Vishing – a portmanteau of voice and phishing – attacks are performed over the phone, and are considered a type of a social engineering attack, as they use psychology to trick victims into handing over sensitive information or performing some action on the attacker’s behalf.
One common tactic is the use of authority. For example, the attacker may pretend to be from the IRS pretending to be calling to collect unpaid taxes. The fear of arrest can cause victims to do what the attacker tells them to. These types of attacks also commonly involve payment via gift card, and have cost victims $124 million in 2020, in the US alone.
While vishing and phishing are both types of social engineering attacks and use many of the same tactics, the main difference between them is the medium used to perform the attacks.
As mentioned above, vishing uses the phone to perform an attack. The attacker will call the victim – or trick the victim into calling them – and verbally attempt to trick them into doing something. Phishers, on the other hand, use electronic, text-based forms of communication to perform their attacks. While email is the most common and well-known phishing medium, attackers can also use text messages (called smishing), corporate communications apps (Slack, Microsoft Teams, etc.), messaging apps (Telegram, Signal, WhatsApp, etc.), or social media (Facebook, Instagram, etc.) to perform their attacks.
Vishing attacks can be as varied as phishing attacks. Some of the most common pretexts used in vishing include:
Like other social engineering attacks, user awareness is essential for prevention and protection. Some important points to include in cybersecurity awareness training are:
Like phishing attacks, training-based vishing prevention is imperfect. There is always the potential for an attack to slip through. However, unlike phishing, vishing is difficult to prevent using technology. Since vishing occurs over the phone, detecting potential attacks would require eavesdropping on all phone calls and watching for warning signs.
For this reason, organizations should address vishing attacks by implementing defense in depth and focusing on the attacker’s objectives. In a corporate context, a vishing attack may be designed to infect an employee’s system with malware or provide the attacker with access to sensitive corporate data. The impact of a vishing attack can be mitigated by putting solutions in place that prevent an attacker from achieving these goals even if the initial attack vector (i.e. the vishing phone call) is undetectable.
Check Point offers a range of solutions that can help organizations to mitigate vishing, phishing, and other related attacks. Check Point’s Harmony Email and Office includes anti-phishing protections and can help detect attempted data exfiltration inspired by a vishing attack. To learn more about how Check Point can protect your organization against social engineering threats, you’re welcome to request a free demo today.