Voice-Phishing

Vishing—or voice-phishing—is a scam that uses a standard voice phone call as part of the ruse. Like many other phishing scams, the goal of vishing is to get the victim to give over some sort of information. The information might be as immediately useful as a multifactor authorization (MFA) code or as subtle as the name of your organization’s software provider. (The MFA code can be used by a criminal with your login credentials to bypass MFA. The contact information could point to system vulnerabilities.)

How Might Vishing Look?

• A text claiming there are issues with your taxes, and that you should call a certain number to remedy them. (Keep in mind that the IRS uses mail for official communications.)
• A caller claiming to be a government representative collecting a fine. Just provide your credit card details and you will be in the clear!
• An IT helpdesk you do not know instructing you to visit a fake login page for their VPN and sign in.  (See this FBI Private Industry Notification for more on this big scam of early 2021.)

5 Ways to Avoid Getting Vished

1. Ignore Calls. If you do not recognize the number, let the call go to voicemail. Legitimate businesses market with cold calls. But use extra caution with a cold call that includes a limited-time special offer. Especially if it comes with a request for personal identifiable information (PII).
2. Block Numbers. Never respond to spam texts from unknown sources—not even with STOP. Any sort of response confirms that your phone number is legitimate and invites further targeting. Simply block the source of the text and move on.
3. Search Online. Look up phone numbers an email or text directs you to call. They should come back to the organization you expect every time.
4. Go with Your Gut. If a call or text seems off, tell them you do not feel comfortable and take a step back. A legitimate caller will allow you to call back. They will not threaten you in any way.
5. Keep Private. Never share passwords, MFA credentials, or account recovery codes by text or over the phone.

3 Ways to Combat Vishing

1. Multifactor Authentication. Enable multifactor authentication wherever possible. This additional layer means a slip or hack of your username and password is not enough to grant access to important accounts.
2. Restrict Permissions. Limit each user’s access to only files pertinent to their function. This way if one user’s account gets compromised, criminals will only have access to the information applicable to their function within your organization. (Further, administrator accounts should not be tied to an email address.)
3. Be Proactive. Routinely scan and monitor for unauthorized network access and modifications to minimize the impact of a compromise.