What is a Vishing Attack, How Do You Defend Against It?
Adrien Gendre
—January 05, 2023
—4 min read
Big companies like Cisco and Twilio have grabbed headlines after recently falling victim to a vishing attack, but these cyber threats can affect any business if left unchecked. Fortunately, as vishing attacks have become more prevalent, organizations have evolved their cybersecurity measures and training to address this emerging threat.
In this article, you'll learn the basics of vishing, how vishing differs from phishing, and most importantly, how your organization can recognize these attacks and stop them before they succeed.
What is a vishing attack?
A vishing attack is a form of phishing that uses phone calls as the attack vector. During a vishing attack, threat actors call the victim and pose as representatives from an organization, often a financial or government institution. Scammers then use social engineering tactics to get victims to take action over the phone, such as divulging account credentials or financial information.
The recent rise in vishing attacks
In May 2022, Cisco fell victim to an intricate vishing attack that resulted in internal data being published on the dark web. A scammer, impersonating representatives of several trusted organizations, placed a series of voice phishing calls to fool a Cisco employee into approving MFA push requests on their device. Those approvals gave the scammer access to internal Cisco information, which was later leaked on the dark web.
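The push-approval trick described above leaves a recognizable trace in MFA logs: a burst of prompts for one user, mostly denied or timed out, ending in an approval. The script below, added here as an example and not code from the original article or from Cisco, scans constructed sample log lines for that pattern. The log format and field names (user, event, result, src_ip) are assumptions for the example; adapt them to your identity provider's export.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example, not from the original article or Cisco's tooling. Scans
constructed, line-oriented MFA events for a user who receives a burst
of push prompts in a short window and then approves one. The field
names (user, event, result, src_ip) and the timestamp format are
assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2022-05-24T09:00:05Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2022-05-24T09:00:41Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2022-05-24T09:01:12Z user=alice event=mfa_push result=timeout src_ip=203.0.113.7
2022-05-24T09:01:50Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2022-05-24T09:02:30Z user=alice event=mfa_push result=approved src_ip=203.0.113.7
2022-05-24T09:00:10Z user=bob event=mfa_push result=approved src_ip=198.51.100.20
2022-05-24T10:15:00Z user=carol event=mfa_push result=denied src_ip=192.0.2.9
2022-05-24T11:40:00Z user=carol event=mfa_push result=approved src_ip=192.0.2.9
"""


def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_push_fatigue(log_text, window=timedelta(minutes=10), min_prompts=3):
    """Return alerts as (user, src_ip, prompts_in_window, approval_time).

    An alert fires when a user receives at least `min_prompts` push prompts
    within `window`, at least one of the earlier prompts was not approved,
    and the last prompt is approved. A single approval after repeated
    denials or timeouts is the signature of an attacker wearing the victim
    down, often while talking them through it on the phone.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "approved":
                continue
            # Every prompt for this user in the window ending at this approval.
            recent = [e for e in events[: i + 1] if ev["ts"] - e["ts"] <= window]
            earlier_rejected = any(e["result"] != "approved" for e in recent[:-1])
            if len(recent) >= min_prompts and earlier_rejected:
                alerts.append((user, ev["src_ip"], len(recent), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for user, ip, count, when in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: {count} push prompts from {ip} ending in approval at {when}")
```

On the sample data only alice is flagged: five prompts in under three minutes, the first four denied or timed out, then an approval. Bob's single approval and carol's two prompts an hour apart are normal. Tune `window` and `min_prompts` to your own baseline, and treat the source IP as a second signal: a push burst from an address the user has never authenticated from is worth a call to the user before the attacker makes one.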
The recent Cisco vishing attack is just one of several high-profile examples. With the global pandemic leading to a rise in at-home workforces, employees are seeing the line blur between their professional and personal lives. In turn, filtering out distractions and catching nefarious links and messages has become more challenging for the average worker. This has created the ideal situation for threat actors to use social engineering. And because a phone call bypasses the email and network controls that IT staff rely on, and those staff cannot secure every employee's home network, technical measures alone do little to stop a vishing attempt.
Businesses should be proactive in their user awareness training to ensure employees are practicing good cyber hygiene, in addition to knowing the warning signs of a potential vishing attempt.
What's the difference between vishing and phishing?
Vishing is a form of phishing, a threat that attempts to socially engineer a user by impersonating a well-known, trusted brand. Phishing and vishing attacks use many of the same techniques, such as creating a sense of urgency, to entice victims into taking a compromising action. Ultimately, both threats work to accomplish the same objective: gain control of information or accounts for nefarious purposes. Like phishing, vishing attacks have also resulted in serious financial losses for many organizations.
While both cyberattacks lean on social engineering tactics to lull their victims into a false sense of security, the main difference between phishing and vishing attacks is their vector. Phishing attacks weaponize email to exploit users, while vishing attacks are carried out by phone. However, threat actors may also use both types of attacks in tandem to exploit victims.
An example of this is BazaCall, a cyberattack that begins with a phishing email that encourages users to call a phone number controlled by threat actors. If victims call the number, the vishing attack commences with the aim of getting the victim to download malware. Data suggests that these hybrid attacks are among the most detrimental to organizations, with phishing attempts being 3x more effective when paired with a phone call.
You can think of phishing and vishing as falling under the larger social engineering umbrella. Both are among the most common—and successful—threats that rely on social engineering.
Common ways vishing attacks are carried out
While some types of vishing are widely recognized, others may be unfamiliar. Here are some of the more common ways vishing attacks are carried out, so you know how to spot them going forward.
The Voice over Internet Protocol (VoIP) attack
Voice over Internet Protocol (VoIP) services, which carry phone calls over the Internet, saw a surge in use during the global pandemic. They also create ideal conditions for vishing: VoIP makes it cheap to place large volumes of calls from anywhere, and many providers let the caller set the caller ID they present, so a threat actor can display a number that closely matches, or exactly matches, a legitimate, trusted number on the victim's phone. The victim does not need to use VoIP at all; only the attacker does, which is why a familiar-looking caller ID is no proof of who is calling.
Once a user answers, the threat actor will use vishing social engineering tactics to convince them to hand over login credentials, "verify" their identity on a malicious website, or reveal sensitive company information. VoIP attacks will often impersonate representatives from government agencies or law enforcement, two entities that in most contexts command attention, trust, and swift action.
The bank scam
In this type of vishing attack, a threat actor will impersonate someone from a bank and inform the victim that there's an issue with their account. The caller might say funds must be moved to a "safe" account or that login credentials are needed to rectify the issue. Ultimately, the threat actor's goal is to convince the victim to wire money to a fraudulent account or to hand over direct access to the real one. A bank does not ask customers to read back passwords or one-time passcodes over the phone; a caller who does is a scammer, and the safest response is to hang up and call back on the number printed on your card.
The “too good to be true” offer
Many of us have been on the receiving end of this “too good to be true” offer. Whether it’s a threat actor promoting the chance to unload all your student debt or get a sizable check from social security, these unsolicited offers are meant to entice users into taking immediate action. To take advantage of the offer, threat actors will often request that victims pay a nominal fee or divulge sensitive information. Once victims comply, they quickly learn the nefarious intent behind the threat actor’s offer.
4 steps for protecting yourself
Vishing attacks are becoming more prevalent and complex. Nearly 70 percent of organizations globally reported encountering a vishing attack in 2021, a 54 percent increase from 2020. Despite the growing threat, your organization can defend against vishing attacks. Here are actions your organization can take to avoid exploitation by this form of attack.
Educate your employees
The best prevention against vishing attacks is to provide your employees with a thorough education, including how to identify the common signs of a vishing attack and appropriately respond. With the right user awareness training in place, you can strengthen the greatest weakness in your cybersecurity posture and limit the likelihood of a successful attack.
Opt out of telemarketing calls
You can add your number to the National Do Not Call Registry, a system maintained by the Federal Trade Commission that tells telemarketers which phone numbers they must not call. Being on the registry doesn't prevent vishing attacks, since scammers ignore it, but it does thin out legitimate telemarketing. Because threat actors often pose as telemarketers, an unsolicited sales or "account problem" call to a registered number is itself a warning sign. You can add your number to the registry by either:
- Visiting the FTC Website
- Calling the FTC directly: 1-888-382-1222
Report suspicious numbers
Another preventative measure is to encourage your employees to report suspicious calls so that the numbers can be added to your blocklist. Blocking reported numbers keeps known scam callers from reaching employees, the greatest vulnerability in your cybersecurity. Bear in mind that caller ID is easily spoofed, so a blocklist stops repeat callers but not an attacker who presents a new or forged number. Reporting is still worth the effort: a cluster of reports tells security staff that a campaign is underway, and a number that claims to be one of your own extensions but arrives from outside is a sign of spoofing that no blocklist would catch.
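One way to implement the blocklist check, as an added example that is not code from the original article: normalize reported numbers to a single form so that "(800) 555-0199" and "+1 800 555 0199" match the same entry, and add the spoofing check a blocklist alone cannot do. The reported numbers, the call record fields (caller, trunk), the internal number range, and the assumption that the PBX never routes its own extensions in through the external provider are all constructed for this example.

```python
"""Screen inbound calls against a reported-number blocklist, plus a
caller-ID spoofing check. Added example, not part of the original
article. The numbers, the call record fields and the internal number
range are assumptions constructed for this example."""
import re

# Numbers employees reported as suspicious, kept in E.164 form. Constructed.
REPORTED = {"+18005550199", "+12025550143"}

# The organization's own direct-dial range, assumed to be +1 202 555 01xx.
INTERNAL_PREFIX = "+120255501"


def normalize(number, default_country="1"):
    """Normalize common North American number formats to E.164.

    '(800) 555-0199', '800.555.0199', '1-800-555-0199' and '+1 800 555 0199'
    all become '+18005550199'. Numbers that already start with '+' keep
    their country code. Anything else is rejected rather than guessed.
    """
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+") and digits:
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError(f"unrecognized number format: {number!r}")


def screen_call(caller, trunk):
    """Return 'block', 'flag' or 'allow' for an inbound call.

    `trunk` is 'external' (PSTN/SIP provider) or 'internal' (calls placed
    from the PBX itself). Assumption for this example: the PBX routes
    calls between its own extensions internally, so a caller ID inside
    the internal range that arrives on the external trunk is spoofed.
    A blocklist cannot catch that case, because the displayed number is
    a legitimate one. A caller ID that cannot be parsed at all is also
    flagged rather than silently allowed.
    """
    try:
        num = normalize(caller)
    except ValueError:
        return "flag"
    if num in REPORTED:
        return "block"
    if trunk == "external" and num.startswith(INTERNAL_PREFIX):
        return "flag"
    return "allow"


if __name__ == "__main__":
    # Constructed call records: (caller ID as presented, trunk).
    for caller, trunk in [("(800) 555-0199", "external"),
                          ("202-555-0150", "external"),
                          ("+1 202 555 0150", "internal"),
                          ("+44 20 7946 0958", "external"),
                          ("anonymous", "external")]:
        print(f"{caller!r:20} via {trunk:8} -> {screen_call(caller, trunk)}")
```

The "flag" outcome is deliberately separate from "block": a spoofed internal number or an unparseable caller ID is a strong signal, but blocking it outright could drop a legitimate call from a mobile employee whose carrier presents the number oddly. Route flagged calls to a receptionist or voicemail and log them, so a burst of flagged calls becomes visible to security staff.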
Adopt AI threat detection and response solutions
While multiple solutions afford you protection against an initial vishing attack, your organization also needs protection in the event an attack successfully compromises an employee account. Threat actors use compromised accounts to launch multi-phased cyberattacks, including internal phishing campaigns, spear-phishing emails sent from the trusted account, malware distribution, and more. To limit further compromise, adopt AI threat detection and response technology that watches for the internal threats and insider-style activity that typically follow an account takeover.