Cybercriminals are always looking for new ways to scam users, and attacks keep growing more sophisticated and more common. Organizations must remain vigilant and understand every avenue an attacker can use, including vishing (voice phishing), which uses the telephone as the channel for the scam.
This post defines vishing and lays out the critical steps for keeping your employees from falling prey to it.
What is Vishing?
Vishing is a cybercrime carried out over voice communication, most often VoIP (voice over IP) phone systems. The caller uses social engineering tactics to defraud the person who answers.
In many cases these scammers impersonate the government, the IRS, a bank agent, the police, or another organization the victim is inclined to trust. The content of the call is typically a threat of arrest, bank account closure, or some other serious consequence unless the victim acts immediately.
Unfortunately, many people fall for it and give in to the scammer's demands. They may hand over private information such as bank account details, Social Security numbers, or other sensitive data.
What’s the State of Vishing?
Vishing grew tremendously in 2020, partly as a consequence of remote work. In August 2020 the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency) released a joint advisory on the surge.
They noted that, starting in mid-July, a vishing campaign targeted various companies through their VPN login pages. The actors registered look-alike domains and built phishing pages that mimicked each company's internal VPN login page. They then compiled dossiers on individual employees using social engineering and publicly available information. Calling from spoofed numbers, the attackers posed as a colleague or the IT help desk, told the targeted employee that a new VPN page was available, and sent a link to the fake page. When the victim logged in there, the attackers captured the credentials (and any one-time code the employee typed in) and used them to reach the company's network.
The combination of VPN-dependent remote access and the loss of in-person verification made these attacks fruitful.
One example was the Twitter breach in July 2020. The attackers targeted 130 accounts, including those of prominent figures. The company admitted that social engineering and phone spear-phishing were the cause.
There are several ways that cybercriminals can execute vishing.
- VoIP: Obtaining disposable numbers is cheap and easy for attackers. The numbers can be chosen to look local or to carry a toll-free 1-800 prefix.
- Wardialing: Software dials every number in a chosen area code and leaves an urgent voicemail claiming that some security issue has occurred. The voicemail asks the victim to call back and confirm account information.
- Caller ID Spoofing: This is similar to VoIP vishing, but here the attacker controls what the recipient's phone displays. The call can appear as "unknown" or as a legitimate number, such as the published number of a trusted government organization. Because the displayed number is chosen by the caller, caller ID alone never proves who is on the line.
These are the higher-tech tactics. There is also a low-tech way for attackers to get the information that makes a call convincing: your trash. If documents aren't shredded or properly destroyed, they can be collected and used to build the kind of employee dossier described above.
Now that we've covered the background of the topic, let's discuss prevention.
Ways to Protect Against Vishing Attacks
There are many ways to protect against cybercriminals who use these tactics. They fall into three buckets: awareness, technology, and best practices.
Ensure Every Employee Is Aware and Trained
Employees are often the weak link in a breach, and vishing is just one more way to exploit them. The best thing you can do is run a continuous awareness campaign around cyberattacks as part of your wider cybersecurity education. Here are some ideas for implementing and maintaining such a campaign:
- Every new employee should undergo training.
- All employees should have at least yearly training if not more.
- IT teams should work with marketing or HR to deliver bite-sized security content. You could distribute this via internal newsletters, intranet sites, or visually with signs and posters.
- If employees receive a suspicious call, they should have a process to report it to security leaders.
- Companies should issue advisories to employees about specific scams going on right now, so they'll be more alert (e.g., scams related to COVID-19, or IRS impersonation around tax time).
Use Technology to Prevent Calls
Many organizations use cloud-based phone systems, and these platforms often have built-in spam caller protection. That's a good first line of defense: the platform flags calls from numbers with a poor reputation or that show signs of spoofing, and you can choose to block them or send them straight to voicemail so they are never answered. Keep in mind that caller ID is easy to spoof, so treat this as a filter that reduces volume, not as verification of who is calling.
Further, phone systems today are often part of a unified communications (UC) platform, and there are security features you'll want that platform to have to protect it from attack. Note what these features do and do not cover: they defend the UC platform itself, but they do not stop an attacker who has already talked an employee out of a password or a one-time code. That is why the verification practices in the next section matter as much as the network controls.
- Advanced firewall systems that prevent intrusions and integrate with VPNs and traffic management
- Intrusion prevention systems (IPS) for detecting suspicious traffic that made it through the firewall
- DDoS (Distributed Denial of Service) protection
- Commercial-grade edge routers configured to resist IP-based network attacks
- Regular vulnerability scans
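To make the "block or send to voicemail" decision concrete, here is an added example of a minimal inbound-call screening policy. It is not code from the original post or from any phone vendor; the number range, blocklist and trunk names are constructed for illustration. It encodes two rules a practitioner would want on top of a reputation blocklist: calls with a withheld caller ID never ring a desk directly, and a call arriving on an external trunk while presenting one of the organization's own numbers is treated as spoofed, since genuine internal calls arrive on the internal trunk.

```python
"""Added example: inbound-call screening rules of the kind a UC platform's
spam protection applies. Constructed data; not from the original post."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the organization's direct-dial range (+1415555xxxx) and a
# small blocklist of numbers previously reported by employees.
INTERNAL_PREFIX = "+1415555"
BLOCKLIST = {"+18005550199", "+12025550123"}


@dataclass(frozen=True)
class InboundCall:
    caller_id: Optional[str]  # number as presented by the carrier, None if withheld
    trunk: str                # "external" (PSTN) or "internal" (our own extensions)


def normalize(number: str) -> str:
    """Reduce a presented caller ID to E.164 form so lookups are consistent.

    Assumes North American numbers when no country code is present.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def screen(call: InboundCall) -> str:
    """Return 'ring', 'voicemail' or 'block' for an inbound call."""
    if call.caller_id is None:
        # Withheld ID: park it in voicemail rather than ringing an employee.
        return "voicemail"
    number = normalize(call.caller_id)
    if number in BLOCKLIST:
        return "block"
    # Spoof indicator: an outside caller presenting one of our own numbers.
    # Real internal calls never arrive over the external trunk.
    if call.trunk == "external" and number.startswith(INTERNAL_PREFIX):
        return "block"
    return "ring"


if __name__ == "__main__":
    # Constructed sample calls.
    for call in (
        InboundCall("415-555-0101", "external"),   # our own number, from outside
        InboundCall("+14155550101", "internal"),   # same number, genuine internal call
        InboundCall(None, "external"),             # withheld caller ID
        InboundCall("(800) 555-0199", "external"), # blocklisted toll-free number
        InboundCall("+1 206 555 0144", "external"),# ordinary outside caller
    ):
        print(call, "->", screen(call))
```

The two rules are deliberately narrow. A spoofed number that does not collide with your own range or the blocklist still rings through, which is exactly why the training and callback practices below are needed alongside the technology.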
Other Best Practices to Protect Against Vishing
There are several other practices that help keep vishing attacks at bay. Routing calls through your UC platform's mobile app keeps them on the company VoIP system, where the screening above applies, instead of sending them straight to an employee's personal smartphone number, which has no such protection.
You can also let employees know, especially those working in contact centers, that it's okay to hang up. If an employee recognizes a call as vishing, the best thing to do is end the call.
Finally, have strict protocols for exchanging information, especially anything involving accounts or wire transfers. A good baseline is that no bank-detail change or payment is acted on from an inbound call alone: the employee hangs up and calls back a number taken from an independently maintained directory, never one the caller supplies, and a second person approves the change. With that as part of your bedrock, employees have a script to follow instead of having to judge each call on their own, which makes them far less likely to fall for a scam.
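Here is an added example of such a callback-verification gate for sensitive requests. It is not code from the original post; the vendor directory, request fields and decision labels are constructed for illustration. The key property it enforces is that only a callback to the directory number counts as verification: a caller ID that happens to match the directory, or a callback to a number the caller asked us to use, never does.

```python
"""Added example: callback-verification gate for requests that would change
payment details or move money. Constructed data; not from the original post."""
from dataclasses import dataclass
from typing import Optional

# Constructed: known-good contact numbers maintained by finance and populated
# out-of-band (from contracts or earlier verified conversations), never from
# details supplied during an inbound call.
VENDOR_DIRECTORY = {
    "acme-supplies": "+12125550147",
    "globex-corp": "+13105550188",
}

SENSITIVE_ACTIONS = {"change_bank_details", "wire_transfer", "share_account_number"}


@dataclass(frozen=True)
class Request:
    vendor: str
    action: str
    caller_number: Optional[str]  # number the caller presented or asked us to call back


@dataclass(frozen=True)
class Decision:
    outcome: str                  # "proceed", "callback_required" or "refuse"
    callback_number: Optional[str] = None
    reason: str = ""


def evaluate(req: Request, verified_via: Optional[str] = None) -> Decision:
    """Decide whether a request may proceed.

    verified_via is the number actually dialled to confirm the request, if a
    callback has already been made. A matching caller ID is ignored on purpose:
    it is chosen by the caller and proves nothing.
    """
    if req.action not in SENSITIVE_ACTIONS:
        return Decision("proceed", reason="not a sensitive action")
    known = VENDOR_DIRECTORY.get(req.vendor)
    if known is None:
        return Decision("refuse", reason="vendor not in verified directory")
    if verified_via == known:
        return Decision("proceed", reason="confirmed by callback to directory number")
    if verified_via is not None:
        return Decision(
            "refuse",
            reason="callback used a number the caller supplied, not the directory",
        )
    return Decision(
        "callback_required",
        callback_number=known,
        reason="hang up and call the directory number before acting",
    )


if __name__ == "__main__":
    # Constructed sample: caller ID matches the directory, but no callback yet.
    print(evaluate(Request("acme-supplies", "wire_transfer", "+12125550147")))
    # Constructed sample: "verified" by calling the number the caller gave us.
    print(evaluate(Request("acme-supplies", "change_bank_details", "+19995550100"),
                   verified_via="+19995550100"))
    # Constructed sample: verified by callback to the directory number.
    print(evaluate(Request("acme-supplies", "change_bank_details", None),
                   verified_via="+12125550147"))
```

Wiring this into a ticketing or payment workflow turns the policy into a gate the employee cannot skip under pressure, which is the point: the scammer's urgency has nowhere to go.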