In our last blog post, we learned that phishing is an old technique that comes to you in many different forms. We are all at risk of falling victim to this form of attack, which is designed to steal your personal and/or financial information or to gather information. Threat actors send you malicious emails, oftentimes about urgent matters, instructing you to click a link that sends you to a fake website or asking you to download a dangerous application. Safeguards can be taken to avoid becoming a victim. Here, in part two of our multi-series blog, “An Understandable Guide to the World of Phishing,” I want to take my time to explain how vishing works and how to avoid becoming a victim of this form of phishing attack.
Because, let’s face it, we expect everyone to be honest. Right?!
Vishing - Phishing by Voice
Vishing is performed over the phone using a voice call. This can occur over a landline, cellular, a Voice over Internet Protocol (VoIP) system (calls over the internet), or by voicemail. Threat actors may “bait” you by creating a sense of emergency or making unrealistic promises to appeal to your sense of curiosity or emotion.
Once they have your attention, they use your emotions to trick you into giving up your confidential information over the phone. Threat actors often provide limited details about your accounts, such as your email address or phone number, while they “phish” for the rest of the details. In this way, vishing is a social engineering attack: attackers use your emotions to coerce you into doing something you would not otherwise do.
How Vishing Works
Threat actors, often calling unsolicited and posing as your financial institution or a government agency, use voice calls or voicemails to convince you to give them your personal identifying information, such as your banking information, your credit card numbers, or even the two-factor code for your financial accounts.
You are tired; it has been a long day at work! Maybe you are on your way to an important appointment, or the dog has been barking ALL NIGHT. The phone rings, and it is your financial institution’s “FRAUD DEPARTMENT!!”
The caller ID shows a toll-free number, which is to be expected, right? The caller on the other end says, “There is unauthorized activity on your account.” She provides you with the email address you used for that account, and she has your phone number, right? She called!
The caller informs you that everything is going to be fine! Their “Fraud Department” has caught it early! All they need to do is verify your account with a verification code sent to your phone. She asks, “Is your cell phone handy??” to which you reply, “Yes, you called it.” The caller sends a verification code to your phone and asks you to provide that code to them IMMEDIATELY!
You provide the code to the caller, thinking WHEWW, I dodged a bullet there! BUT now your email is going off with messages from your financial institution saying you have requested a password change!? At this point, you decide to go to your financial institution’s login page to log into your account, and you can no longer log in!!! You try again, and the error tells you that your username or password is incorrect.
You have been Vished!
This caller was not from your financial institution; it was a threat actor using vishing to steal your financial account. They created a sense of urgency in the call (“unauthorized activity on your account”) to use your emotions to get you to respond at once! They provided your email address and even your phone number. Your trust was gained, and you let your guard down. Vishing is a form of phishing that uses voice calls and your emotions to trick you into providing account information or, in this case, access to the account.
Now that we know how vishing works, let’s investigate how you can avoid becoming a victim of this tactic.
How to Avoid Becoming a Victim
Everyone is in danger of falling victim to this form of attack! There are some things to investigate, and I am going to start with the call. The call came from a toll-free number, which seemed to be legitimate. ALWAYS verify the number! Look it up on the internet or in your phone book. If you cannot verify the number, hang up the phone!
Threat actors usually use an “urgent department” with “urgent matters” to “bait” you. ALWAYS be on guard when anyone calls with urgent matters that need to be acted on NOW! They also use calming tactics, such as “everything will be fine,” to gain your trust.
So, while on guard, be careful not to allow them to phish any more information from you (“Is your cell phone handy?”)! Never give up any details over the phone, especially if you have not verified the number!
In conclusion, while phishing is delivered via email, vishing is delivered to you either by voice call or voicemail. Vishing looks a little different, but the attacker’s goal is still the same: it is designed to “trick” you into supplying your personal/financial information or to gain access to your accounts. Threat actors use your emotions, “social engineering,” to steal and gain control of your accounts, usually your financial ones. Do not be a victim of vishing! Always verify the number. If you have not verified the number, hang up! Be on guard when receiving unsolicited calls from urgent departments with urgent matters at hand! Never provide details over the phone!
Have you become a victim of a vishing attack? We can help!