Table of contents
Editor's note:
You're likely familiar with phishing emails, which target you with spammy links that make you or your organisation vulnerable to fraud and data leaks when clicked.
Now, let's discuss Vishing, the evil twin of phishing.
This is even trickier because scammers can call you or send a voicemail using AI technology to mimic the voice of someone you know, such as a colleague, boss, or loved one.
This "voice cloning" technology is sophisticated and gets better every day. You might recall the music track featuring the voices of Drake and The Weeknd that went viral last year. It was impossible to recognise the voices as artificial until the creator disclosed that neither artist was involved in the creation. AI was used to recreate their voices perfectly.
In this post, we'll explore vishing, its dangers, and how to avoid falling victim to vishing scams.
What is vishing?
Vishing, or voice phishing, is a form of social engineering where attackers use phone calls or voice messages to trick individuals into providing sensitive information, such as passwords, credit card numbers, or personal identification details.
How does vishing work?
Picture this.
It's a workday, and you're at your desk when you receive a voicemail from your boss. They instruct you to urgently wire a large sum of money to a vendor for a last-minute project.
The request is unusual; it’s not the standard operating procedure for paying vendors. But since the instructions are from your boss, you make the transfer.
A few hours later, you see your manager at the coffee corner and ask them to confirm if the vendor received the payment. There's a major problem: your manager has no idea what you're talking about! You've just been scammed through a fake voicemail.
Vishing scams happen everywhere not just at work.
At home, you might receive a phone call or voicemail from a family member claiming to be in a critical situation, like an accident or medical emergency. They provide convincing details and pressure you to send money immediately through a digital wallet app like Venmo or PayPal. Later, you discover the story was fabricated, and you've fallen victim to a scam.
The negative impacts of vishing on businesses
Data breaches
If employees fall victim to vishing attacks and unwittingly provide sensitive information, it can lead to data breaches. This can compromise confidential business information, customer data, or financial records.
Financial loss
Vishing attacks can result in financial loss for businesses. Attackers may use stolen information to make fraudulent transactions, access company accounts, or even initiate unauthorized wire transfers.
Reputation damage
A successful vishing attack can damage a business's reputation. Customers may lose trust in the company's ability to protect their personal information, leading to a loss of credibility and potential loss of business.
Legal consequences
Depending on the nature of the information stolen and the applicable regulations (such as GDPR, CCPA, etc.), businesses may face legal consequences for failing to protect sensitive data or for not reporting data breaches in a timely manner.
Operational disruption
Dealing with the aftermath of a vishing attack can be time-consuming and disruptive to normal business operations. Companies may need to invest resources in investigating the breach, implementing new security measures, and communicating with affected parties.
Loss of intellectual property
Vishing attacks may not only target financial information but also intellectual property and trade secrets. If employees inadvertently disclose confidential company information during a vishing call, it could have long-term consequences for the business's competitiveness.
How to avoid falling for vishing scams
Resist the urge to act immediately
Resist the urge to act impulsively. No matter how convincing a phone call or voicemail may seem, hang up or close the message if something feels off.
Verify the caller's identity directly. Call the person who supposedly contacted you using a phone number you know is theirs. Do not use the number provided by the caller or caller ID.
Ask questions that a scammer wouldn't be able to answer correctly. For a boss, it could be a personal question only they would know, or something related to a recent project you both worked on. This tactic can expose the caller as an impostor.
Don’t send money if you’re ever in doubt
If the caller urgently requests money via a digital wallet app or gift card, it's a major red flag for a scam.
Report fraud immediately. If you wire money to someone and later discover it's a scam, contact the police and provide them with as many details as possible.
Secure your accounts
Implement multi-factor authentication (MFA) for email logins and other account changes. This applies to both work and personal accounts.
Verify changes to vendor, customer, and employee information at work.
At work, train your staff
Train your staff at work. Develop a culture of cybersecurity awareness by training your employees on internet security best practices. Establish a policy to confirm all changes and payment requests through trusted means. Don't rely solely on email or voicemail for important information.
With the increase in remote work, accepting phone calls on personal devices from unknown numbers poses a security risk. Especially, if these numbers would usually be identified by an internal digital phone system.
Effective security awareness training is a significant defence against vishing attacks. This training can educate employees on how to recognize vishing tactics and patterns, emphasising the importance of vigilance and caution when receiving unsolicited calls. Always follow standard operating procedures and don't hesitate to verify information through trusted channels.
Cybercriminals are evolving and getting more advanced every day. Be vigilant and cyberaware.