What Is a Vishing Attack, and What Does It Look Like?
Vishing attacks can take many forms, but the hallmark of vishing is unsolicited telephone calls to your employees. Usually, these phone calls pretend to be from a legitimate organization that your company may work with already. More sophisticated vishing attacks will spoof the caller ID as well. Some examples of vishing attacks include:
- The bank scam. In this vishing attack, someone calls a representative of your company, pretending to be from the bank that processes your payroll checks. The scammer then claims that something has gone wrong with the payments: perhaps there was an error or a data breach. In this scam, the scammer's ultimate goal is to get your company's banking information (which can include usernames, passwords, bank account numbers, and more).
- The IRS scam. We've all gotten those robocalls that claim to be from the IRS. Most of these vishing attacks aren't very sophisticated, opting instead to contact as many people in as short a period of time as possible, but some of them do spoof legitimate IRS phone numbers on the recipient's caller ID.
- Tech support. Vishing attacks can also impersonate your own company. This is particularly common in spear-phishing and whaling attacks. The scammer usually claims that some work needs to be done on an employee's computer, and then directs the recipient to a fraudulent website, where they download malware that infects their computer, potentially compromising the entire network.
Companies that maintain inbound call centers are at particular risk from vishing attacks, as they handle a high volume of calls daily, and many of them have policies that prohibit workers from being the ones to hang up. If you run an inbound call center, make sure to establish user verification and train your call center's employees on the threat that vishing poses to your company.
Examples of Real-Life Vishing Attacks
Vishing attacks can devastate even the largest companies. Here are just a few examples of how vishing has changed the landscape of companies that do business on the Internet.
- Perhaps the most famous vishing attack was against Twitter in 2020. This attack targeted 130 verified Twitter accounts belonging to public figures, and the attackers eventually tweeted from 45 of them, wreaking havoc from the accounts of well-known public figures.
- In 2015, Dr. Thamar Eilam Gindin (an Israeli expert on Iran) received a telephone call requesting an interview with the Persian branch of the BBC. This phone call routed her to a Google Drive document that requested her password. Once the attackers had her password, they were able to access her entire account.
- Also in 2015, a legal firm in the UK lost more than £750,000 to a targeted vishing attack. This eventually led to the solicitor in charge of the practice losing her license to practice law.
- In 2020, a vishing attack targeted AT&T. The scammers pretended to be customers who were interested in changing their mobile provider. This attack compromised AT&T users' passwords and financial information and led to the direct theft of money from the users' accounts.
How Do I Protect My Company Against Vishing?
Unfortunately, there is no way to prevent scammers from attempting to call your company. There are two primary ways to mitigate the effects of vishing: you need to train your employees to recognize the signs of a vishing attack, and you need to implement technical solutions to prevent the calls from getting through in the first place.
It's always a good idea to have regular security awareness training for all of your company's employees, regardless of their job title or responsibilities. What this training looks like will vary based on the size and particular needs of your company, but no matter what, you'll want to train your employees to never provide sensitive information over the telephone. Teach them about the forms that phishing and vishing attacks can take. If you have it in your company's budget, consider running a phishing simulation to see how many of your employees fall for it. The results may be surprising.
On the technical end of the spectrum, you can prevent scam calls from reaching your employees in the first place. You want to choose a vishing protection solution that will scale up as your company grows, and one that automates as much as possible.
What Should I Do if My Company Is the Victim of Vishing?
If your company has been the victim of a vishing attack, the first thing you should do is change any credentials (such as usernames and passwords) that have been compromised. Keep regular backups of all company systems and data. If your company's payroll information has been compromised, you will also want to set up new accounts with the bank. Alert your employees to the vishing attack, as it may be the first stage of a multi-pronged attack. Finally, you should report the vishing attack to law enforcement (especially the Federal Trade Commission and the Internet Crime Complaint Center).