Vishing

What is vishing?

Vishing is a special form of phishing. As with conventional phishing, the aim is to trick people into disclosing sensitive or confidential information or into carrying out actions that benefit the attacker. The difference is the channel: instead of contacting victims by email, the attacker calls them on the telephone. Hence the name “vishing”, which combines the English words “voice” and “phishing”.

Like other phishing methods, vishing is a form of social engineering. It deliberately appeals to the target’s emotions, both positive and negative: fear, doubt, curiosity and shame are triggered specifically in order to get people to act in the attacker’s interest.

Why is vishing particularly dangerous?

The direct contact of a live telephone conversation intensifies the emotions just mentioned. In a real-time exchange, people find it even harder to contradict the other party or to refuse a request, and there is no natural pause in which to reflect or consult a colleague, as there would be with an email. Gut feeling is pushed aside and actions are carried out rashly.

Another reason why vishing is lucrative for cyber criminals is that a human voice is more readily believed than an email from an unknown sender. In many organizations, the awareness that employees can be deceived over the phone just as easily as by email is not yet widespread.

Where do I encounter vishing in everyday life?

Vishing attacks can affect any company. Although they are not spread on the same mass scale as conventional phishing emails, threat actors are increasingly using the telephone to contact potential victims directly. The following motives are the most common.

Possible motive number 1 – gathering information

You or one of your employees receives a call from a cyber criminal, often under an innocuous pretext. The caller may claim to work for a well-known organization (e.g. a bank), to be calling on behalf of a supplier, or to want to sell something to your company. Questions are slipped into the conversation so that the person on the other end gives away seemingly harmless details (who is responsible for what, which service providers are used) without hesitation or suspicion. The attacker can then use these answers to prepare spear phishing or CEO fraud attacks.

Possible motive number 2 – manipulation on the phone

Vishing also occurs when employees themselves call a fake telephone number and unknowingly reach cyber criminals. Imagine you have a computer problem and are looking for a service provider who can help. You find a website and dial the number listed there. Unfortunately, it is not the support team you hoped for that answers, but an offender. You are offered a solution for a fee, which you may be asked to pay immediately, and you never receive the service you paid for.

Possible motive number 3 – Concrete calls to action

The next example is very direct. The attacker calls you or one of your employees and asks for specific actions. This may be passing on certain information, such as login details for an online service, or carrying out a specific action, such as transferring a sum of money or paying an allegedly outstanding invoice. If the person hesitates, the caller applies pressure (urgency, threats of consequences) or offers incentives (special prices, better conditions).

How can you recognize vishing?

Phishing attacks are difficult to recognize these days: cyber criminals keep evolving and are becoming more professional, and this applies to vishing as well. Employees therefore need to stay vigilant.

For callers you have had no previous contact with, a brief internet search to confirm the details is advisable. Does the company named exist? Does the address given exist? Can you find the person who contacted you? Bear in mind that the number shown on your display is no proof of identity, since caller ID can be spoofed. The most reliable check is to end the call and call back on a number you have obtained independently, for example from the company’s official website or an existing contract, never on a number the caller gives you. If the caller refers to one of your colleagues, briefly ask that colleague whether the situation or exchange actually took place.

A certain basic skepticism should also prevail during the conversation. Do not answer questions that seem too confidential or detailed, and do not let urgency or pressure push you into acting on the spot. No reputable company will ask you for passwords, TANs or other one-time codes, personnel numbers or similar data over the phone.

How can employees protect themselves?

To combat vishing attacks and avoid them in the long term, it is advisable to raise employee awareness. Training makes employees aware of the danger and familiar with the attack methods. This can be done with training videos or in a workshop in which typical vishing calls are played out and employees practise how to respond: staying calm, asking questions, refusing to give out information, and ending the call in order to verify the caller through an independent channel. Employees should also know that they are allowed to do this, even with a supposed superior on the line, and whom to report a suspicious call to.