As cybersecurity becomes more mainstream, hackers continue to find new, unique ways to slip through the cracks. Social engineering is commonly used to exploit these weaknesses, often via email attacks called Phishing. But the phone version of Phishing—Vishing, or Voice Phishing—might have even more damaging consequences.
“Most people think Vishing means you’ll pretend to be from IT or the IRS and try to get my password or credit card info,” explained Chris Silvers, Onepath’s trusted security consultant. “However, Vishing from a professional standpoint is truly just getting information or getting the target to do something that might not be in the company’s best interest. People don’t really think of Vishing at work—they think of scam calls at home. So, people have trouble translating Vishing in terms of what an attacker would want from the place they work.”
What Does Vishing Entail?
Cybercriminals have many motivations for attacking your workplace, and Vishing lets them obtain the information they need to exploit your company. These attacks range in sophistication, from obvious robocalls to targeted, personal attacks. At DEF CON 2018, Silvers gave a talk titled “On the Hunt,” in which he covered an especially nefarious type of Vishing. In this attack, a hacker leverages three-way calls to confuse employees, who then provide the hacker with confidential information.
“Imagine you’re working at a call center for a company and doing support, and the phone rings,” said Silvers. “You’re logged into a Hunt group, which is a 1-800 support call. You answer the phone and are connected to another service rep at your company; you both think it’s a glitch in the system. But if the hacker keeps [connecting people via three-way calls], the same people will be getting the same call, and it becomes a topic of discussion. The hacker can then pretend to be one of those customer service reps, join in on the next phone call, and start steering the conversation. The employees will start leaking sensitive information because they think they’re just talking to each other and no one’s listening.”
Attacks like these require planning, patience, and intelligence. However, the difficulty of pulling off these attacks doesn’t make them rare; in fact, Vishing attempts via robocalls account for nearly 900 million calls a month. Globally, these attacks cost companies approximately $46.3 billion a year, and if companies remain in the dark about Vishing, that number will only continue to rise.
To combat Vishing, Silvers recommends awareness, training, testing, reporting, and analysis. Through these tools, companies gain a better understanding of the threats they face and are better able to stop them. Because cyberattacks are constantly evolving, Silvers recommends using these tools often. And once a company finds a security weakness, it is that company’s responsibility to fix it.
“That’s the last step in the loop,” said Silvers. “Once you go through some awareness training and testing, you take the results of that to improve the program for the next cycle. There aren’t a lot of technical controls you can place on these things. People need to do their job and have their access to systems. By giving them that access, there’s a certain amount of risk. So, the real solution here is education.”
To better educate yourself about cybersecurity risks, take a look at our Master List of Cybersecurity Articles. And if you want to test how vulnerable your company is to Vishing and other attacks, take our cybersecurity self-assessment.