VISHING 101

DEFINITIONS

WHAT IS VISHING?

Vishing attacks are directed at specific individuals and employ social engineering techniques, often in combination with spoofed caller IDs and personal information gained through other hacking attacks. They manipulate the call recipient into a false sense of trust in order to extract from them sensitive or protected information. When perpetrated on an employee (who may be particularly vulnerable when in a helpdesk, customer or tech support position), the damage could be catastrophic with prospective loss of proprietary information, financial theft, public relations fallout and costly exposure to regulatory breach.

HYBRID VISHING

Tandem approach using email and related live phone call with the same message so victims are more likely to trust its legitimacy and level of urgency.

Similar to the above scenario, in this case the adversary, often working with a teammate, delivers an email to targeted employees with enough personal information to lend it credibility and then follows that with an immediate phone call delivering the same message. An employee may be suspicious of one approach or the other, but when in combination, it provides a greater sense of legitimacy and urgency. Again, if a voice connection is made, the skilled criminal visher uses social engineering techniques to coerce the employee into divulging sensitive information or providing access to internal systems and data.

Callback Phishing

Callback phishing, also referred to as telephone-oriented attack delivery (TOAD), is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. This attack style is more resource intensive, but less complex than script-based attacks, and it tends to have a much higher success rate.

Autodial Robocall (Wardialing)

Recorded voice message with an urgent or threatening tone demanding an immediate call-back and delivered to a large pool of recipients via computer-generated autodial calling.

In this basic, automated approach, the adversary, using a spoofed (digitally altered) Caller ID, delivers an urgent pre-recorded message via auto-dialer to specific regions or sequential numbers within the organization’s exchange range (also sometimes referred to as “wardialing”). The message appears to be from a trusted source such as a bank or government agency, and includes a call-back phone number. If the victim calls that phone number, they will be connected to a call center agent who is a criminal co-conspirator. That agent, or scammer, in turn, attempts to trick the employee into handing over system credentials, user information, personally identifiable information, credit card account numbers or even direct funds transfers.

Neighbor Spoofing & Enterprise Spoofing

A scam robocall campaign targeting a specific population that includes a spoofed caller ID/Caller Name that resembles a source likely to be trusted by individuals in that group.

In addition to the above scenario, the vishing attacker might specifically modify the Caller ID to resemble the call recipient’s area code or business number prefix, increasing the likelihood that an employee would trust it and return the call to a presumed colleague (a tactic known as “neighbor spoofing”). In this case, the recorded message would impersonate an internal source, such as a member of technical support or human resources, and request a call-back about a supposed issue that needs immediate resolution. The adversary can also modify the Caller Name (CNAM) to reflect an organization or agency familiar with that company (known as “enterprise spoofing”) and deliver a message requesting immediate call-back due to an urgent matter with, for instance, a corporate account, tax matter or legal issue. In either case, the nefarious agent fielding the call-back would then follow a script designed to extract revealing personal information or login credentials. The goal of these attacks, at the very least, is to harvest private information that can then be used to perpetuate future fraud, but the ultimate prize is access to the organization’s internal networks and data repositories.

Direct Call Enhanced by Social Engineering

An attack on a targeted individual from a live caller impersonating a trusted source. The threat agent uses personal information about their victim to boost credibility, then applies psychological manipulation to trick them into divulging protected information.

Vishing calls can also be perpetrated by an individual targeting specific employees that they have identified as particularly valuable conduits to internal systems or data. In these cases, the adversary, posing as a trusted internal source (technical support, human resources, upper management), has already armed him/herself with information about the targeted employee harvested from public sources, social media accounts, or purchased on the Dark Web, in order to establish credibility. They are skilled at impersonation and psychological manipulation (known as “social engineering”). Customer service and contact center employees are a favored target of these scammers, due to their mandate to answer calls and “need to help” mindset. New employees are also at risk as they are less familiar with organizational norms and players, and may be more deferential to a perceived superior. Remote workers, too, are attractive targets due to their physical isolation both from officemates and the protective barriers of corporate office firewalls.

Response-Based Vishing

An email appearing to be from a trusted source and including a call-back number that connects the victim to a co-conspirator call center agent trained to extract protected information from their target.

While employees have learned not to click on unfamiliar links and many know not to respond to requests from unsolicited callers, they may feel safer if the link is a phone number, not a webpage, and they are making, rather than receiving, the phone call. Per above, that phone call connects them to a criminal agent skilled at social engineering manipulative techniques designed to extract information that could provide access to the organization’s internal systems.

Spear Vishing for VPN Access

Live call from criminal agent impersonating tech support. The caller tricks victims into logging into a fake VPN page in order to steal and use those login credentials for access to internal drives and networks.

At the height of the COVID-19 crisis and the sudden move to work-from home, vishing attackers found a new and lucrative attack tactic: targeting specific remote workers, particularly those new to the organization, in a scheme to gain VPN access to the organization’s networks. Armed with specific information about the employee, often gleaned from social media sites such as LinkedIn or Facebook, the attackers, usually posing as IT technical support, called and convinced their victims to log into a fake webpage designed to resemble a “new” VPN login page. Once the employee had logged in with their credentials, the attackers managing the fake page then stole those credentials, logged into the actual corporate VPN, and either downloaded as much internal data as possible or inserted network-destroying malware as part of a ransomware attack. The alarming growth of this form of “spear vishing” (vishing directed at a target individual) attack prompted this FBI warning alerting businesses of the potential threat. Nevertheless, this vishing scam continues today as remote work has become the new normal.

Voice Spam

The term voice spam is the blanket term that refers to any sort of unsolicited/unwanted phone calls. Under the Voice Spam umbrella comes many forms of unwanted calls, ranging from computer generated robocalls to potentially dangerous scam calls or phishing schemes trying to ascertain your private information.

Spoof Calls

Spoof Calling is when you receive a call from a phone number that looks similar to your area code and exchange (the first six digits of your phone number) or a caller ID displaying the name of a nearby town or local business. However, the person on the other end is neither a neighbor nor legitimate business caller. The caller is typically a spammer trying to lure you into a scam.

Smishing

Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.

Robocalls

Appointment reminders, flight cancellations, and other informational calls are legitimate forms of robocalls. However, illegitimate players are leveraging Voice over Internet (VoIP) technology to generate thousands of robocalls to random numbers from an auto dialer. Their messaging, at best, is intended to elicit a purchase but, in growing numbers, is designed to lure the call recipient into a scam. Scammers often employ caller ID “spoofing” to disguise their identity, replacing their source ID with one showing a familiar area code or person (neighbor spoofing), or business name (enterprise spoofing) to entice recipients to answer.