Cyber-attacks are not just part of everyday life in companies. Even when opening our private e-mail inboxes, we occasionally encounter peculiar e-mails suggesting that the addressee is required to take urgent action. The e-mail urges the addressee to update personal data, enter account information for the payout of a reward, or click on links. Phishing is by now a well-known fraud method. However, the attacks are becoming more and more elaborate. Somewhat less known, and therefore more surprising, are so-called vishing attacks. Fraudsters are coming up with a lot of new ways to obtain data from their victims.
What is vishing?
The word “vishing” is a combination of the words “voice” and “phishing”. It is an Internet fraud method in which, unlike phishing, contact is not established via e-mail or links. Instead, vishing uses personal conversations during a phone call to obtain sensitive data such as passwords or the victim’s personal information. During the phone call, the person being called may be asked to provide sensitive data or perform transactions. The scammers often build trust in their call partner, use ambush techniques, and exert pressure to obtain the data from their conversation partners during the phone call.
As with phishing attacks, attacks via phone calls have also increased significantly in the course of the pandemic. Employees are moving their work to home offices, and internal communications are also increasingly taking place in the digital world. Employees often lack opportunities to discuss suspicious emails or calls directly with their colleagues. Instead, they must rely on phone calls and emails. For fraudsters, this circumstance offers a potential opportunity for attack.
Technical and emotional manipulation
In vishing, scammers can use a combination of technical manipulation and emotional influence. The methods of approach can therefore vary widely. From a technical point of view, Voice-over-IP (VoIP) can be used both to dial a large number of different telephone numbers automatically, and thus without effort, and to manipulate the displayed telephone number in such a way that the actual origin of the call is no longer identifiable.
The scammers often pretend to be bank employees, employees of an IT company or a call center. In the course of the phone call, the fraudster can then request confidential data and make the victim believe that this data is necessary, for example, for verification or to solve a made-up problem. It is not uncommon for victims to be specifically targeted and called. In these cases, the scammer collects as much information as possible about the victim before the call, for example via social media. The information gathered can then be used to make the call appear more authentic.
How can I protect myself?
To protect yourself from vishing, a couple of measures can be helpful. It is advisable to treat unexpected phone calls with a certain degree of distrust. Never give out sensitive data such as passwords or account information on the phone, and always be aware that cyberattacks can happen anytime, anywhere.
In everyday life, more than a few people become suspicious when they receive an unexpected call. But at work, many are more careless, as unexpected calls are not that uncommon in this context. For this reason, the vishing threat is increasing tremendously in times of the pandemic and working from home. If an employee is under pressure, has a lot to do and wants to get tasks done quickly, he or she may want to finish the phone call quickly and thus may become more careless. Additionally, if the number being displayed has been manipulated and appears to be from someone in HR, for example, many may fall into the trap totally unaware of the threat. Providing internal training and establishing and adhering to clear guidelines can make a significant contribution to preventing potential damage to the company and ensuring employees are protected.
If in doubt, the person being called ought to hang up and call the person back using a telephone number he or she has researched himself or herself. However, some scammers are very clever and are constantly working on perfecting their scam. If you look up a phone number on the Internet yourself, also make sure that the websites where you find this number are not also part of the scam. In some cases, the attackers prepare their attack down to the smallest detail.
Ultimately, it is crucial to be aware of the danger and educate other people about it. By doing so, public awareness can be increasingly raised, and attacks can be prevented. If you are unsure whether you may have been the victim of an attack and have shared critical information over the phone, please notify your IT department immediately. Detected and repelled attacks should be reported as well. Such reports can also help raise general awareness and may sensitize more people to further attack attempts.
To learn more about Internet fraud methods and how to avoid them, check out our tag IT security.
Responsible for the content of this article is Stéphanie Bauens.
Given the frequent “Microsoft” calls, a great post!
Hello Jason Camel,
thank you very much for your feedback! We are very pleased that you like our post and, above all, that it is helpful.
Have a nice day and best regards,
the IT Center Blog Team