Vishing – a portmanteau of voice and phishing – attacks are performed over the phone, and are considered a type of a social engineering attack, as they use psychology to trick victims into handing over sensitive information or performing some action on the attacker’s behalf.

How Vishing Works

One common tactic is the use of authority. For example, the attacker may pretend to be from the IRS pretending to be calling to collect unpaid taxes. The fear of arrest can cause victims to do what the attacker tells them to. These types of attacks also commonly involve payment via gift card, and have cost victims $124 million in 2020, in the US alone.

What Is the Difference Between Vishing and Phishing?

While vishing and phishing are both types of social engineering attacks and use many of the same tactics, the main difference between them is the medium used to perform the attacks.

As mentioned above, vishing uses the phone to perform an attack. The attacker will call the victim – or trick the victim into calling them – and verbally attempt to trick them into doing something. Phishers, on the other hand, use electronic, text-based forms of communication to perform their attacks. While email is the most common and well-known phishing medium, attackers can also use text messages (called smishing), corporate communications apps (Slack, Microsoft Teams, etc.), messaging apps (Telegram, Signal, WhatsApp, etc.), or social media (Facebook, Instagram, etc.) to perform their attacks.

Types of Vishing Scams

Vishing attacks can be as varied as phishing attacks. Some of the most common pretexts used in vishing include:

  • Account Issue: A visher may pretend to be from a bank or other service provider claiming that an issue exists with a customer’s account. They will then ask for personal information to “verify the customer’s identity.”
  • Government Representative: A vishing attack may include an attacker masquerading as a representative of a government agency, such as the Internal Revenue Service (IRS) or Social Security Administration (SSA). These attacks are typically designed to steal personal information or trick the victim into sending money to the attacker.
  • Tech Support: Social engineers may pretend to be tech support from large and well-known companies like Microsoft or Google. These attackers will pretend to help to fix an issue on the victim’s computer or browser but actually install malware.

How to Prevent Vishing Attacks

Like other social engineering attacks, user awareness is essential for prevention and protection. Some important points to include in cybersecurity awareness training are:

  • Never Give Out Personal Data: Vishing attacks are commonly designed to trick the target into handing over personal information that can be used for fraud or in other attacks. Never provide a password, multi-factor authentication (MFA) number, financial data, or similar information over the phone.
  • Always Verify Phone Numbers: Vishers will call while pretending to be from a legitimate organization. Before giving any personal data or doing anything that the attacker says, get the caller’s name and call them back by using the official number from the company website. If the caller tries to talk you out of doing so, it’s probably a scam.
  • No-One Wants Gift Cards: Vishers will commonly demand payment for unpaid taxes or other fees in gift cards or prepaid Visa cards. No legitimate organizations will request a gift card or prepaid credit as payment.
  • Never Provide Remote Computer Access: Vishers may request remote access to your computer to “remove malware” or fix some other issue. Never provide access to your computer to anyone except verified members of the IT department.
  • Report Suspected Incidents: Vishers commonly will try to use the same scam on multiple different targets. Report any suspected vishing attack to IT or the authorities so that they can take action to protect others against it.

Like phishing attacks, training-based vishing prevention is imperfect. There is always the potential for an attack to slip through. However, unlike phishing, vishing is difficult to prevent using technology. Since vishing occurs over the phone, detecting potential attacks would require eavesdropping on all phone calls and watching for warning signs.

For this reason, organizations should address vishing attacks by implementing defense in depth and focusing on the attacker’s objectives. In a corporate context, a vishing attack may be designed to infect an employee’s system with malware or provide the attacker with access to sensitive corporate data. The impact of a vishing attack can be mitigated by putting solutions in place that prevent an attacker from achieving these goals even if the initial attack vector (i.e. the vishing phone call) is undetectable.

Check Point offers a range of solutions that can help organizations to mitigate vishing, phishing, and other related attacks. Check Point’s Harmony Email and Collaboration includes anti-phishing protections and can help detect attempted data exfiltration inspired by a vishing attack. To learn more about how Check Point can protect your organization against social engineering threats, you’re welcome to request a free demo today.