How Vishing Attacks Impact Your Business

February 17, 2022 | By IANS Faculty

Vishing attacks (phishing via phone) have become a serious infosec threat impacting both public and private sectors across every vertical. Vishing techniques are increasingly sophisticated and can now more easily bypass many organizations’ prevention tactics to exploit employees. Security teams must understand how the latest vishing methods target their organization, the risks involved, and how best to update their anti-phishing strategies.  

This piece provides an overview of current vishing attack techniques and how they impact businesses to help identify attacks and build a comprehensive anti-phishing strategy.

How Vishing Targets Business 

In the past, vishing focused on convincing consumers to divulge sensitive information, like banking account info, credit card numbers or passwords. As reported by the FBI, vishing attacks have aggressively targeted business since the shift to remote work—leaving both remote and office employees at greater risk. To make matters worse, many security teams are not adequately prepared for a vishing attack and its resulting impact on the business. 

Examples of Vishing Attacks Against Businesses 

Research – Setup – Call – Attack 

Vishing attacks usually begin with a call to an employee’s business or mobile number, and they often end by funneling the employee’s sensitive information directly to the attacker.  However, much work goes on behind the scenes to execute a successful “vish.” 

Vishing attacks gained traction against businesses in early 2020, when a notorious vishing campaign targeted specific companies through fake VPN sites to gain internal VPN logins. Attackers created employee profiles with social engineering tactics and posed as an IT employee using spoofed numbers. They advised victims to sign into the “new” VPN page, and once they did, hackers stole their credentials and used them to access the organizations’ networks. 

This method together with a lack of in-person verification made VPN attacks very rewarding and instantly popular for attackers. A prime example was the Twitter account breach in mid-2020, which used social engineering and vishing focused on well-known public figures and resulted in major bitcoin fraud.  Similar techniques worked successfully on several different industries, and now vishing attackers work as groups, offering less-skilled attackers a range of specialized services, from intel gathering to voice acting. 

Vishing attackers are highly trained and organized, and use increasingly creative tactics to take advantage of vulnerable security protocols and trusting employees.  Besides VPN campaigns, other traditional vishing techniques include: 

  • VoIP and caller ID spoofing: Creating fake numbers that appear to be local with caller ID to pose as IT staff and convince employees into giving up their passwords. 
  • War dialing: Using software to call specific groups, leaving urgent voicemails regarding a security issue and prompting the victim to call back. 
  • Stealing Information:  Going through company trash to find sensitive documents and emails to help create convincing vishing conversations. 

How Vishing Attacks Impact Business 

Vishing can have a deep impact to an organization, beyond just stolen login credentials, passwords, account numbers and proprietary data. For example, it can lead to ransomware attacks when the visher sells the stolen credentials on the dark web. Vishing also lays the groundwork for hackers to launch other secondary crimes including: 

  • Delivering malware and ransomware 
  • Data theft 
  • Cyber extortion 
  • Financial theft and fraud 
  • Malicious deletion and general disruption of a business for spite 

Hackers can sometimes manage to gain unrestricted access to your entire network, placing all the organization’s data at risk.  


READ: Understand the Differences Between Spear-Phishing and Phishing 

 


Prevent Business Vishing Attacks 

Vishing tends to fly under the radar. Fake VPN sites disappear after an attack and employees may not report suspicious phone calls. Vishing attacks focus on high-value business targets, such as call centers, IT administrators, accounts payable, sales, HR, executive management and especially employees new to the company.  An initial vishing prevention checklist includes:  

  • Update awareness programs with simulations to train employees to spot vishing  
  • Use technology to block unknown numbers and robocalls 
  • Add mobile apps to route calls to your company’s VoIP 
  • Adopt MFA on all services and accounts or use FIDO tokens  
  • Restrict VPN connections to company-managed devices only, and block all others  
  • Limit VPN access with time windows and geolocation rules 
  • Employ domain monitoring to help prevent domain spoofing 
  • Scan and monitor web applications for unauthorized access and suspicious activity 

 

READ: How to Conduct Vishing Test Exercises

 

Prepare the Business for Vishing Attacks 

Vishing attacks are so well organized and executed that security teams should work now to ensure employees are properly trained and have a security strategy in place. Awareness is your first and strongest defense against vishing. Training should include strict security protocols about exchanging information, especially around IT VPNs, logins and financial accounts. Let employees know it’s OK to end suspicious calls and report the call as a vish.  This helps IT security teams build effective anti-vishing programs to stop vishing before it causes damage. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.