Don’t be Vulnerable to Vishing – Identify and Mitigate Risk


In this post, you’ll learn why vishing is successful and what you can do to mitigate the risk of being vished. Vishing is a form of social engineering. Much like phishing, it can be used to manipulate people into giving away usernames, passwords and sometimes bank details.

Vishing: Exploitation by voice commands

Vishing is the act of manipulating a person into giving them sensitive information over a phone call. It can be used as a standalone attack or part of a bigger attack where it is used to gather information and provide a pretext for future attacks.

Pretext: providing a legitimate reason for doing something with a hidden intent.

Why does it work?

In short, there is no firewall for a telephone call. Unlike phishing it happens in real-time, meaning the attacker would need to be discovered trying to get information before the victim provides it. Vishing is less popular than phishing and therefore companies spend less time teaching staff how to spot a vishing attack. Also, the attacker will learn as much as they can about your business from the names of staff members to names of business partners to create a believable pretext

Another reason is a phone call has a bigger sense of immediate response compared to an email. During a phone call, people have a natural desire to respond to questions as they are asked, giving them less time to think about whether they should answer the question. In my opinion, it comes down to how people are trained to be helpful and responsive when on the phone, not to question and think about what questions are sensitive.

There is also an element of awareness, where employees are not always aware of what information is sensitive. For example, if you use a third-party IT team for all computer problems an attacker could ask for the name of this team to assist in a future pretext attack where they impersonate that IT company. During a phone call, with limited time to think, this type of information may come across as irrelevant but can result in a complete compromise of a business.

Signs of a vishing attack

Skilled social engineers will appear to blend in with very little indication that they do not belong there. However, there are signs of a vishing attack can help identify when a vishing attack is happening:

  1. There is a sense of urgency: attackers will provide the illusion of urgency making you feel you have to answer now, or you will be worse off for it.
  2. They won’t want you to call back on the “official” number: If a social engineer is posing as your IT team, they will want to give you a personal number and will suggest it is the best way to contact them.
  3. They don’t want to answer a lot of questions: An attacker will try to respond with generic answers so they can keep to the pretext they have developed.
  4. They will be nervous: This will be more likely with inexperienced social engineers who are not confident in portraying their pretext.

How to protect yourself and your business against vishing attacks

  1. Conduct vishing tests against employees to see how they respond when asked for sensitive information. This will help you understand where your weaknesses are.
  2. Conduct workshops to train employees on how to spot and deal with a vishing attack. This will increase their effectiveness in preventing vishing attacks from acquiring information.
  3. Setup secret phrases that change daily that only employees and specific third-party companies can access. This makes it harder for an attacker to successfully impersonate employees and third-party companies.

How Risk Crew can help

Risk Crew provides a portfolio of services that can help you mitigate the risk of vishing within your business. The eRiskology staff awareness programme will educate your employees to identify vishing and other attacks. This robust programme creates a cyber-secure culture within your organisation. We also provide Social Engineering testing that benchmarks the security awareness level of your end-users to give you insight into where your weaknesses lie and provide remediation recommendations.

CREST Penetration Testing

Risk Crew