What is a Vishing Attack? How to Stay Safe from it?

Phishing is the most known and common technique for data theft and hacking. However, as the day progresses, more and more new techniques evolve. Vishing is one of them, it’s phishing done or initiated over a voice call. Let’s know more about this and ways to stay safe. 

Vishing vs Phishing

While vishing and phishing are both types of social engineering attacks and use many of the same tactics, the main difference between them is the medium used to perform the attacks.

As mentioned above, vishing uses the phone to perform an attack. The attacker will call the victim or trick the victim into calling them, and verbally attempt to trick them into doing something. 

Phishers, on the other hand, use electronic, text-based forms of communication to perform their attacks. While email is the most common and well-known phishing medium, attackers can also use text messages (also called smishing), corporate communications apps (Slack, Microsoft Teams, etc.), messaging apps (Telegram, Signal, WhatsApp, etc.), or social media (Facebook, Instagram, etc.) to perform their attacks.

Different Types of Vishing Scams

Vishing attacks can be as varied as phishing attacks. Some of the most common pretexts used in vishing include:

Account related Issue: Someone may pretend to be from a bank or other service provider claiming that an issue exists with a customer’s account. They will then ask for personal information to “verify the customer’s identity.”

Fake Government Representative: A vishing attack may include an attacker masquerading as a representative of a government agency, such as the Internal Revenue Service (IRS) or Social Security Administration (SSA). These attacks are typically designed to steal personal information or trick the victim into sending money to the attacker.

Fake Tech Support: Social engineers may pretend to be tech support from large and well-known companies like Microsoft or Google. These attackers will pretend to help to fix an issue on the victim’s computer or browser but actually install malware.

How to Recognize It’s a Vishing Call?

It’s sometimes difficult for people to tell when they are being vished. Victims often don’t realize the helpful person on the other end of the phone is conning them until after they’ve handed over their credentials. However, there are some warning signs that can help them spot potential frauds.

In many cases, callers are self-appointed experts or authorities in their fields. They can masquerade as computer technicians, bankers, police, or even victims themselves.

However, if these callers are legitimate, it shouldn’t be difficult to authenticate their professional affiliation with a simple phone call. If they can’t or won’t provide the information necessary to verify their identity, they can’t be trusted. If they do provide contact info, it’s still important to independently verify the legitimacy by using an official public phone number to call the organization in question.

Although it’s tempting to give in under pressure, a frantic sense of urgency is a huge red flag. Users should take a couple of deep breaths, and then write down any information the person provides on the call without providing any details of their own. Again, they can access third-party sources to find a public phone number to call for verification.

Recipients of these calls also shouldn’t click on links in emails (phishing) or in mobile phone SMS text messages (Smishing) the person on the phone might send. Any correspondence is likely to contain “hooks” that download malware that could take control of computer systems, steal user credentials, and even spy on users.

If consumers receive unsolicited calls from anyone offering any type of computer service, they shouldn’t attempt to call back using the same phone on which they received the call.

Phone technology now exists that locks a victim’s phone line after hanging up and redirects their next calls to the fraudulent caller. People who believe an issue could be authentic should use another phone to call a publicly acknowledged phone number.

Preventing Vishing Attacks

While it’s somewhat easier to prevent phishing attacks using technology, for vishing it’s not the same as it takes place in a direct call with the user. So, prevention and awareness is the key thing here. As a person you should be aware of these scams and be protective about your personal data. Here are some advices to follow-

Never Give Out Personal Data: Vishing attacks are commonly designed to trick the target into handing over personal information that can be used for fraud or in other attacks. Never provide a password, multi-factor authentication (MFA) number, financial data, or similar information over the phone. Never ever no matter what!

Always Verify Phone Numbers: Vishers will call while pretending to be from a legitimate organization. Before giving any personal data or doing anything that the attacker says, get the caller’s name and call them back by using the official number from the company website. If the caller tries to talk you out of doing so, it’s probably a scam.

Beware of Gift Cards Trick: Vishers will commonly demand payment for unpaid taxes or other fees in gift cards or prepaid Visa cards. No legitimate organizations will request a gift card or prepaid credit as payment.

Never Provide Remote Computer Access: Vishers may request remote access to your computer to “remove malware” or fix some other issue, specially to some unknown unrecognized unauthorized person. Never provide access to your computer to anyone except verified members of the IT department.

Report Suspected Incidents: Vishers commonly will try to use the same scam on multiple different targets. Report any suspected vishing attack to IT or the authorities so that they can take action to protect others against it.