Sample Vishing Attacks
Do you know that vishing attacks use the phone system to trick users into giving up personal and financial information? You should if you plan to take the Security+ exam. This post should help.
Vishing attacks often uses Voice over IP (VoIP) technology and tries to trick the user similar to other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it appear as though the call came from a real company.
Attacks from Email and Phone Message
In one form, a machine leaves a phone message saying that you need to return the call concerning one of your credit cards. In another form, you receive an email with the same information. If you call, you’ll hear an automated recording giving some vague excuse about a policy and prompting you to verify your identity. One by one, the recording prompts you for more information, such as your name, birthday, Social Security number, credit card number, expiration date, and so on. Sometimes, the recording asks for usernames and passwords. If you give all the requested information, the recording indicates they have verified your account. In reality, you just gave up valuable information on yourself.
Vishing Attacks from a Phone Call
Another example of vishing is a just a regular phone call from a criminal. A popular ploy is a call from a company claiming to be “Credit Services” and offering to give you lower credit card rates. They play around with caller ID and have it display anything they want. A common ploy is to display a number similar to yours, but with the last digit different, making them appear local. They often announce, “This is your second and final notice,” trying to evoke a sense of urgency.
If you answer, the automated system forwards you to a live person who begins asking a series of “qualifying” questions, such as how much credit card debt you have and what your interest rates are. They then promise that they can help you lower your debt and get you a better rate. Next, they start asking some personal questions. They might ask for the last four digits of your Social Security number so they can “verify your account is in good standing.” They might ask you for the code on your credit card “to verify you still have it.”
Eventually, they hope to get your credit card number, expiration date, and code so that they can use it to post fraudulent charges. Some people have reported similar callers trying to get their bank information so that they can transfer money out of the accounts.
They hang up right away if you ask them to take you off their list, or stop calling. Similarly, they hang up when they hear words such as criminal and thief. Some even reply with insults. They’ve called me so often, I’ve played along a few times. I love it when they ask for information on my credit card. I respond by saying, “Can you hold on so I can get it?” I then put the phone in a drawer and go back to work. Once, they stayed on the line for more than three hours waiting for me.
Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.
You might also like to view this blog: Identify Social Engineering Attacks