Cybercriminals are motivated and creative, which is not a great pairing for their victims. Just when we think we know what to watch out for, there’s something new to worry about. Right now, voicemail phishing (vishing) attacks are on the rise. Find out more about vishing and what you can do about it.
First, a reminder: phishing refers to bad actors sending fraudulent emails. They use social engineering to get you to reveal personal or sensitive information. For example, employees might get an email that looks like it’s from your IT team. It might ask them to renew their access credentials in the next 24 hours, but they need to enter their existing credentials into an online form to make the change.
Vishing also relies on social engineering – it targets our impulse to trust or help – but, vishing does this using voicemail. Cybercriminals use this approach to attack individuals and businesses, and they aim to obtain the information they need to perpetrate further crimes.
How does vishing work?
Cybercriminals prepare in advance to make vishing more convincing. They’ll call from what looks like a local number, and you’ll be more likely to answer. They learn enough about their victim or the organization they claim to be from to appeal to human nature.
A vishing attempt will:
- use urgency to encourage you to act;
- leverage false credibility to convince you they’re legit (e.g. calling from the government, tax department, IT support, or HR);
- employ persuasive language to make you want to help;
- take a threatening tone so that your fear you will be arrested or have your bank accounts shut down to override your suspicions;
- reference current events to tap into your worries (e.g. during the tax season, criminals might spoof tax collection agencies; or during COVID, people were promised testing kits for sharing their bank information).
Avoid falling victim to vishing
Make vishing awareness part of your security training for employees. Communicating how to avoid falling victim can help your business stay safe.
The number-one rule is to never provide or confirm personal information by phone. A bank, hospital, tax office, or the police are not going to call you on the phone to ask for personal details. And they are definitely not going to call and try to motivate you to act urgently.
It is also unlikely that your manager or human resources would call you at home to ask you to transfer funds, provide confidential data, or email documents from your personal account.
Always ask for proof that you can use to verify the caller is who they say they are and works where they claim to. If you’re given a number to call to confirm the caller is legit, look it up. Call on a different phone to check that it’s a real number.
Stay aware of the latest trends. For instance, a new take on vishing sends emails claiming to share links to voicemail messages on LinkedIn- or WhatsApp-type services. If the recipient clicks on the link, they go to a convincing page (complete with CAPTCHA for added legitimacy) where crooks try to capture their access credentials.
This latest iteration of vishing aims to evade your cybersecurity solutions. There’s always something to keep up with. Need help? Our experts can set your business up for network security success. Contact us today at: