Anyone who grew up in the days of landline phones and *67 knows that manipulating people over the phone is a time-tested source of entertainment for bored kids. However, sometimes those kids grow up and continue to deceive people over the phone, using their skills to scam organizations and individuals.
These phone scams have become a lucrative way to earn a living for attackers skilled at conning people into handing over valuable information, from proprietary information to bank account logins. Through a method known as vishing, criminals well versed in social engineering can hack organizations without any technical computer knowledge. None of us wants to think we'd fall for a scam, but vishing scams are deceptively hard to recognize.
What is Vishing?
Vishing, also known as "voice phishing," is a type of fraud where a criminal uses voice messages to access data, steal identities, and hijack other resources. Vishing can be thought of as the telephone version of phishing. Instead of email being used as the attack vector, the phone is used to execute a vishing attack.
A typical vishing attack uses caller ID spoofing, a tactic that allows an attacker anywhere in the world to place a call and make their phone number appear as if it's coming from a legitimate phone number in your area code. This can be particularly convincing because people trust caller ID.
A vishing call recently manipulated employees at a Minnesota Burger King into smashing all of the glass windows at their store. The caller impersonated the local fire department, telling the manager that "the restaurant was pressurized and could explode, so the employees needed to break the windows to relieve the pressure."
Luckily, no one was seriously injured in this attack. While the destruction of property is no laughing matter, the Burger King vishing attack is relatively juvenile when compared with the lasting damage inflicted by more deliberately destructive vishing attacks that aim to steal corporate intellectual property and personal financial information.
These more damaging attacks don't require any additional time or skills to execute. Watch as this vishing expert gains access to a target account in under two minutes.
4 Tips to Prevent Vishing
Be aware of caller ID spoofing. Caller ID creates a false sense of security, and we tend to trust that the name displayed on the caller ID accurately represents the caller. However, just because your caller ID shows the name of a trusted organization, this doesn't always mean the caller is actually from said organization. Voice over IP technology has made call spoofing extremely easy today and commercial services like SpoofCard actually make a living enabling easy caller ID spoofing.
Slow down, think before you act. It's human nature to trust the individuals that you interact with. It goes against our natural instincts to stop and think "my caller ID says this is my bank, the caller knows details about me and says they're from my bank...maybe this isn't my bank?" However, that's precisely what you should do. If you're in doubt about the legitimacy of a call, hang up, look up the phone number of the organization you thought you were talking to, and call them directly.
Report your suspicions. Let your cell phone carrier know about suspicious callers and report vishing attempts to ftc.gov. Providing these organizations with the names and numbers that appeared on the caller ID as well as the time of the suspect calls can help them to blacklist malicious callers.
Test your organization. Detecting fraud is a challenge for even the most security-conscious organizations. As mentioned before, it's human nature to trust those that we interact with, especially in the workplace. Testing your employees with social engineering bait will keep fraud detection and prevention on their mind and help you identify employees who are highly susceptible to scams and train them further.
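The first two tips above (caller ID cannot be trusted; hang up and call back on a number you looked up yourself) can be turned into a small triage routine for a help desk or SOC. The following is an added example, not code from the original article; the organization's own numbers, the trusted directory, and the CallRecord fields are all constructed assumptions. It flags the classic spoofing signal of an external inbound call that displays one of your own published numbers, and it always resolves the call-back number from an independent directory rather than from anything the caller said.

```python
"""Triage of inbound call reports for vishing indicators (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: numbers the organization publishes. An external inbound call that
# *displays* one of them as the caller is a strong caller-ID spoofing signal,
# because your own lines should not be calling you from an outside trunk.
OWN_NUMBERS = {"+16125550100", "+16125550101"}  # constructed sample values

# Assumption: numbers you looked up yourself (statement, card, official site),
# used for call-back verification instead of any number the caller offers.
TRUSTED_DIRECTORY = {
    "example bank": "+18005550199",  # constructed sample value
}


def normalize(number: str) -> str:
    """Reduce a displayed or dialed number to '+<country code><number>' digits.

    Ten-digit North American numbers get a '+1' prefix; numbers that already
    start with '+' keep their own country code; other lengths keep their digits.
    """
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+1" + digits
    return "+" + digits


@dataclass
class CallRecord:
    displayed_number: str    # caller ID as shown to the recipient
    claimed_org: str         # who the caller said they represent
    inbound_external: bool   # arrived from an external trunk, not an internal extension
    asked_for_credentials: bool  # caller requested logins, account numbers, etc.


def flag_call(rec: CallRecord) -> List[str]:
    """Return the list of suspicious indicators found in one call record.

    An empty list does NOT mean the call is genuine: spoofing can make the
    displayed number match the real organization exactly, which is why the
    call-back step below applies to every call, flagged or not.
    """
    reasons = []
    num = normalize(rec.displayed_number)
    if rec.inbound_external and num in OWN_NUMBERS:
        reasons.append("displayed caller ID is one of our own numbers on an external inbound call")
    trusted = TRUSTED_DIRECTORY.get(rec.claimed_org.lower())
    if trusted is not None and num != trusted:
        reasons.append("displayed caller ID differs from the claimed organization's known number")
    if rec.asked_for_credentials:
        reasons.append("caller asked for credentials or account details")
    return reasons


def callback_number(claimed_org: str) -> Optional[str]:
    """Number to hang up and call back on, taken only from the trusted directory."""
    return TRUSTED_DIRECTORY.get(claimed_org.lower())


if __name__ == "__main__":
    # Constructed sample reports, not real calls.
    spoofed_own = CallRecord("612-555-0100", "Example Bank", True, True)
    looks_legit = CallRecord("+1 800 555 0199", "Example Bank", True, False)
    for rec in (spoofed_own, looks_legit):
        print(rec.displayed_number, "->", flag_call(rec) or ["no indicator; verify by call-back"],
              "call back on", callback_number(rec.claimed_org))
```

The second sample record carries no indicator at all even though the scenario is the one the article describes, a spoofed call showing the bank's real number, which is exactly why the routine hands every caller's claim to callback_number instead of treating a clean scan as verification.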
Originally published on 03/17/2019
Topic: Social Engineering