Vishing Attack: A Guide to Beating the Disguise

Cybersecurity threats take many forms. Attackers often use technology, like emails or websites, to steal login credentials and other data. Sometimes, they use vulnerable software and exploit those flaws to install malware. Cybercriminals may use a mix of different techniques to carry out a cyberattack. One of the simplest cyberattacks involves manipulating victims through a phone call, resulting in data and financial theft as well as malware infections. Vishing or voice phishing is surging, increasing by 442%, according to a recent CrowdStrike report.
What is Vishing?

Companies often focus on email and text phishing (Smishing), but voice phishing or vishing is a serious threat. Vishing uses phone calls, voice messages, or other audio communications to trick victims into carrying out tasks that benefit the attacker. These can include paying fictitious invoices, providing financial information, or sharing confidential data, including login credentials.
Vishing is a type of impersonation attack. Threat actors use tactics like ID spoofing and deepfakes to impersonate a trusted person or organization, like a company executive or a government body. Vishing is often highly targeted and sometimes known as voice spear phishing. Other times, vishing attacks may target a broader population, basing the attacks on familiar themes like tax season, when people expect to deal with the IRS or another tax authority. Highly targeted vishing campaigns may use the dark web to gather intelligence on the target. Publicly exposed voice excerpts may be bought and sold on the dark web, allowing cybercriminals to create deepfakes of company executives. In all cases, the vishing attacks are used to socially engineer the victims into conforming to the attacker's requirements.
Social engineering is a central part of many cyberattacks. Being able to manipulate human behaviors, like conforming to work ethics and reacting to a trusted person, allows cybercriminals to open doors. The Social Engineering Community runs a Vishing Competition to show how easy it is to manipulate people using a phone call.
Common Vishing Scenarios
Common vishing scenarios include the following:

C-Level Executive Impersonation
Company executives are often used to target employees in an organization. The outcome is typically financial theft. Cybercriminals will gather intelligence on the executive, often using the dark web or publicly available information. Using this intelligence, they create highly targeted vishing campaigns to execute crimes and extract money from employees in departments like accounts payable. As generative AI has entered the landscape, deepfake voice scams have become increasingly used for vishing attacks. Cybercriminals only need a 30-second clip to create a convincing deepfake audio.
Help Desk or IT Spoof Calls
Vishing scams are frequently used to steal sensitive data, like login credentials. These scams often include spoofed help desk or IT support calls. Employees are manipulated into sharing login credentials or downloading malicious software, which can result in account takeover (ATO). In one recent attack, callers posing as tech support used a Microsoft Teams voice call to trick users into handing over login credentials, which were then used to install ransomware.
Authority Spoofing
Authorities like the IRS, Medicare, Social Security, and other government bodies are ideal brand targets to help make a vishing attack successful. Caller ID Spoofing is used by cybercriminals to disguise their number to make it look like it is from a trusted, authorized organization. The goal is financial theft and data theft.
Deepfake Audio Message via WhatsApp
Vishing is not limited to live phone calls; any fake audio can be used. Recently, WhatsApp has been used to carry out vishing attacks. One LastPass employee received what he thought was a voice message from the company CEO on WhatsApp. Fortunately, this time, the employee was security aware enough to recognize the signs that he was being socially engineered.
Why is Vishing so Dangerous and Successful?

Social engineering attacks manipulate human behavior. For example, an attacker posing as a trusted person may create a sense of urgency; it is natural for someone in that situation to try to perform the requested action quickly. This knee-jerk reaction means that the victim is less likely to be cautious. In other words, social engineering uses psychological methods to control and manipulate people.
Vishing is part of a social engineering attack. Cybercriminals create highly believable audio clips or use phone calls to impersonate someone the victim trusts. Establishing this trusted relationship adds weight to the attack scenario, helping to ensure a successful outcome.
Vishing has another dangerous success factor available - the ability to help bypass MFA (multi-factor authentication). During a vishing call, the attackers trick users into entering their login credentials to a bank or other login portal, such as Microsoft 365, etc. The attackers steal these credentials from the spoof website after they are entered. The attackers then enter them into the real site and generate an MFA response; this will go to the victim's phone. The attackers then encourage the victim to click accept or share the code. The attackers can then access the real account on the legitimate website.
Vishing Outcomes
Vishing attacks have multiple potential outcomes, including the following:

Business Email Compromise
Business Email Compromise (BEC) scams are used to trick company employees into sending money to a hacker's bank account. A BEC deepfake vishing attack involved a UK energy company's Managing Director (MD), who was tricked into transferring €220,000 (USD 243,000) to a cybercriminal. The MD received a phone call that used the voice of the group CEO requesting that the funds be urgently transferred.
Fraud
Fraudulent tax-payment scams cost US citizens and businesses $30 million annually. Individuals and companies receive vishing calls from fraudsters pretending to be from the IRS, convincing them that they have outstanding tax payments and threatening prosecution if they do not pay. The money goes to the fraudster's bank account.
Ransomware Attack
Vishing is often an initial element in a multi-part attack that ends in malware infection. Cisco was a recent victim of a vishing attack. The cybercriminals were ransomware attackers who used vishing to bypass MFA and gain initial entry.
Account Takeover (ATO)
Twitter (now X) employees were the targets of a vishing attack that resulted in account takeovers affecting notable persons such as Joe Biden and Elon Musk. At the time, the attackers also targeted hundreds of other companies, and hundreds of employees at those organizations.
How to Educate Employees on the Dangers of Vishing

Vishing is about social engineering. Without the ability to manipulate and trick people into believing a conversation is real, vishing would not work. Therefore, educating employees is one of the best ways to tackle vishing. Security awareness training is an educational program comprising various elements like interactive videos, quizzes, role-playing, workshops, and often simulated phishing exercises to teach employees how to identify when they are being phished.
Security awareness training should include vishing awareness components. These components will train employees about how vishing works, its outcomes, and how to identify potential vishing attacks. Vishing awareness should also include vishing simulation exercises, which create simulated vishing scenarios using spoof phone calls to test employees' reactions.
Other Measures to Protect Against Vishing
As well as vishing awareness training, companies should introduce the following measures to mitigate vishing attacks:
Checks and Balances
Create processes to double-check money transfers or when sharing confidential or personal information.
Dark Web Monitoring
Use a dark web monitoring tool, like Sentinex, to check for any stolen voice snippets that could be used to clone voices. Dark web monitoring tools can also be used to identify any stolen company data that could be used to target a company.
Limit Voice Exposure on Public Platforms
Limit voice-based media online to reduce the chance of a deepfake voice being created. This is especially important for executives.
Robust Identity Management
Passwordless or biometric login can limit exposure if login credentials are stolen. Also, the enforcement of least privilege access, where access is controlled on a need-to-know basis, can help mitigate some attacks if a vishing attack successfully socially engineers an employee.
FAQs

What Do Vishing, Smishing, and Phishing Have in Common?
Vishing and smishing (text-message-based phishing) are both forms of phishing. Phishing is a tactic used by cybercriminals to manipulate individuals into performing a task that benefits the attacker. Tasks include clicking on malicious links, providing login credentials to attackers, and agreeing to hand over money or data. Vishing, smishing, and phishing all involve some form of social engineering/behavior manipulation.
Why Are Deepfakes Used in Vishing?
Vishing attacks benefit from abusing trust between people, for example, an employee's trust in a company executive. Deepfakes use an original snippet of the voice of that trusted person and AI to manipulate the voice in real time to trick the victim into believing it really is the voice of their CEO.
Why is it Important to Educate Employees About Vishing Attacks?
Vishing depends on manipulating human behavior. As such, vishing awareness training is essential for preventing these attacks from exploiting a company's resources or causing other damage, like ransomware infection. Vishing awareness training educates employees about how vishing attacks work, giving them the knowledge needed to identify the attack and stop it before it becomes an incident.