EARLIER THIS YEAR, the FBI warned SMBs about an uptick in voice phishing, or “vishing,” attacks whereby scammers use phone calls to convincingly elicit passwords and gain access to critical data. The low-tech nature of vishing tactics is attractive to some scammers who might not fit the typical hacker stereotype.
“With phishing, scammers would need some programming skills,” says Diana Giles, owner and president of Edmond, Okla.-based Skyline IT Management. “But with vishing, the scammer’s time is taken up more by dealing with people on a one-on-one basis.”
With phone calls, it’s also tougher for MSPs to protect clients. In her consultancy work, Giles experienced first-hand the damage done when a residential client revealed usernames and passwords. “She just fell for a phone call,” Giles explains. “None of their security software would have helped prevent this.”
Vishing, however, is not as efficient as other attack methods, Giles points out, as “it takes a lot more manpower and hours to accomplish the goal.” In addition, “people aren’t answering their phone as readily—and carriers are doing a better job of [mitigating] spam risk.”
For this reason, Giles sees the greatest vishing-related threats coming from a hybrid model that first uses email or text. “I still think phishing is a bigger threat because they can meet more people quicker,” she explains.
One high-profile example involved the Geek Squad, the tech support arm of retail giant Best Buy. In this case, the scheme used a spoofed email (one whose sender address is forged so that it appears to come from a trusted source). The email lured recipients into calling a phone number to inquire about their supposedly expired annual protection plan. From there, the voice phishing ensued, and victims unknowingly provided credit card information to live attackers on the other end of the line.
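The callback scheme described above can be screened for on the mail-filtering side. The following Python script is an added example, not code from the article or from Skyline IT Management: it reads a raw message, compares the From domain with the Return-Path domain as a rough stand-in for sender spoofing, looks for a phone number to call back, and counts "expired plan" and urgency phrases. The sample email, its domains and its phone number are constructed placeholders, and the scoring thresholds are assumptions chosen for illustration.

```python
"""
Heuristic screen for callback ("hybrid vishing") emails.

Added example, not from the article. The raw message below is constructed
for illustration; the domains and phone number are placeholders, not real
indicators from any incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the scheme the article describes:
# a forged-looking sender, an "expired plan" pretext, and a number to call.
SAMPLE_EMAIL = """\
Return-Path: <billing@example-bulkmailer.test>
From: "Protection Plan Support" <support@retailer.example>
To: customer@example.org
Subject: ACTION REQUIRED: your annual protection plan has expired

Your protection plan renewed automatically and your card will be charged
$349.99 within 24 hours. To cancel, call our support desk immediately at
1-800-555-0199.
"""

# Pretext and urgency phrases; extend this list from your own incident data.
URGENCY_TERMS = (
    "immediately", "within 24 hours", "action required", "expired",
    "urgent", "charged", "suspended", "renewed automatically",
)
# North American style numbers; broaden the pattern for other regions.
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")


def domain_of(addr_header: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Score a raw RFC 822 message for callback-phishing traits.

    Signals (each adds one point to a 0-3 score):
      * From domain differs from Return-Path domain (a weak spoofing proxy;
        production filters should use SPF/DKIM/DMARC results instead)
      * at least one phone number in the body
      * two or more urgency/pretext phrases in subject or body
    """
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True)
    text = (body.decode("utf-8", "replace")
            if isinstance(body, bytes) else str(msg.get_payload()))
    haystack = (msg.get("Subject", "") + "\n" + text).lower()

    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    misaligned = bool(from_dom and rp_dom and from_dom != rp_dom)

    phones = PHONE_RE.findall(text)
    urgency_hits = [t for t in URGENCY_TERMS if t in haystack]

    score = int(misaligned) + int(bool(phones)) + int(len(urgency_hits) >= 2)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "sender_misaligned": misaligned,
        "callback_numbers": phones,
        "urgency_hits": urgency_hits,
        "score": score,
        "verdict": "likely callback phishing" if score >= 2 else "low risk",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The score is a triage signal for a mail gateway or a helpdesk queue, not a verdict on its own; a flagged message is best handled the way the article's advice handles a phone call, by contacting the supposed sender through a number or address you already hold rather than the one in the message.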
Most scams, whether vishing or a hybrid attack, are designed to convey urgency, and that rushed, hectic experience tricks victims into looking past the criminal’s “sleight of hand,” notes Giles, who covers vishing in her security awareness training. “I try to teach our clients to assume everyone who is contacting you with some sort of alert about something that requires you to act quickly is a scammer,” she says.
Instead of responding to such urgent messages, Giles recommends hanging up and then starting a new conversation with the supposed source. “If it’s a legitimate problem with your bank, for example, then you’re going to be able to deal directly with that bank.”