Five Important Things to Know About Vishing

This article, originally written by Brian McDonald, originally appeared in HDI, a partner publication. 

With each new technology comes a new scam to exploit the vulnerabilities of businesses and people. Just as we were beginning to learn to adapt to password-centered hacks, vishing has become an emerging threat. Here, we ask a few questions of a security expert about this new, voice-centered cyberthreat. 

There have always been voice-centered scams. What technological advancements have made this so much more effective as a scam?

The transition from analog-based, wired telephone communication to digital Voice over Internet Protocol (VoIP) has been a huge boon for business. At the same time, it has provided a much easier pathway for bad actors using auto-dialers, pre-recorded messages, VoIP-enabled Caller ID spoofing, VoIP bandwidth, and untraceable overseas call centers to reach thousands of potential victims with little effort, cost, or risk. These are your classic scam robocall campaigns that have become so ubiquitous over the past few years.

However, voice phishing scammers, or “vishers” as they’ve come to be known, have become increasingly more sophisticated, and direct live calls from bad actors have now emerged as a much more prevalent, and more dangerous, threat. Sophisticated scammers are even using AI and voice-altering technology to further mask their identity and evade voice biometrics detection deployed by caller authentication services.

What’s more, they now have a trove of personally identifying information (PII) harvested from public records or the Dark Web to fortify their deceptions and build trust with their victims. They are masters at manipulation and use that trust to eventually con their targets into divulging account or network access information.

So yes, vishers are certainly using technology to their advantage. But it’s actually their proficiency with psychology, more than technology, that ultimately determines how successful they will be at getting what they want.

What are some examples of damage done by this scam?

Vishing attacks that result in a data breach are a threat to organizations on many levels. There is obvious financial loss if the breach results in a ransomware event or account takeover, along with costs to mitigate. If PII or customer account information is exposed, damages can be significant in terms of fines and lawsuits. In cases where the breach becomes public, there is fallout from reputational damage, customer loss and stock devaluation.

When Twitter revealed it had some of its most prominent accounts hijacked by vishers launching a bitcoin scheme back in 2020, its stock fell by $1.3 billion in a single day. Since then, Twitter has been targeted by hackers on multiple occasions, with the latest successful breach just this past January. Then there is the Robinhood hack - it was already facing a $20 million class-action lawsuit based on a 2020 hack. The following year, it was again attacked by a visher. That successful hack exposed the personal information of  one-third of its customer base.

Similarly, Twilio was victimized in 2022 by a hack perpetrated by bogus password reset instruction links sent directly to employee phones. Upon further investigation, it appears the hackers likely obtained those employee names and related cellphone numbers through an earlier vishing-perpetrated intrusion. One hack then leads to another as costs climb.

It's hard to estimate the full extent of damage but,  according to the IBM “Cost of a Data Breach 2022” report, it takes companies an average of 277 days to identify and fully contain a breach, and the average cost for full recovery tops $9.4 million.

What are some cues or warning signs that the call might be vishing?

By now, we’ve all heard enough about IRS and car warranty scams to be wary of those calls and, in fact, we have learned to simply not answer calls on our personal phones from unknown sources. But in business, it’s a whole different matter. Employees, especially in customer-facing roles, do not have the luxury of ignoring phone calls. Still, there are some red flags.

If you take a call, even if it appears to be from a trusted source and you feel you are being pressured into providing information because the matter is “urgent” or the caller is highly emotional, that is a bad sign.

Recently, vishers working with co-conspirators have been deploying a hybrid approach using an email containing credible information about the recipient and then immediately following that up with a live phone call delivering the same request so victims are more likely to trust its legitimacy. Any urgent email followed by a related phone call should be suspect.

As employees have become more alert to the signs of an illegitimate pressure campaign by a vishing caller, some vishers are now adjusting their strategy, identifying a high-value target and then making multiple friendly calls to that same person with benign requests in order to build up a rapport. Once that trust is established, they will go for what they are really after, such as password assistance, VPN access or help accessing an account.

The fact is, employees, especially those in customer-support roles, are caught balancing the need to treat callers with caution without offending a legitimate customer. We are finding the visher is a master at taking advantage of that ambiguity.

What procedures can you put in place to lessen the risk of someone in your organization falling for this scam?

Employee education is a good first step, but it should be augmented with other practices that prevent criminal exposure. You can see some of the threat-mitigation practices suggested by the FBI in its TLP:WHITE Private Industry Notification (PIN) report.

Since that report was issued, there have been a number of significant technological advances in voice traffic data analysis that can identify suspicious calls based on their SIP data and calling patterns. Unlike systems that simply label a call as suspect, an effective voice traffic filtering system that detects and deflects those calls before they ring through can significantly reduce the opportunity for bad actors to reach their human targets in the first place.

What should you do right after the call is over if you think you've fallen victim to this scam?

No one wants to admit they’ve been scammed, especially if that indiscretion could possibly lead to a security breach for the organization. But that is exactly why it is so essential that such an event be reported immediately to security personnel - the sooner a potential breach can be investigated, the less chance it has of causing real damage.

Whether preventing a breach in the first place or responding to an actual incident, security experts recommend, at the very least, organizations have the following in place:

A comprehensive incident response plan that clearly defines roles and an action plan in the event of a reported breach.

A clear message to employees of the importance of reporting any suspicious calls since attackers are likely targeting multiple individuals. To that end, any reported breach attempt should be immediately communicated companywide by the security team so other potential employee targets are on higher alert.

When receiving a report of an actual breach, internal investigators must work to determine the potential for damage, including which internal systems may have been compromised and what other agencies, such as financial institutions, vendors, or business partners, may be affected. If any PII has been exposed, the organization is legally required to report that to the affected individuals. Depending on the depth of intrusion and type of data compromised, federal agencies may need to be alerted. Specific directions should be obtained through your state’s attorney’s office since legal requirements vary by state.

As Security Officer for Mutare, Brian McDonald is responsible for company policies, technologies, and training to assure all company operations adhere to rigorous data protection and privacy measures.