Remember Social Engineering Attacks? The big one is Phishing (cyber-attacks sent in email) that try to get you to click a link or open an attached document. Then there is Smishing where you get a text or instant message that tries to get you worried enough to tap on an embedded link in order to prevent something bad like your bank account being frozen. In both cases, taking action will usually end up with a hacker getting access to your sensitive business or personal information.
But wait! Just when you thought you were safe because you don't click on random email attachments and don't tap on links in worrying text messages, there is yet another social engineering trick that hackers can use to attack you: vishing.
Vishing – Phishing using voice. With vishing, you receive a call on your phone (office, home, or cell) and your Caller ID says it is from a government agency, a bank, or some other familiar number. You may even receive a call from your own number!
The anatomy of a vishing call
The phone number on your Caller ID is fake. Its only purpose is to look familiar enough that you answer the call – and who won't answer a call from the IRS, a bank, or someone you trust?
When you answer, a recorded message says something dramatic like a warrant has been issued for your arrest due to unpaid taxes, or your bank account has been locked for your protection.
Now that you're worried, you are asked to pay money via credit card or provide your bank account PIN or Social Security Number. Sometimes you are given a toll-free number to call where someone will kindly ask you for all your personal information. The key point of the attack is to convince you that following the directions, and giving up your information, will make that big problem go away immediately.
Don't do it. You're being vished and are probably about to have your money or your identity stolen if you do what is asked.
You can't trust Caller ID
Vishing attacks work because we tend to trust our phone companies. We assume Caller ID truthfully identifies who is calling. And the problem is that Caller ID can be spoofed.
There is no guarantee the number your Caller ID is showing belongs to whoever is calling you. Just like there is no guarantee that the recorded message claiming to be from the IRS is really from that government agency.
And no, we're not going to tell you how to do Caller ID spoofing. You can search on the Internet yourself and satisfy your curiosity.
Isn't Caller ID spoofing illegal?
Not in general. There are legitimate reasons for allowing Caller ID spoofing. Remember when you call your doctor late at night for additional advice after an office procedure? Your doctor's phone service takes your number and says the doctor will call you back. When the phone rings, your Caller ID says your doctor is calling you from the office. In reality, your doctor is probably calling you from their home or from their cell. You may not pick up your phone for some random number, but you will pick up when your Caller ID says the doctor is calling you from the known office number.
So, is vishing illegal?
Yes. If you lost money or had your identity stolen because of a vishing attack, you can seek help from law enforcement. Call and billing records from your phone company may allow law enforcement to trace a call to its true source. But you need to have suffered a loss of money or personal information, because the tracing often takes one or more subpoenas to get access to the information.
To protect yourself from Vishing:
- Don't always trust Caller ID – Numbers are easy to spoof for illegal purposes. Your phone might say you are getting a call from a known company or number you recognize, but there is no guarantee who's calling.
- Never trust unknown or unexpected callers – Vishing is just phishing by phone. You should be just as wary of unexpected phone calls as you are of unexpected e-mails or SMS asking for personal information or immediate action. Send unknown calls to voicemail. If it's something truly important, the caller will leave a message and contact number you can verify on your own before calling back.
- Ask questions – If a recorded call connects you to a real person who wants your credit card number, banking info, or other personal information, ask them to identify who they are and who they work for. You don't have to give anyone on the phone any information you don't want to.
- Tell them you will call them back – If a suspicious caller tells you who they are working for, simply say you will call them back using the listed number for the company or government agency and end the call. If the caller said they were with your bank or credit card company, call the company using the number on your credit card or bank statement. You may find that no one from your credit card company or bank was trying to contact you and there is no urgent problem with your account.
These four guidelines will help mitigate your risk from vishing attacks.
Want to know more about how to better protect your business against vishing and other malicious social engineering attacks?