Vishing and Organizations
Individuals and their personal finances aren’t the only targets of vishing. Social engineers can use vishing to build relationships with key employees and take advantage of the human tendency to be open and helpful, all in order to steal data, access confidential networks, and run other scams.
Vishing is often just one element in a Business Email Compromise (BEC) attack, according to an article on DarkReading.com. BEC attacks often begin with gathering information through online searches, vishing and phishing. A social engineer can lure unsuspecting employees into giving out seemingly innocuous information, such as details about the organization’s structure or an executive’s travel plans. This information could then be used to impersonate a superior and convince an employee to wire funds to a fraudulent account or divulge access credentials.
These types of vishing attacks could be underreported because people don’t necessarily know when they’ve been vished. It’s not always easy to see the connection between giving out seemingly harmless information and a larger BEC attack.
Tips for Avoiding Vishing Attacks
The simplest advice for staying safe on the phone is, “When in doubt, hang up.” Here are some additional tips to help you avoid vishing attacks:
- Think before you speak. Scammers want you to act — and give out information — before you think things through. The person on the end of the line may sound sincere and trustworthy, but that doesn’t mean they’re legitimate.
- Have your guard up with automated calls. Be particularly skeptical of scare tactics, prizes and special offers.
- Be aware that caller ID can be easily spoofed by scammers.
- Verify phone numbers before calling back. If you’re given a toll-free number to call, look up the correct number yourself, either online or using the back of your credit card, for example.
- Use a different phone to call back. Attackers have ways to keep the line open even if you hang up and try to call your bank’s correct number. You think you’ve reached the bank, but you’re still connected to the scammer.
Subscribe to the Proofpoint Blog