Cybercrime in the Form of a Phone Call
So often, when people hear the term cybersecurity, they think of digital attacks against electronic information systems secured by sophisticated software. Though this description is accurate, it isn’t comprehensive. Cybersecurity also includes non-digital elements, such as physical security and human psychology. In fact, one of the most common cyber scams, known as phishing, relies on deception to manipulate people into sharing confidential or personal information through email.
Now, cybercriminals are leveraging similar tactics to execute vishing attacks.
What is vishing?
Vishing is the act of using deception and manipulation, also referred to as social engineering, over the telephone to gather sensitive, often private, information about a target. The information is then exploited for financial gain. This mode of criminal activity has taken various names in the past, such as voice solicitation, phone fraud, and voice fraud. With the increase in such activity over the past decade and its similarity to email phishing techniques, the new term vishing emerged (a combination of voice and phishing).
Case Study: Boulder Valley School District, Colorado
A nearly $1 million vishing attack against the Boulder Valley School District is an example of how cybercrime crosses from the digital world into the real world. The district hired the Adolfson and Peterson Construction Company to oversee a significant campus upgrade project. In August 2017, the accounts payable department received a call from someone claiming to be an Adolfson and Peterson representative. The caller convinced the department to redirect $850,000 to a bogus bank account created by cybercriminals. Though the theft occurred digitally, the initial attack was launched over the phone using sophisticated social engineering.
How does vishing work?
Vishing scams can use multiple social engineering tactics to convince people to share sensitive information. Each tactic relies on the target believing compliance is in their best interest or the organization’s best interest.
Criminals make it look as though they are calling from a number you are familiar with or a number in your area code, a practice known as spoofing. This may lead you to think the call is coming from an unsaved local contact or colleague’s number. Additionally, criminals can spoof your phone number and call financial institutions or other third parties that you or your organization do business with and try to obtain sensitive information.
After you answer the phone, attackers pretend to be a trusted representative from a technical support desk, contractor, financial institution, internet/cellular service provider, or even law enforcement. By assuming the persona of someone you should trust, they apply pressure to elicit sensitive and valuable information from you.
Vishing attackers often take advantage of fear to motivate you to share valuable data. They might claim your computer is infected or the organization owes past-due payments to a contractor. Frequently, they substantiate these claims with circumstantial evidence and complicated technical language to further convince you of their legitimacy.
If you fall for one of these social engineering tactics, criminals close the deal in a few different ways. You might be directed to visit a “help” website that infects your machine with malicious software. In other cases, you could be instructed to change banking information, as in the Boulder school district case study. There are also many reports of attackers increasing the pressure and demanding credit card or bank account numbers for further “support” or “processing.”
So now that we know how vishing attacks work, what can we do to keep them from succeeding?
- Stay vigilant: Beware of calls and texts that come from unidentified numbers. Even numbers that look vaguely familiar are often spoofed to establish your trust. Also, remember that information technology support representatives do not call you unsolicited. Unsolicited calls that request personal and sensitive information should immediately raise your suspicions.
- Hang up and call back: If you receive an unsolicited call requesting sensitive information or encouraging you to take action, it is okay to end the conversation and call back later. Maintaining an up-to-date, verified contact list and being the person to initiate contact with technical support representatives, third-party vendors, and financial institutions can reduce your exposure to these sorts of scams.
- Anticipate: Identify departments such as accounts payable, human resources, and finance in your organization that would most likely be targeted by vishing attacks. These departments should receive additional training to enable them to identify and respond to suspicious calls. Running practice drills can help instill in personnel the confidence to call out scammers.
- Question motives: Think about the caller’s motives, especially those of unanticipated or unidentified callers. Why do they need the information they are asking for? Why do they not already have it? Pausing to question the caller’s intentions can prevent employees from giving up sensitive information that could be exploited.
Have Cybersecurity Questions?
Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or firstname.lastname@example.org.
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.