Knowledge Base

How to detect a vishing attack

Last Updated On October 14, 2018


Suggested Read (1):
What is Vishing?

The main objective of a vishing attack is to extract confidential or sensitive information from you over the phone. To get there, the attacker must first gain your trust and put you at ease before asking the questions that actually matter to them.

A vishing attack can easily catch you off guard, especially because so much information about you and your organization is already publicly available and most people don’t expect to be targeted. There are still a few ways to improve your chances of detecting one. If the call is unexpected, ask yourself the following questions:

  1. Is the phone number on the caller ID legitimate? (Caller ID can be spoofed, so a familiar-looking number proves nothing on its own, but an unfamiliar or blocked number is still a useful warning sign)
  2. What do they want to know, and why would a legitimate caller need it?
  3. If they are asking for something sensitive, can they verify information that only internal employees should know? (Keep in mind that an attacker may have gathered some of this from public sources or from earlier calls to your colleagues)

While this is not a comprehensive list, the idea is to question everything about the caller: their motives, their questions, their calling number, and so on. The more you can validate before handing over any information, the better.

Tips to remember

In addition to the aforementioned questions to ask, these general rules should always be followed:

  • Never give your password out over the phone or by email. A request for it is an immediate red flag.
  • Offer to call them back, and dial a number you look up yourself (the internal directory, the organization’s official website, the back of your bank card) rather than the number shown on caller ID. Attackers can spoof any number, so calling back the displayed number may still reach the attacker; calling an independently verified number ensures you reach the real organization.
  • Before you provide any sensitive data, verify the caller’s identity to the best of your ability.

Lastly, if you’re still suspicious of the phone call, simply do not follow the caller’s instructions. Manufactured urgency and claims that the request comes from upper management are classic pressure tactics, but you can always hang up and check with your manager or your IT department directly if something feels wrong.

Remember, it’s better to be safe than sorry. If you have to go through extra steps to verify a caller instead of simply handing over information, it is well worth it.