security and driver’s license numbers, it was easy to convince the help desk to reset MFA factors for super admin accounts. Once inside, the hacker unleashed total chaos.
5. The Overdue Invoice
You get a call from someone who says they’re from an organization that your company does business with. They explain that one of your business’s invoices is now overdue. Of course, this needs to happen immediately due to blah, blah, blah, which is why you need to make a wire transfer.
How did this scammer know that your company does business with this organization? This scam may have started just as low-tech as it sounds: they probably went through your trash.
How To Defend Against Vishing
These scammers often try to override any suspicions you might have by scaring you or otherwise manufacturing urgency, so you act before you’ve had time to think. Be on the lookout for that behavior, and if someone ever pressures you to act quickly on a call you didn’t initiate, that should raise some red flags.
Here are a few additional tips:
- Be slightly wary of any call you didn’t initiate, even if it looks like it’s coming from an organization you trust. Caller ID can be spoofed to show that a call is coming from a different number, like a trusted organization, an employee, or even a friend
- Shred any documents containing sensitive information, including the names of the companies your organization does business with
- Require two-person approval for invoice payments at your business and have a process to review, confirm, and approve any changes related to payment account numbers
- Sign up for the National Do Not Call Registry to opt out of telemarketing calls
- Don’t engage with callers from unfamiliar numbers, even if they look like they’re coming from your area. Once you answer, scammers will know your number is active, and you’ll receive more scam calls
- Even if you believe your bank or another trusted organization is calling you, and even if they seem to know a lot about who you are, don’t reveal any sensitive information over the phone. If they insist something bad is happening on your account, hang up, and call the organization’s main number yourself
- Be VERY wary of anyone who demands to be paid through a gift card, prepaid debit card, cryptocurrency, wire transfer, money transfer, or by mailing cash
- The instant you suspect a call may be suspicious, hang up the phone immediately. If a call really is coming from your bank, they’ll understand
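The two-person approval and payment-account-change review described in the tips above, modelled as an added example in Python (this is not code from the original post or from any product; the vendor, names and phone numbers are constructed, and the workflow functions are an assumed way of enforcing those controls). The point it demonstrates: the requester can never be one of the two approvers, and a change of bank account is only accepted after someone calls the vendor back on the number already on file, never on a number that arrived with the request.

```python
"""Added example: dual control for invoice payments and vendor account changes.

Controls modelled (assumptions for illustration, not a real product's API):
  1. A payment is released only with approvals from two distinct people,
     neither of whom is the person who requested it.
  2. A change to a vendor's bank account is applied only after an employee
     calls the vendor back on the phone number recorded at onboarding and
     the vendor confirms the change. A number supplied in the change request
     itself is untrusted, because that is exactly what a visher would give.
"""
from dataclasses import dataclass, field
from typing import Optional


class ControlViolation(Exception):
    """Raised when a workflow step would bypass one of the controls."""


@dataclass
class Vendor:
    name: str
    account_number: str       # bank account we currently pay
    phone_on_file: str        # recorded at onboarding; our source of truth for callbacks


@dataclass
class AccountChangeRequest:
    vendor: Vendor
    new_account_number: str
    contact_number_in_request: str             # untrusted: whatever the request says to call
    callback_number_used: Optional[str] = None  # number an employee actually dialled
    callback_confirmed: bool = False


@dataclass
class PaymentRequest:
    vendor: Vendor
    amount: float
    requested_by: str
    approvals: set = field(default_factory=set)


def record_callback(req: AccountChangeRequest, number_dialled: str, vendor_confirmed: bool):
    """Record an out-of-band callback. Only a call to the number on file counts."""
    if number_dialled != req.vendor.phone_on_file:
        raise ControlViolation(
            "callback must use the phone number on file, not a number from the request")
    req.callback_number_used = number_dialled
    req.callback_confirmed = vendor_confirmed
    return req


def apply_account_change(req: AccountChangeRequest) -> Vendor:
    """Apply the new account number only after a confirmed callback on the number on file."""
    if not req.callback_confirmed or req.callback_number_used != req.vendor.phone_on_file:
        raise ControlViolation("account change not confirmed via the number on file")
    req.vendor.account_number = req.new_account_number
    return req.vendor


def approve_payment(req: PaymentRequest, approver: str) -> PaymentRequest:
    """Separation of duties: the requester cannot approve their own payment."""
    if approver == req.requested_by:
        raise ControlViolation("requester cannot approve their own payment")
    req.approvals.add(approver)
    return req


def release_payment(req: PaymentRequest) -> dict:
    """Release only with two distinct approvers; returns the payment instruction."""
    if len(req.approvals) < 2:
        raise ControlViolation(f"need two approvers, have {len(req.approvals)}")
    return {"vendor": req.vendor.name, "to_account": req.vendor.account_number,
            "amount": req.amount, "approvers": sorted(req.approvals)}


def violates(fn, *args) -> bool:
    """True if calling fn(*args) is blocked by a control (used by the walkthrough below)."""
    try:
        fn(*args)
        return False
    except ControlViolation:
        return True


def walkthrough() -> dict:
    """Constructed scenario: an 'overdue invoice' caller asks us to pay a new account."""
    acme = Vendor("Acme Supplies (constructed)", "111-222", "+1-555-0100")
    change = AccountChangeRequest(acme, "999-888", contact_number_in_request="+1-555-0199")
    results = {
        # dialling the number the caller gave us is rejected outright
        "callback_to_request_number_blocked": violates(record_callback, change, "+1-555-0199", True),
        # applying the change before any callback is rejected
        "change_without_callback_blocked": violates(apply_account_change, change),
    }
    record_callback(change, acme.phone_on_file, vendor_confirmed=True)   # real vendor confirms
    results["account_after_confirmed_change"] = apply_account_change(change).account_number

    pay = PaymentRequest(acme, 12500.0, requested_by="alice")
    results["self_approval_blocked"] = violates(approve_payment, pay, "alice")
    approve_payment(pay, "bob")
    results["single_approval_blocked"] = violates(release_payment, pay)
    approve_payment(pay, "carol")
    results["released"] = release_payment(pay)
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the callback number is compared against `phone_on_file`, which was captured when the vendor was onboarded, so a caller who spoofs the vendor's caller ID or supplies a "new contact number" gains nothing from the change request alone.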
The Importance of Employee Training
Every single one of us has careless moments or times when our emotions get the better of us. Hackers are always evolving their techniques, and once one scam stops working, they’ll just try a different angle. It’s extremely frustrating, but as with most other crimes, basic safety precautions go a long way.
If your organization doesn’t currently provide ongoing security awareness training, it’s time to start. We’re all human, and according to KnowBe4’s most recent Phishing by Industry Benchmarking Report, roughly ⅓ of us are highly phish-prone. That same report, however, found that regular training can reduce those odds dramatically.
Of course, YOUR staff is too smart to fall for some wire transfer scam...right? Don’t be so sure! Click below to read up on why simple scams still succeed at an alarming rate and how you can protect your staff and your business.