28.07.2020

Attention, vishing!


No, we didn’t make a mistake. This really is about so-called “vishing”. Vishing is a special form of phishing; the term is a blend of “voice” and “phishing”. Just as with traditional phishing, private, sensitive, or confidential information is extracted from a person under false pretenses. In contrast to phishing, however, the affected person is not contacted by e-mail, but by telephone.

In recent months, the number of cyberattacks has increased significantly and cybercriminals are increasingly relying on vishing. The reason for this is that companies and their employees have recognized the danger posed by conventional phishing attacks, and thus by e-mails or fake websites, and have integrated important prevention measures and training into their everyday work. Cybercriminals therefore have to come up with new methods to elicit sensitive information from their victims.

What is the danger?

The so-called “vishers” are extremely clever in their attacks. They take advantage of situations that seem normal and harmless to people. Calls from private or suppressed numbers, as well as calls from a call center or customer hotline, are almost part of the daily routine. How many times have you had to state your birthday, address, or simply your name so that your details could be matched? Even though these calls are often harmless, the routine way we handle phone calls of this kind means that vishers often have an easy time getting hold of very confidential information.

How do the cybercriminals go about it?

Cybercriminals slip into different roles. The Sparkasse is currently warning of vishing incidents. Here, the fraudsters pretend to be employees of the savings bank and ask their victims to disclose their card number, telephone number or TANs, which they receive on their mobile phones during the phone call. If you ever get into such a situation, break off the call and hang up immediately. No reputable bank will ask you for your card or TAN numbers by phone.

Or imagine the following situation: The phone rings and an IT professional is on the other end of the line and tells you that your computer is infected with a virus. It is now very important to react quickly to prevent the virus from paralyzing the entire company network. The IT expert would like to carry out remote maintenance with you in order to install the required diagnostic software on your computer and thus be able to solve the problem. However, he needs your password for this.

Similar to traditional phishing, the perpetrators play on the emotions of their victims by manipulating the situations in their favor. First, trust is built. This trust is created by the fact that the perpetrator appears in a role whose authority is often not questioned, e.g. that of a police officer, a bank employee or an IT expert. If the trust created is not enough to get the desired information, the victims are put under pressure by triggering fear and panic in them. This encourages the affected persons to act rashly and hastily.

What can you do to protect yourself from vishing?

A healthy amount of mistrust is never wrong. Question the caller, no matter how official the organization they claim to be calling from may be. Vishing perpetrators try everything to lull you into a sense of security and get confidential information from you along the way. Protect yourself by contacting another person who can confirm the case or concern to you. Prevention is better than cure! In general, however, the following applies: Never share confidential information such as account details, PINs or passwords on the phone.

What is the right thing to do if you have passed on sensitive information?

If you do fall for a vishing attack, you should act quickly but carefully. Acting hastily can cause further damage. Tell your IT department immediately what information you’ve shared. If you have passed on passwords, change them immediately. If you use one of the disclosed passwords for several programs or applications, change the password for these services as well. It is important that you do not use this compromised password in the future.

If you have any questions about passwords, Perseus can help. Read detailed articles about password security and the password manager here.