Vishing: Definition and Prevention

December 21, 2022

What Is a Vishing Attack?

Vishing attacks typically use false caller ID profiles to appear as legitimate organizations when they call you. The attacker will try to get as much personal information as possible, and in some cases can get enough to steal your identity. Vishing attacks can be recognized and avoided once you understand how they work. You can take measures to prevent vishing from causing any harm, and you can recover if you’ve already been a victim of vishing.

Vishing and phishing attacks differ mostly in how they interact with a potential victim. Vishing uses phone calls or other voice messaging to convince individuals to provide private information. Once an attacker has your phone number, they will make a call pretending to be a legitimate entity. So, what exactly is a vishing attack, and why do attackers use it?

Vishing and Its Objectives

Vishing, a voice phishing attack, is the fraudulent use of phone calls and voice messages pretending to be from a reputable organization to convince individuals to reveal private information such as bank details and passwords. A vishing attack can also be used against businesses when attackers pretend to be internet service employees to gain access to that business’s passwords and information.

The goal of a vishing attack is to convince the target to provide information the attacker can use for financial gain. This can range from stealing a credit card to stealing an individual’s identity. The goals of vishing when targeting a business are similar — for financial gain — but are often more interested in gaining information about security measures for future attacks. So how do these attackers get your number, and how can they convince people to give away this sensitive information?

How Does a Vishing Attack Work?

A vishing attack tends to follow these three steps:

1. Garner Phone Numbers

Typically, this happens through other phishing methods or by reaching private data stored by businesses where people are likely to have given their phone numbers, such as restaurants or retail stores. Sometimes attackers will use software that calls multiple people using a phone number with the same area code hoping someone picks up, confirming their number. When a vishing attack occurs the caller ID profile is fake, making the call seem to be from a local area code or a trusted organization such as a bank.

2. Garner Trust

Whether pretending to be a credit card company, a delivery business or a utility service, the deception is designed to garner trust. This is often combined with an urgent request such as, “an unauthorized user has used your credit card, confirm your identity now to stop charges.” The goal of these urgent messages is to panic the potential victim into responding without confirming the information.

3. Retrieve Personal Information for Financial Gain

If the vishing attack is successful, the attacker will then use the retrieved personal information for financial gain. This could be using a stolen credit card number for purchases or even filing for a new credit card. With the right information, an attacker can steal your identity or empty your bank accounts. Being able to recognize a vishing attack can help prevent attackers from stealing your money.

How to Recognize Vishing Attacks

To recognize a vishing attack you need to understand the ways attackers will try to deceive you and what their goals are. Knowing things that might make you a target, such as a recent technical issue at a business or suspicious emails, can help you keep up your guard. Vishing attacks are designed to get private information and can target individuals and businesses. Being able to recognize a vishing attack in progress is your best defense.

Whom Do Vishing Attacks Target?

When targeting a business, vishing attacks focus on new employees, human resources departments, IT departments and call centers. New employees and employees responsible for making calls to other organizations are at higher risk of being targeted. Vishing scammers will often pretend to be technical support and try to convince someone to provide access to computers. Sometimes these attackers will have potential victims install software with malicious code to gain further access to the business.

When targeting an individual, vishing attacks often focus on average consumers who are likely to have an account with a major bank or delivery service. Vishing attacks will often be vague on details to avoid revealing the attacker’s fraud. After all, convincing someone that their bank account is at risk doesn’t work if they name the wrong bank. Attackers will use fear, greed and panic to stop you from recognizing these attacks.

What Are Vishing Warning Signs?

Vishing attacks share many of the same indicators phishing attacks display, which can help you recognize them. These include asking for sensitive information, trying to panic the potential victim and claiming to represent a government agency. Some common pretexts attackers use for asking for your information include account issues and technical support.

The main warning sign of a vishing attack is the caller asking for your information. Some attackers will already have partial information and use that to convince you to share what they don’t know. Always be wary of a caller asking for bank account information, your social security number or other identifying details.

Finally, be aware of the psychological tactics that vishing attacks will use: fear, greed, and a sense of urgency. Threats of imminent arrest or urgent problems with your account are designed to make you act before verifying. Keeping calm when these calls happen and hanging up are the main ways to avoid vishing attacks.

Avoiding and Preventing Vishing Attacks

The most important action to take to avoid vishing attacks is to keep your cool and not divulge private information. This strategy works well against vishing scammers because it stops their attack in its tracks. For a business, there are additional steps you can take to make sure employees take the right actions to protect the business. Preventing a vishing attack can be as simple as hanging up the phone, but there are additional measures to help avoid them.

4 Tips to Avoid Vishing Attacks

  • Keep Information Quiet: Don’t divulge login information and passwords, never share passport or driver’s license information. This will keep your accounts and identity safer.
  • Join the National Do Not Call Registry: This is a free service that removes your phone number from unsolicited phone call lists. While vishing attackers don’t honor this list, any unknown caller is then less likely to be legitimate, since upstanding organizations should not be calling a registered number.
  • Verify Unknown Numbers: Use mobile applications to verify any unknown number that calls you.
  • Let Unknown Calls Go to Voicemail: Alternatively, you could let unknown calls go to voicemail, then call the party back directly. If it looks like your bank is calling but you are suspicious, call the bank directly and see if it contacted you. Being careful might cost you some extra time, but that cost is better than giving away valuable personal information.

How Businesses Can Prevent Vishing Attacks

The best business tactic to prevent vishing is to practice good cybersecurity. This can start with security awareness training for new employees so they understand the danger vishing attackers can present to a business. Make sure employees know not to give access to their computer except to verified technicians.

By reporting suspected incidents and hanging up when you receive a possible vishing call, you can prevent vishing attacks from succeeding. Successful vishing attacks against businesses can lead to further security risks, so prevention is key. However, if you have already experienced a vishing attack, there are still ways to recover.

How to Recover From a Vishing Attack

The process of recovering from a vishing attack differs depending on when you realize it’s a scam. During an attack or in the immediate aftermath are the best times to react, but recovery is still possible after harm has been done. Reporting the crime is always a good place to start.

Steps to Take While a Vishing Attack Is in Progress

If you are on a phone call and you realize it’s a vishing attack, hang up! Vishing scammers can’t gain access to your computer or personal information if you don’t give it to them. You can always report the number after hanging up and should especially do so if the target was business information.

Steps to Take for Victims of Vishing

For those who have already given their information away due to a social engineering attack such as vishing, there are still steps you can take. The first is to change all your passwords, call your financial institution and report the crime. The Federal Trade Commission accepts reports of vishing. Whatever sites and services hold the information you gave away need priority attention.

Some accounts use multifactor authentication, and others let you know when a new device accesses your account. Check on these safety measures to make sure they’re still functioning. You should also contact any service providers who have your compromised information, such as credit card companies and banks. Taking these steps should minimize the future harm done by vishing attacks.

Stay Safe from Attackers

Staying safe from vishing attacks means keeping your personal information secure. This is especially important when dealing with an unknown or suspicious caller. If you suspect a potential vishing attack is occurring, hang up and report the incident. Whether at work or at home, recognizing and avoiding vishing attacks is the best way to stay safe from this type of attacker.

CrowdStrike can help you learn more information about these kinds of attacks. It also provides services that can improve cybersecurity to help prevent vishing and phishing attacks from being successful.