How to Defend Against Voice Phishing

Listen to this blog post below

emailsecurity · How To Defend Against Voice Phishing

Vishing, or voice phishing, can appear in various garbs, and strict adherence to cybersecurity best practices is required for its prevention.

If you think phone scams have become a thing of the past, think again. Malicious actors are carrying out Vishing (voice phishing) campaigns through phone calls, and they can cause as much damage as other social engineering attacks. Besides looking into what voicing phishing is and its examples, this article also shares tips for voice phishing protection.

What Is a Vishing Attack?

Vishing, or voice phishing, is a cybercrime in which threat actors use mobile phones to steal personal information. In a vishing attack, adversaries use social engineering tactics to persuade users to provide confidential and sensitive information, which they can use for financial fraud.

The Persistent Threat of Vishing Attacks

While some might believe that phone scams are a thing of the past, vishing (voice phishing) campaigns prove otherwise. These malicious activities conducted through phone calls have resurfaced with a vengeance, posing significant risks similar to other social engineering attacks.

Vishing Attack Examples

According to a report, over 14 million Americans are impacted by identity theft incidents annually, costing customers over $1.7 billion. Most American fraud incidents involve telephone-based communication. Some examples are:

Banking Scams: Vishing actors attempt to steal a consumer’s financial information, like bank account details and credit card numbers. They use an ID that looks genuine to impersonate a legitimate entity and trick their victims (ID spoofing). For example, the scammer poses as the CFO of an organization and persuades the employee to transfer funds to his account.
Unsolicited Loan and Investment Offers: Malicious actors will call the victims promising unrealistic deals like get-rich-quick schemes or quick fixes for paying off debts. Victims are asked to respond quickly by paying a fee.
Social Security and Medical Care Scams: Threat actors choose vishing to target elderly citizens. They pose as Social Security or Medicare Administration’s representatives. They will steal personal information like Social Security or Medicare numbers and use it to commit financial fraud.
Tax Scams: Scammers will send a pre-recorded message posing as an IRS Officer and inform the target regarding an issue with their tax returns. They spoof the caller ID, and the call appears to be from the IRS!

Image sourced from spiceworks.com

Targeting Vulnerable Demographics

Elderly citizens often bear the brunt of vishing attacks, wherein scammers masquerade as representatives of Social Security or Medicare administrations. By coercing victims to reveal personal information, including Social Security or Medicare numbers, attackers orchestrate financial fraud.

Tips to Avoid Vishing Attacks

The best voice phishing prevention method is to ignore such phone calls. Telecoms deploy fraud detection systems that display “Fraud Risk” on caller ID if a user receives a known malicious call. However, you must rely on more than telecoms to prevent vishing. It would help if you also observed the following precautions:

Keep information Discreet: Don’t share your private information like your driver’s license and passport information or login credentials over the phone. It will keep your identity and accounts safer.
Join The National ‘Do Not Call’ Registry: The ‘Do Not Call’ registry is a free service that will remove your mobile number from the malicious phone call lists.
Verify Unknown Numbers: Many applications allow you to verify unknown numbers calling you.
Confirm with the ‘Calling Organization’: If your bank appears to be calling you, but you need clarification, call the bank and see if they tried to contact you. While it may cost you some time, being cautious will help protect your confidential and sensitive information.
Identify scare and pressure tactics: Malicious actors will pressure you into sending money immediately through bank transfers, credit cards, or gift cards. For example, to convince users to fall for the IRS scam, attackers threaten them with jail time if they do not send money immediately.
Be skeptical: You must remain suspicious about any caller requesting confidential and sensitive information. It is advised to keep information private from the caller, regardless of where they claim to work.

Final Words

The best business tactic for organizations for voice phishing protection is to observe good cybersecurity practices. The initial step could involve providing new employees with security awareness training, ensuring they understand the risks posed by vishing attacks to a business. This training would also include phishing awareness training to further enhance their preparedness.

Organizations must ensure their employees never allow access to anyone to guarded information systems except verified technicians.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.