We are now very aware that we are dealing with a flood of more or less well-crafted phishing emails every day, and many companies regularly train their employees to recognize these attacks and respond appropriately. Email is by far the most dangerous attack vector we deal with in the cyber crime world. Spear phishing mails in particular, i.e. mails specifically targeted and aimed at the recipient, pose a major threat.

The things the attacker knows....

But, isn't it sometimes amazing how well these mails are made and what knowledge attackers already have about their target company? Where does he get this information from? Via OSINT (information gathering through open sources)? Certainly. Bought on the darknet? Maybe, too. There are various ways for criminals to get information. But how about just asking for the information you want? That sounds frighteningly simple, and it usually is.

The attack via telephone is unfortunately still a much too underestimated attack vector. With so-called VISHING, which stands for voice phishing, attackers try to trick their victims into making a statement or taking an action that is solely in the attackers' interest.

Vishing, like e-mail phishing, are social engineering methods with which attackers use targeted social stimuli to manipulate their victims into unconsciously taking unauthorized action.

The parameters of successful manipulation by VISHING

The social engineer who uses VISHING has many more ways to manipulate the victim. These go much further than the skillful use of voice, intonation and choice of words. For example, he can use background noises during the phone call to create a certain image in his victim's mind, which seems to legitimize his request or the reason for the call. Possible background noises would be an open-plan office, a call center, a train station or airport, children playing and crying, etc.

Attackers have yet another way to present realistic scenarios. By so-called spoofing, i.e. simulating the caller's phone number, it is possible to impersonate, for example, the police or fire department, a customer or business partner, IT support or a colleague of one's own company.

The targets of a VISHING attack 

Attackers might want to trick their victim into, for example:

  • To give out access data for a web application.
  • To tell which firewall or which antivirus software is currently in use in the company. The version numbers and updates are particularly interesting here.
  • Giving out the name and contact details of IT management, customers and partners.
  • Sending sensitive documents by mail
  • Spreading misinformation within your own company.

Why is so little reported about VISHING?

VISHING is technically not measurable. Unlike an email, which can be identified as a gateway for malware in a forensic investigation after an IT security incident, this is so not possible with a VISHING attack. Another problem is that callers often do not even realize that they have unwittingly become the victim of a social engineering attack.

Protecting against VISHING attacks

There is good news though, there are plenty of ways to protect yourself and your business from VISHING attacks.

  1. Technically, stop phone spoofing if possible.
  2. Train employees in how to deal with the attack vector phone - live trainings.
  3. Conduct online trainings to raise awareness and deepen the topic.
  4. Issue recommendations for action to employees.
  5. Announce reporting channels in the event of a suspected VISHING attack.

How high do you estimate the possibility that you or your employees can be manipulated via the telephone?