Vishing is a special form of phishing. Here, too, the aim is to get people to disclose sensitive or confidential information. Unlike the “conventional” phishing attack, in which victims are contacted by e-mail, contact is made by telephone. Hence the name “vishing”. Here, the English word “voice” and “phishing” are combined.
Like other phishing methods, vishing is also a form of social engineering. Here, too, the target person’s emotions are targeted – both in a positive and negative sense. Emotions such as fear, doubt, curiosity, and shame are specifically addressed in order to get people to act in the attackers’ interests.
Why is vishing particularly dangerous?
The direct contact that results from the telephone conversation can further intensify the feelings of the victims just mentioned. In direct confrontation, people dare even less to contradict the other person or not to comply with requests. They are also less able to rely on their own gut feeling, so actions are carried out rashly.
Another reason why vishing can be very lucrative for cybercriminals is that a human voice is more likely to be believed than a digital email from an unknown sender. The awareness that employees can also be tricked via the telephone is not yet widespread in some cases.
Where do I encounter vishing in everyday life?
Vishing attacks can hit any company. Even though – unlike conventional phishing attacks – they are not spread randomly and are therefore not carried out on a large scale, threat actors are increasingly picking up the phone to contact their potential victims directly. The following motivations are at the forefront.
Possible motive number 1 – tapping information
You or one of your employees is called by cybercriminals – often under a very trivial pretext. For example, the attacker may pose as an employee of a well-known organization (such as a bank), call on behalf of a supplier, or want to sell something to your company. The questions are cleverly placed in the conversation so that the conversation partner gives information without hesitation or suspicion. The answers can then be used by the attacker to carry out spear phishing attacks or CEO fraud attacks.
Possible motive number 2 – manipulation on the phone
We also speak of vishing when employees call a fake phone number and thus unsuspectingly contact cybercriminals. Imagine you have a computer problem and are looking for a service provider who can help you with the problem. You land on a homepage and dial the number listed there. Unfortunately, at the other end of the service, it is not the support you were hoping for, but an offender. Here, you are offered solutions against payment. You may have to pay them directly. However, you do not get the hoped-for service afterwards.
Possible motive number 3 – Concrete calls to action.
The next example is very direct. The attacker contacts you or one of your employees by phone and asks him or her to take specific actions. For example, they may demand to share certain information, such as login credentials to an online service. Or a specific activity may be demanded, such as transferring a sum of money and paying an allegedly outstanding bill. If the person hesitates, pressure is put on them or they are lured with positive offers (special prices, better conditions).
How to detect vishing?
Nowadays, it is difficult to detect phishing attacks. Cybercriminals are also evolving and becoming more professional in their attacks. This is also true for vishing attacks. To detect vishing attacks, employees need to be vigilant. For example does it make sense to do a quick internet research for new contacts that you have not had contact with before to confirm the information. Does the company named exist? Does the address given exist? Can you find the person who contacted you? If your conversation partner refers to colleagues of yours, briefly check with the person in question if necessary to confirm whether the situation or exchange actually happened. A certain basic skepticism should always exist. Do not answer any questions that seem too confidential or detailed. No reputable company will ask you for passwords, tan numbers, personnel numbers, etc.
How can employees protect themselves?
To combat vishing attacks and prevent them in the long term, it is advisable to raise employee awareness. Through intensive training, you can make your employees aware of the dangers and sensitize them to the attack methods. This can be done either through training videos or through a workshop in which vishing calls are illustrated and employees can train how to deal with this type of attack.