What is Vishing?

Target: Hello

Visher: Hi, this is John, from Microsoft. We received an alert that your computer is infected with a virus. Are you near a computer now?

Vishing (voice phishing) is a term used to describe voice elicitation, or what is usually called a scam phone call. Regardless of the pretext (or pretense) for the call, the caller is typically trying to elicit either information or ill-gotten gains from the target or recipient of the call. The example above is fairly well known, thanks to news media coverage and the sharing of scam calls on social media by both law enforcement and people who have been targeted in the past. But new types of vishing calls are created daily.

Recent versions of the phone vishing scam include, but are in no way limited to, the following:

  • An Internet service provider requesting immediate payment by way of gift card
  • A pizza delivery representative calling to verify credit card information after a declined transaction
  • An IT company calling to request remote access to the target’s computer to fix a problem
  • The IRS calling to tell you that you owe thousands of dollars in taxes and will be arrested if you don’t pay immediately
  • The Social Security Administration calling to request payment to unlock your Social Security Number
  • The local law enforcement agency calling to discuss payment to avoid arrest on an outstanding warrant

Malicious Actors Do Their Research

What makes vishing so effective is the combination of a few factors that, taken independently, might not force the target to comply, but that together become very effective at eliciting the response the malicious hackers or scammers want. One key component is information about the target that adds credibility to the pretext. Put plainly: information about you that makes you believe the caller is who they say they are. For example:

  • Your name
  • Account number
  • Answers to security questions
  • The name of someone you know, or a name you recognize, which lets the caller pretend to be that person
  • Information about your existing order/invoice or past orders/invoices
  • Familial relationship
  • Places you frequent
  • Car you drive
  • Children’s names and ages
  • Schools and Workplaces

Most of this information can be found through what is termed OSINT, or Open Source Intelligence, gathering. Examples of public sources of information include:

  • Company Websites
  • Online Whitepages
  • Search Engines
  • Social Media Websites

One way to help limit a potential attacker’s ability to find this type of information about you is to limit the sharing of personal information online and to keep social media profiles private. Also, talk to family about best practices for sharing online and make sure your efforts aren’t undermined by friends and family.

Other Factors Used by Bad Actors

Several other factors are used to create a believable and effective vishing campaign. Some of the most prevalent include:

  • Spoofing a Number you Recognize
  • Artificial Time Constraints
  • Eliciting an Emotional Response

What can you do to prevent hackers from tricking your brain into reacting emotionally and complying with their request? Any time someone requests something from you over the phone, whether at work or in your personal life, consider the following red flags:

  1. Do not trust Caller ID, as the number may be spoofed – Offer to call the person back at a number you know and have verified you can trust
  2. Stop and ask yourself whether they have put a time constraint on the response that forces a decision to be made immediately – Ask the person to delay the deadline and see if they try to force the issue
  3. If you immediately become emotional regarding the request – STOP! Literally DROP the phone and ROLL the request around in your brain for a few seconds

STOP

Stop before you react impulsively or emotionally

DROP

Drop the phone from your ear and mentally step out of the caller’s pretext

ROLL

Roll the information they have shared with you around in your brain for a few seconds to logically analyze the request and the risk

While considering the caller’s request, pick it apart and analyze what they are asking you to do, why they need it completed so quickly, and whether the threat is serious. If it seems suspicious, it more than likely is.

tl;dr

Trust, but verify. If you receive a call that seems suspicious, insist on calling them back at a number you know to be trusted, taken either from the official website or from one of your mailed invoices.
