Taking responsibility for protection from threats, cyber security is raising awareness campaigns about Vishing attacks. The attacks are seen very often but have yet to take much notice.
If you don’t know about it, you will learn it soon. Just mark the dates April 10-14,2023.
Understanding vishing attacks
Vishing is a social engineering scam where fraudsters use phone calls or VoIP (Voice over Internet Protocol) to trick people into revealing sensitive information or performing certain actions, such as making a payment or giving access to their computer.
The word “vishing” is a combination of “voice” and “phishing,” which is another type of scam that is typically carried out via email.
How does vishing work?
Vishing scams
- Often involving the use of automated phone calls or
- Robocalls are designed to sound like they come from a trusted source, such as a bank or government agency.
- The caller may ask the recipient to provide personal information, such as their Social Security number or bank account information,
- Or they may ask the recipient to act, such as installing software on their computer.
- Vishing scams can be difficult to detect, as fraudsters often use sophisticated techniques to make their calls appear legitimate.
Vishing attack: Some real-life cases to keep you aware
On March 17, 2023, Checkpoint discovered a fake call malware in South Korea. The same malware was detected a year before with common tactics.
“We discovered more than 2500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis techniques,” reads CheckPoint’s report.
The initial stage of the attack involves infecting the victim’s device with malware, which may occur via:
- Phishing,
- Malvertising, or
- Black SEO techniques.
The FakeCalls malware was spread through:
- Counterfeit banking applications mimic well-known financial institutions in Korea, leading the victims to believe they are using a legitimate application from a trustworthy source.
- The assault commences when the application presents the target with an offer of a loan at a reduced interest rate.
- The malware can hide the calling number, which belongs to the attackers, and instead display the exact number of the bank being impersonated, creating the illusion of a genuine conversation.
Eventually, the victim is deceived into verifying their credit card information, ostensibly to receive the loan, which the attackers then steal.
Hybrid Vishing attacks have increased by 554% in volume, according to PhishLabs’ Quarterly Threat Trends & Intelligence Report.
- Credential Theft continues to be the dominant email threat targeting enterprises, contributing to nearly 52%
- An additional 18% of all Credential Theft attacks were classified as Docuphish.
- The hybrid threats contributed to more than 27% of all Response-Based threats, signaling a shift from traditional Vishing tactics.
- Qbot was the top reported payload, representing 59.3% of all malware-related vishing attacks.
“Throughout 2021, PhishLabs has detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands.”
How to prevent vishing: Just a few simple things to do
- If the phone number is unfamiliar, it’s best to ignore the call. Instead, allow the call to go to voicemail and listen to the message later to determine if it’s necessary to call back.
- If there’s any suspicion of a vishing scam during the call, hang up immediately and block the number.
- Avoid pressing any keys or responding to instructions from an automated message.
- Before returning a call to an unknown number, verify the caller’s identity.
- Pay close attention to the caller’s language and note if they’re using social engineering tactics that prey on fear, urgency, or “once-in-a-lifetime opportunity” language.
- Enroll in the Do Not Call Registry. Most legitimate telemarketing firms avoid contacting numbers on this list, making it more probable that any call received is a vishing attempt.
- Never provide your phone number in emails or messages that request it. Notify your IT support team of any suspicious emails.
Concluding thoughts: Understanding the telephone as a threat vector
Let’s recognize the damage a single phone call can do. The threat actor has affected organizations and the general public; the awareness campaign aims to keep you secure by creating awareness.
“Vishing attacks can have significant negative consequences for a business, from financial and data losses to reputational damage, and we’ve found that far too many enterprises aren’t protecting themselves from vishing or telephone-oriented attacks,” said Chuck French, Chief Growth Officer at Mutare.
“As part of Vishing Awareness Week, Mutare and our partners want to arm the business community with the knowledge and resources to protect and defend their organizations from all forms of voice-centric threats.”
Let’s not wait and keep ourselves updated: https://www.mutare.com/vishing-awareness-week-seminar-2023/
Marrium Akhtar
April 13, 2023
1 year ago
