What Is Vishing?
Your phone rings. It’s a colleague who’s working from home. You know it’s him because he teases you about a football game you just posted about on Facebook. He says he forgot his network login and password. Can he use yours? You feel a slight twinge of worry, but you give him your credentials anyway. You should be worried. You were just the subject of a vishing attack.
Vishing is a play on words, a contraction of “voice” and “phishing.” It refers to a mode of attack that involves the use of phone systems to “phish” for personal or proprietary information. Once the attacker has convinced you to share your information, he can steal your identity, access confidential information, and more. He can even hold your valuable data for ransom.
Vishing vs. Phishing vs. Smishing
How is vishing different from phishing and smishing? It’s worth taking a minute to explain each threat.
Phishing
Phishing got its odd name from a reference to the “phone phreaks,” the original hackers of the 1960s, who were experts in tricking the phone company into giving them free long-distance calls. A phishing attacker is “fishing” for your information. The process typically starts with an email purporting to be from a friend or colleague. Or the attacker poses as an employee of a company, like your internet service provider. Their goal is to get you to divulge sensitive information, such as your Social Security number or login credentials. Spear phishing is a more advanced form of the threat. It involves the attacker researching you online to learn things about you that only a friend would know.
Vishing
Vishing is the voice version of a phishing attack. The attacker calls the target and tries to extract valuable information. Some victims are corporate employees, but often, they are elderly people or adults who lack the savvy to understand what’s going on. For example, an attacker may call and claim there’s a problem with your computer that they can fix — and then ask for bank account and credit information to “pay for the service.”
Smishing
Smishing refers to a phishing attack executed through SMS text messages or comparable mobile messaging services. The attacker sends a text message, often friendly, and encourages the target to respond with personal information. The attack may start with, “Hi, how are you doing?” but then escalate to “I need help. Can you send money to my CashApp?”
How to Recognize Vishing
It can be difficult to recognize a vishing attack, but a few telltale signs often present themselves if you know what to listen for. In most cases, there’s an urgency to the call. The caller also needs you to take some sort of action — like logging them into a system or giving them a credit card number. Think about this example for a minute, “I need the password now! The boss is mad at me. Please!”
Any type of immediate request especially if it involves sharing login credentials, credit card information, or even wiring money should be internally flagged as a potential vishing attack. And when in doubt – if something makes you pause and concerned – take a step back and validate the request through known communication channels.
What You Can Do to Protect Yourself From Vishing
Vishing and smishing are effective modes of attack because they get around an increasingly powerful array of countermeasures that prevent phishing attacks. Email security software is now able to identify, filter out, and remove many phishing attacks. Few such controls exist for voice calls and text messages. That makes risk mitigation challenging but not impossible.
The best approach is to invest in security awareness training. This helps employees learn how to identify and respond to common hacker tactics in a vishing attack. TPx can help. Our programs help improve your security posture so you can stay ahead of hackers.
Contact us today to start implementing industry-leading security solutions.