Vishing: The rising threat to business voice networks

Vishing attacks are increasing as more businesses move to VoIP phone systems. Here's what to look out for and how you can protect your voice infrastructure.

Following on from our article on VoIP fraud, we’re going to delve a little bit deeper into the specific threats facing business voice infrastructure, beginning with vishing.

 

What is vishing?

Most people will be familiar with phishing – in which an individual is contacted by a cybercriminal, usually by email, posing as a legitimate institution to attempt to gain sensitive information, such as banking details or passwords. Vishing is a social engineering technique with the same goals; however, the tool used is the telephone. Vishing relies on voice and the emotion that it conveys – which can be more effective on its own, or as part of a targeted phishing campaign. Click rates for phishing can increase three-fold when vishing is also used by threat actors. Yet, while most organisations train employees to recognise phishing attempts, there tends to be less focus on vishing.

The impact for businesses can be significant. In 2020, when Twitter was the target of vishing, cybercriminals were able to gain access to internal systems and 130 accounts, including those of Barack Obama and Joe Biden.

While the most common vishing technique is to mimic an authority figure, whether that’s a government official or senior colleague at work, the goal is nearly always to obtain sensitive information, although some scammers will attempt to steal money, for instance, by using a fake invoice.

Vishing attacks rose by 550% between 2021 and 2022.

Types of vishing attacks

Vishing is becoming more sophisticated and more difficult to detect. Advances in technology, for example, mean cybercriminals can now use AI to mimic the voices of senior employees.

Artificial Intelligence – By detecting patterns without human input, AI can automatically deploy processes and tools with a greater chance of success.

Robocalls – Pre-recorded calls, usually sent en masse, using software targeting users and requesting information. Typically, these come from international or blocked numbers.

VoIP – With the increasing uptake in VoIP services, business VoIP phone systems have become a key target for scammers. Cybercriminals can easily create fake numbers to carry out attacks, using robocalls, or human callers with a convincing pre-prepared script.

Caller ID spoofing – This technique can be difficult to detect as scammers use software to fake legitimate caller IDs, usually impersonating an official source, such as a financial services provider, tax authority or other government agency.

Tech support impersonation – Scam callers pretend to be from tech support and will typically ask for a password or other information for the purpose of a computer update.

69% of companies were subject to vishing attacks in 2021 – up from 54% in 2020.

Is your voice network vulnerable?

While most security professionals are focussed on protecting their organisations from data theft due to hacking, web apps and email, the dangers faced by voice traffic can be ignored. But vishing is a growing threat vector that cybercriminals are increasingly using to steal sensitive information or gain network access. There have been numerous incidents of cybercriminals posing as a senior executive to force a junior member of staff to reveal an important piece of information that allows the individual to access files or data, or to steal intellectual property.

One study found that nearly half of all organisations had experienced a vishing attack in the past year; more than one-third found that their organisations collected no data on unwanted or potentially malicious voice traffic; and, worryingly, 9% had no solutions in place to protect voice networks.

The financial sector is the primary vishing attack target.

Preventing vishing attacks

Organisations should start by auditing their vulnerabilities. This can be done by running a voice traffic analysis, which gives insights into calling volumes and patterns. Once complete, voice traffic filters can be set up to block bad traffic coming from known scam numbers. Custom rules can also be set up for specific numbers and geographies. These too can contain a list of blocked numbers.
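The audit-then-filter sequence above can be sketched over call detail records (CDRs). This is an added example, not DigitalWell or siprotect code; the CDR layout, phone numbers, blocklist, the "+999" geography prefix and both thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample CDR export; every number here is fictional.
SAMPLE_CDR = """\
start,caller,callee,duration_s
2024-03-04T09:00:05,+12025550143,1001,4
2024-03-04T09:00:09,+12025550143,1002,3
2024-03-04T09:00:14,+12025550143,1003,5
2024-03-04T09:00:20,+12025550143,1004,2
2024-03-04T09:02:11,+442079460018,1002,312
2024-03-04T09:15:40,+12025550199,1001,95
2024-03-04T09:31:02,+9995550100,1003,41
2024-03-04T10:05:27,+442079460018,1002,188
"""

BLOCKLIST = {"+12025550199"}   # hypothetical known scam numbers
BLOCKED_PREFIXES = ("+999",)   # hypothetical geography rule (placeholder code)
MAX_CALLEES = 3                # assumed: distinct extensions before review
SHORT_CALL_S = 10              # assumed: median duration typical of robocalls

def analyse(cdr_text):
    """Traffic analysis: call volume, distinct callees, median duration per caller."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        calls[row["caller"]].append((row["callee"], int(row["duration_s"])))
    return {caller: {"calls": len(r), "callees": len({c for c, _ in r}),
                     "median_s": median(d for _, d in r)}
            for caller, r in calls.items()}

def verdict(caller, stats):
    """Filters in order: blocklist, geography rule, then calling pattern."""
    if caller in BLOCKLIST:
        return "block:blocklist"
    if caller.startswith(BLOCKED_PREFIXES):
        return "block:geography"
    # Many extensions dialled with very short calls looks like mass dialling.
    if stats["callees"] > MAX_CALLEES and stats["median_s"] < SHORT_CALL_S:
        return "review:volume"
    return "allow"

def triage(cdr_text):
    """Map each caller seen in the CDRs to a filter decision."""
    return {c: verdict(c, s) for c, s in analyse(cdr_text).items()}

if __name__ == "__main__":
    for caller, result in triage(SAMPLE_CDR).items():
        print(caller, result)
```

Callers marked for review are candidates for the blocklist once confirmed, which is how the analysis step feeds the filter step.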

Most hacks are due to employee error, so security teams should set up training programs to help staff identify scam calls and know how to deal with them. Vishing simulations should be an integral part of cybersecurity awareness campaigns.

New voice captcha technologies are emerging that can help by quarantining suspicious calls before they ring, but for true, all-round voice network protection, businesses must look to solutions that cover all aspects of their voice system, including multifactor authentication, hacking, fraud and compliance.

Vishing and voice fraud are on the rise. Protect your business voice systems by talking to a representative at DigitalWell about siprotect – the all-in-one solution that protects your voice networks against all types of threats.