It’s called Voice Phishing, or more simply, Vishing. That’s where a threat agent, either working alone or as part of an organized cybercriminal gang, manages to contact an individual by phone and con them into divulging protected information or account login credentials. These bad actors are experts and use an array of social engineering techniques to get what they want.
The Rise of Vishing
While vishing has been a common practice in the consumer world (think car warranty or IRS robocall scams), criminals are increasingly turning their attention to the far more lucrative target of company employees. And they are meeting with a surprising level of success as evidenced by a startling rise in reported attacks over the past several years punctuated by a recent string of high-profile vishing-enabled hacks inflicted on the likes of Twitter, Twilio, Cisco, Robinhood and Uber (and those are just some of the ones that have made it into the public eye – let’s face it, most organizations are loath to reveal they have been hacked unless forced to).
What’s at Stake in a Vishing Breach?
In all of those cases, the victimized companies have dealt with, or are still dealing with, the fallout from the resulting data breaches: operational disruption, mitigation costs, reputational damage, stock price hits, even lawsuits and fines for failing to adequately protect customer PII. And the damage is not over, because data harvested in these attacks will likely be used to perpetrate future crimes. One hack leads to another.
So why, with companies spending enormous sums to secure their IT infrastructure and digital networks (an estimated $172 billion), can’t the threat of voice phishing be stopped?
The answer is simple: cybercriminals have discovered that humans are far easier to crack than firewalls.
A recent study found that more than 37% of vishing attempts succeed in getting the desired action out of their unsuspecting human targets. When the call is combined with a phishing email (hybrid phishing/vishing), the success rate rose to 75%.
Add to that the findings of a Stanford University study in which 50% of surveyed employees admitted they were “very” or “pretty” certain they had made mistakes at work that could have led to a security issue for their company. Combined with the fact that nearly half of US organizations reported a data breach in the past year, the conclusion is clear: humans are the critical weak link in enterprise cybersecurity defense.
Vishing as a criminal craft has evolved steadily as personal data has become easier to obtain. Perpetrators have long been able to spoof their Caller ID so the call looks familiar to the target (in “neighbor spoofing”, the forged number shares the target’s own area code and exchange, so it appears to be a local call). Now they also lend credibility to their impersonations, once contact is made, by drawing on personal information harvested from social media or from the Dark Web’s vast repositories of stolen data. Add skillful psychological manipulation (social engineering), and their attempts to coax valuable information out of their human targets all too often meet little resistance.
Vishing has become a growing business, and for many reasons:
- The telephone call is a powerful and convincing way to manipulate other humans.
- Through the telephone, cyber criminals have 24 x 7 x 365 access to connect directly with employees.
- It takes only one successful connection in a mass calling campaign to perpetrate a massive hack.
- Threat agents, especially when operating overseas, take cover in the anonymity of VoIP calling.
- Successful attacks are enormously profitable and come with minimal cost or risk to the assailant.
- Most organizations have no protections in place for their voice networks.
Vishing is Adapting & Evolving
What’s more, vishers are masters at changing their approach as new weaknesses are discovered.
In its most basic form, vishing involves a direct call from a bad actor, usually impersonating a trusted source such as IT or Human Resources and armed with information about the targeted employee which provides credibility for their deception.
These attacks are often preceded with a string of “reconnaissance” calls hitting throughout the organization in search of good (i.e. high value, yet vulnerable) targets.
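To make the two patterns just described concrete, here is an added example (not Mutare’s code or product logic) that runs two heuristics over constructed call detail records: a neighbor-spoofing check (Caller ID sharing the called DID’s area code and exchange) and a reconnaissance-sweep check (one caller reaching many distinct extensions inside a short window). The record layout, the 555-prefixed sample numbers and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic vishing detectors run over call detail records (CDRs).

Added example, not Mutare's product or code. The record layout, the
555-prefixed numbers and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: the protected organization owns the
# +1 312 555 01xx DID block (555 numbers are reserved for fiction).
SAMPLE_CDRS = [
    # A single legitimate call from a Chicago landline.
    {"ts": "2024-03-04T09:02:10", "caller": "+1 773 555 0133", "called": "312-555-0101"},
    # Neighbor spoofing: Caller ID forged to share the victim's area code + exchange.
    {"ts": "2024-03-04T09:05:41", "caller": "(312) 555-0199", "called": "312-555-0117"},
    # Reconnaissance sweep: one caller touching many extensions quickly.
    {"ts": "2024-03-04T10:00:00", "caller": "12135550142", "called": "312-555-0102"},
    {"ts": "2024-03-04T10:01:30", "caller": "12135550142", "called": "312-555-0103"},
    {"ts": "2024-03-04T10:02:55", "caller": "12135550142", "called": "312-555-0104"},
    {"ts": "2024-03-04T10:04:10", "caller": "12135550142", "called": "312-555-0105"},
    {"ts": "2024-03-04T10:06:20", "caller": "12135550142", "called": "312-555-0106"},
    # The same number calling one extension again an hour later is not part of the sweep.
    {"ts": "2024-03-04T11:00:00", "caller": "12135550142", "called": "312-555-0102"},
]


def normalize(number: str) -> str:
    """Reduce a NANP number to its 10 digits, dropping a leading country code 1."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def is_neighbor_spoof(caller: str, called: str) -> bool:
    """True when the Caller ID shares NPA-NXX (first six digits) with the called DID.

    Heuristic only: genuine local callers match too, so treat a hit as a reason
    to look closer (first-seen caller, off-hours, many targets), not as proof.
    """
    a, b = normalize(caller), normalize(called)
    return len(a) == 10 and len(b) == 10 and a != b and a[:6] == b[:6]


def find_neighbor_spoofs(records):
    """Return the records whose Caller ID looks neighbor-spoofed."""
    return [r for r in records if is_neighbor_spoof(r["caller"], r["called"])]


def find_recon_sweeps(records, window=timedelta(minutes=30), min_targets=5):
    """Callers that reach at least min_targets distinct DIDs inside one sliding window.

    Returns {caller: max number of distinct DIDs seen within a single window}.
    """
    by_caller = defaultdict(list)
    for r in records:
        by_caller[normalize(r["caller"])].append(
            (datetime.fromisoformat(r["ts"]), normalize(r["called"])))
    sweeps = {}
    for caller, calls in by_caller.items():
        calls.sort()
        best = 0
        # Slide a window starting at each call and count distinct targets inside it.
        for i, (start, _) in enumerate(calls):
            targets = {d for t, d in calls[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweeps[caller] = best
    return sweeps


if __name__ == "__main__":
    for r in find_neighbor_spoofs(SAMPLE_CDRS):
        print("neighbor spoof?", r["caller"], "->", r["called"])
    for caller, n in find_recon_sweeps(SAMPLE_CDRS).items():
        print("recon sweep:", caller, "hit", n, "DIDs")
```

Both checks are deliberately cheap so they can run on a PBX or SBC export in near real time; in practice the neighbor-spoof hit should be combined with caller reputation or first-seen status, since a genuine local customer trips the same rule.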
Then there is the “response-based” (callback) approach, which may involve an email disguised to look like an internal communication, or a robocall with a spoofed Caller ID, carrying an urgent request to call back a specified number. In either case, a recipient who takes the bait and makes the call-back is connected to a co-conspirator trained to extract protected information.
More recently, a hybrid response-based approach has emerged that combines an email or SMS text (smishing) with a related live phone call delivering the same message, so that victims are more likely to trust its legitimacy and urgency. According to a PhishLabs report, such attacks have skyrocketed 625% over the past year with no sign of abating.
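The callback and hybrid lures described in the last two paragraphs share a property a defender can key on: a phone number the employee is urged to call that is not one of the organization’s own, often pushed to the same person over more than one channel. The following added example (not Mutare’s code) shows that detection logic over constructed email and SMS messages; the allowlist of corporate numbers, the urgency word list and the sample messages are assumptions.

```python
"""Flag callback ("response-based") lures and hybrid email+SMS campaigns.

Added example, not Mutare's code. The message fields, the urgency word
list, the corporate allowlist and the sample messages are constructed.
"""
import re
from collections import defaultdict

# Numbers employees are legitimately told to call (constructed allowlist).
KNOWN_CORPORATE_NUMBERS = {"3125550150"}  # e.g. the real IT helpdesk line

# Pressure phrases typical of callback lures (constructed, extend from real samples).
URGENCY_TERMS = ("within 24 hours", "immediately", "urgent", "suspended",
                 "will be charged", "final notice", "call back")

# NANP numbers in the common written forms: (312) 555-0188, 312-555-0188, +1 312 555 0188
NANP_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")


def extract_numbers(text: str) -> set:
    """Return every NANP number in text as a 10-digit string."""
    return {"".join(m) for m in NANP_RE.findall(text)}


def assess_message(text: str, known=KNOWN_CORPORATE_NUMBERS) -> dict:
    """Classify one message: unknown callback numbers plus urgency language."""
    numbers = extract_numbers(text)
    unknown = numbers - known
    lowered = text.lower()
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    return {
        "numbers": numbers,
        "unknown_numbers": unknown,
        "urgency": urgency,
        # A non-corporate number alone is common; paired with pressure it is a lure.
        "suspicious": bool(unknown) and bool(urgency),
    }


def find_hybrid_campaigns(messages, known=KNOWN_CORPORATE_NUMBERS) -> dict:
    """Recipients pushed the same unknown callback number over two or more channels.

    Returns {(recipient, number): sorted list of channels}.
    """
    seen = defaultdict(set)
    for m in messages:
        for number in extract_numbers(m["text"]) - known:
            seen[(m["recipient"], number)].add(m["channel"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= 2}


# Constructed sample traffic: one hybrid lure against alice, one benign note to bob.
SAMPLE_MESSAGES = [
    {"channel": "email", "recipient": "alice@example.com",
     "text": "Final notice: your MFA token expires today. Call the IT desk "
             "at (312) 555-0188 within 24 hours to avoid account suspension."},
    {"channel": "sms", "recipient": "alice@example.com",
     "text": "IT Security: MFA reset required. Call 312-555-0188 now."},
    {"channel": "email", "recipient": "bob@example.com",
     "text": "Reminder: the helpdesk is reachable at 312-555-0150."},
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["channel"], m["recipient"], assess_message(m["text"]))
    print(find_hybrid_campaigns(SAMPLE_MESSAGES))
```

Note that the SMS on its own carries no urgency phrase and would not be flagged by `assess_message`; it is the cross-channel correlation in `find_hybrid_campaigns` that exposes it, which is exactly why the hybrid approach is worth detecting as a pattern rather than message by message.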
The Next Target
The truth is, it is no longer a case of “if” vishers target your organization, but “when.” Are you ready? Until enterprise IT and security professionals put the same effort into protecting their voice networks and human endpoints as they put into their data networks, vishers will keep striking, posing a real threat to corporate assets, operations and people.
About the Author
Janet O’Brien joined the Mutare family in 2007 following 25+ years as a career writer, editor, photographer, and marketing specialist for an array of public and private organizations throughout the Chicago area. She has a passion for helping organizations tell their stories and has found in Mutare’s brilliant technology, caring people, and devoted fans, a virtual anthology of inspiration. Read more at mutare.com, or feel free to share your own stories on LinkedIn.