Basically – the phone is used as an attack vector to get information.
Vishing – attacker calls you and extracts sensitive information you’d otherwise not share
This type of psychological attack takes advantage of trust, manners, and our social nature to want to be helpful.
The Attack
A stranger calls you at work. They will usually assume 1 of 2 personas – friendly, or intimidating.
1 – the caller is friendly and fun, making you feel rude saying no to their request
2 – the caller poses as someone higher up the corporate ladder. They’ll create a sense of urgency and obligation for you to provide them the requested information. So not wanting to disappoint your “boss”, you give it to them.
While the above are just 2 of the many possible personas, they’re the most popular. See chart below for more angles.
The Defence
– your gut. If something feels off, don’t be shy to say “I can’t” or flat out “no”
– be the outgoing call. Say, “I can probably help you with that, let me finish this email and I’ll call you right back… what’s you number?”
– phone number spoofing is easy, as in, caller ID is not reliable
– vishing attacks often happen while you’re very busy and distracted, so your defences are already down
– remember no information is inconsequential. The attacker may be seeking a tiny piece of information that seems small and frivolous, but really, it’s a key piece to a bigger puzzle
– someone recently tried to vish me, read the anatomy of the attack here
This has been Part 1/3 in a series with Michele Fincher of Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE.)
Meet Michele here.