What is Vishing?
Vishing is a form of a social engineering attack that is similar to phishing, except it occurs over the phone. During a vishing attack, an attacker calls up an employee and attempts to impersonate a trusted source in order to entice the end-user to either provide information or perform an action. Some of these actions can include interacting with an email, visiting a website, or even disabling security features on their system.
These types of attacks can be just as dangerous as other forms of social engineering attacks. By gaining the trust of an employee, it’s possible to use that information for future calls with other employees. The more trust an attacker gains, the higher the chances are for them to be successful with gaining access to systems or sensitive information.
Here are two examples.
The Anti-virus Vendor
Many employees are familiar with what anti-virus is. They use antivirus software at home and on their work computer, so it’s not that uncommon to expect your organization to use anti-virus. Employees know the importance of having anti-virus software running, so it’s easier for an attacker to play on this information by calling them up and pretending to be one of their anti-virus vendors, such as McAfee or Symantec.
By asking employees if they’re able to see certain things on their computer (which the attacker knows the employee won’t see), they can sometimes convince employees that their anti-virus software isn’t running, especially if they’re not even sure how to check for themselves. Depending on the effectiveness of their user awareness training, the employee may participate with the attacker’s requests with the hopes of getting their anti-virus software running again. These requests sometimes include providing the attacker with information or even performing certain actions on their computer.
The IT Department
It is extremely common for employees to experience issues with their computers. Depending on the size of the organization, they may not even know who their IT department is. That being the case, an attacker could call up your employees and ask them if they’ve had any computer issues over the last few hours or days. We find that employees who recently experienced an issue are more open to explaining the problems they had. By impersonating the IT department and listening to the employee vent, this usually results in the employee trusting the attacker.
With trust, an attacker is able to say things like, “No wonder the computer isn’t running fine. It’s because of XYZ.” After that, it’s much easier to entice an employee to provide information and perform actions on their computer.