What is Vishing?


By Eddy Berry, Security Research Analyst, TraceSecurity

Social engineering continues to evolve every day. With advances in technology and the use of artificial intelligence, it is becoming harder to tell real from fake in cyberattacks like vishing. Bad actors have always pretended to be other people, but with the help of AI, they can even clone voices and impersonate real people, especially people who do public speaking and events.

However, with information that is publicly available, bad actors don’t even need to clone voices in order to get into a network. Employees who lack security awareness can easily be fooled by these scammers. Some scammers will pose as IT professionals or fellow employees, asking the employee to go to specific websites for “check-ups” or for password resets.

What is Vishing?

Vishing is a social engineering method that uses voice calls or voicemails to try to get sensitive information or to gain access to a business’s network. It is a form of “phishing,” the similar attack carried out over email. Phone calls are still used in many businesses today, so vishing remains an effective way to get around network protections.

Many businesses retain third-party firms for things like IT and repair services, and many bad actors are able to assume these roles. Using information gathered on the Internet, such as details from previous cyberattack incidents or directories, they will assume the identity of one of these people and try to get information from an employee. This can range from login credentials like passwords to something as simple as the schedule of someone who works there.

It’s never a good idea to give this information out to anyone without verification, especially if they are insistent. They will attempt to rush you through a conversation, possibly resorting to yelling or shouting. This sort of intimidation is common across scams. Sometimes it is successful, and it can cause a huge disruption of service and a loss of money and of trust among consumers.

Vishing With AI

One of the rising issues with this type of social engineering is artificial intelligence. AI tools are getting so advanced that a bad actor can feed a recording of a voice into one of these models and it will create a voice that sounds very similar. This is relatively simple to do, especially if the voice is taken from a phone call or public interview.

The use of AI is becoming more and more widespread, so it’s more important than ever to verify who is on the other end of the line. Even if callers say who they are, they could be impersonating someone else. This is where many cyberattacks succeed: if no verification is made, it is easy for a scammer or hacker to obtain even more information.

Defend Against Vishing

Vishing can easily be stopped by a few checks and verifications. Keep security awareness in mind and verify the caller with specific checks like employee IDs, databases, and other tools at your discretion. Even if it’s a matter of putting the caller on hold to call someone else, it’s a crucial check that needs to be done with any “official” call.

It’s important to remember that no employee or business will call you for login credentials, especially passwords. They will never call and ask you to download something without a notice to the company or other information having been passed on from the IT department. Regardless of who is calling, verifying is important.

It is also important to keep in mind your company’s policies and procedures. These are in place for a reason, so if someone is calling you, you should be following these guidelines. If you aren’t familiar or don’t remember these procedures, it’s crucial to read them over and keep them in mind. They may seem like a long-winded process, but they’re there to keep you and the business safe.

Vishing is a type of social engineering attack that uses a phone call to get sensitive information from the victim. The attacker will try to impersonate someone, usually a fellow employee, an IT professional, or even a high-ranking executive. The most common form is either an IT person checking on an employee’s access or a contractor who needs to get information for a repair job.

Regardless of what someone is calling for, security awareness should always be on the top of your mind. If something seems weird, it probably is. Always verify who the other person is, especially if they’re pushing to get something done quickly. They may seem nonchalant about it, but no matter what the response is, always check who is calling. If you can’t verify who it is, either stop talking to them or contact your IT professional.

Vishing is becoming more complicated every day. With AI and other impersonation methods growing more complex, it can be difficult to determine what is real and what is fake. Either way, always follow your business’s policies and procedures. It may seem troublesome, but it’s a necessity for security.
