Once viewed as a security threat that only affected individuals, vishing is now increasingly recognised as a threat to businesses.
In this blog, we outline what vishing is, the key signs of an attack to look out for and how to defend your organisation.
What is vishing?
Vishing, a term created by combining the words ‘voice’ and ‘phishing’, is a form of social engineering that uses phone calls, voice-altering software and other methods to deceive people into sharing valuable personal information, such as passwords and bank account details, for financial gain.
Vishing is a form of phishing and shares similar goals. However, instead of a malicious email, victims may receive a phone call purporting to be from their bank or other organisation they trust. Whether it is a real person or a chat bot making contact, the aim is to build a rapport with the victim to encourage or coerce them into sharing sensitive information.
A significant threat to businesses
One of the most high-profile cases of vishing to date is the attack on a large tech company which took place in July 2021. The vishers successfully presented themselves as technical support staff in order to gain access to key internal systems and to the accounts of high-profile figures. They then shared Bitcoin scams from those accounts and defrauded people of more than £80,000 in cryptocurrency.
In 2020, a complex vishing attack led to a significant amount of money being stolen from the customers of a large telecoms provider. The attack was initiated by criminals who first called the company posing as customers needing to change their mobile phone provider. It is thought that this is how they gained valid AT&T employee IDs, which enabled them to change passwords, gain access to financial information and move money into their own accounts.
Vishing presents such a serious threat to businesses that, in January 2022, the FBI issued renewed warnings about this type of fraud, following on from its joint advisory with CISA in August 2020. The FBI has warned that, in the business context, vishing is most likely to be used to steal privileged credentials. This shift has been driven by the increase in remote working as a result of the COVID-19 pandemic. Employees now hold valuable company information on their laptops and mobile phones, as well as remote access to additional company resources.
Key indicators of a vishing attack
A sense of urgency or pressure
Be vigilant about a caller creating a sense of pressure, either because of the supposedly time-sensitive nature of an issue or the apparent need to solve a serious and urgent “problem”.
Requests for personal information
Any type of request for personal information should be viewed with caution, particularly when it is made out of the blue. It can be very difficult to ascertain whether this type of request is legitimate or part of a vishing scam.
Access to computers
Another sign of a vishing attack is a caller stating that they need to establish remote access to your computer.
Claims about representing banks, HMRC or government bodies
Claiming to represent, or appearing to be, a legitimate organisation is a big part of the emotional lure of a vishing attack. It takes advantage of the trust that people have in familiar organisations. Legitimate companies do not usually ask for sensitive information to be shared over the phone or via email, and particularly not in its entirety.
How to defend your organisation against vishing
Provide training and awareness sessions to all employees
All employees should receive regular security training. As well as key issues such as password and device management, this should also cover vishing and phishing. Staff should also be advised to be vigilant about the level of information they share on their social media profiles.
Adopt a policy of least privilege
The principle and practice of least privilege access is an important aspect of defending against many types of threats, including vishing. Ensure that your employees, and any third parties with access to your organisation’s network, only ever receive the rights to access the systems, applications and data they need to perform their job. It is also important to undertake regular checks to ensure that privileges are in line with role changes and that access is removed for employees leaving the company.
Adopt technical controls
Technical controls are essential in helping to protect employees and organisations from vishing threats. Standard security controls include web filters, antivirus software and endpoint detection and response solutions.
Use multi-factor authentication
Another important step in defending against vishing attacks is to enforce multi-factor authentication (MFA) across all user accounts. Because MFA requires users to provide an additional layer of authentication, it prevents attackers from gaining access to the associated account in the event of a password being compromised. Staff should also be told that a genuine caller will never ask them to read out a one-time code or approve an authentication prompt, since vishers commonly try to talk victims into doing exactly that.
How Kroll can help
As a leading provider of end-to-end cyber risk management services, Kroll is well placed to help your organisation minimise and mitigate the risks of vishing and other forms of social engineering. Whatever your security challenges, our global team of experts are here to help.