Basically – the phone is used as an attack vector to get information.
Vishing – attacker calls you and extracts sensitive information you’d otherwise not share
This type of psychological attack takes advantage of trust, manners, and our social nature to want to be helpful.
A stranger calls you at work. They will usually assume 1 of 2 personas – friendly, or intimidating.
1 – the caller is friendly and fun, making you feel rude saying no to their request
2 – the caller poses as someone higher up the corporate ladder. They’ll create a sense of urgency and obligation for you to provide them the requested information. So not wanting to disappoint your “boss”, you give it to them.
While the above are just 2 of the many possible personas, they’re the most popular. See chart below for more angles.
– your gut. If something feels off, don’t be shy to say “I can’t” or flat out “no”
– be the outgoing call. Say, “I can probably help you with that, let me finish this email and I’ll call you right back… what’s you number?”
– phone number spoofing is easy, as in, caller ID is not reliable
– vishing attacks often happen while you’re very busy and distracted, so your defences are already down
– remember no information is inconsequential. The attacker may be seeking a tiny piece of information that seems small and frivolous, but really, it’s a key piece to a bigger puzzle
– someone recently tried to vish me, read the anatomy of the attack here
This has been Part 1/3 in a series with Michele Fincher of Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE.)
Meet Michele here.