Vishing: The rising threat to business voice networks

Following on from our article on VoIP fraud, we’re going to delve a little bit deeper into the specific threats facing business voice infrastructure, beginning with vishing.

Most people will be familiar with phishing – in which an individual is contacted by a cybercriminal, usually by email, posing as a legitimate institution to attempt to gain sensitive information, such as banking details or passwords. Vishing is a social engineering technique with the same goals, however the tool used is telephone. Vishing relies on voice and the emotion that it conveys – which can be more effective on its own, or as part of targeted phishing campaign. Click rates for phishing can increase three-fold when vishing was also used by threat actors. Yet, while most organisations train employees to recognise phishing attempts, there tends to be less focus on vishing.

The impact for businesses can be significant. In 2020, when Twitter was the target of vishing, cybercriminals were able to gain access to internal systems and 130 accounts, including those of Barack Obama and Joe Biden.

While the most common vishing technique is to mimic an authority figure, whether that’s a government official or senior colleague at work, the goal is nearly always to obtain sensitive information, although some scammers will attempt to steal money, for instance, by using a fake invoice.

Vishing is becoming more sophisticated and more difficult to detect. Advances in technology, for example, mean cybercriminals can now use AI to mimic voices of senior employees.

Artificial Intelligence – By detecting patterns without human input, AI can automatically deploy processes and tools with greater chance of success.

Robocalls – Pre-recorded calls, usually sent en masse, using software targeting users and requesting information. Typically, these come from international, or blocked numbers.

VoIP – With the increasing uptake in VoIP services, business VoIP phone systems have become a key target for scammers. Cybercriminals can easily create fake numbers to carry out attacks, using robocalls, or human callers with a convincing pre-prepared script.

Caller ID spoofing – This technique can be difficult to detect as scammers use software to fake legitimate caller IDs, usually impersonating an official source, such as a financial services provider, tax authority or other government agency.

Tech support impersonation – Scam callers pretend to be from tech support and will typically ask for a password or other information for the purpose of a computer update.

While most security professionals are focussed on protecting their organisations from data theft due to hacking, web apps and email, dangers faced by voice traffic can be ignored. But vishing is a growing threat vector that cybercriminals are increasingly using to steal sensitive information or gain network access. There have been numerous incidents of cybercriminals posing as a senior executive to force a junior member of staff to reveal an important piece of information that allows the individual to access files, data or steal intellectual property.

One study found that nearly half of all organisations had experienced a vishing attack in the past year, more than one-third found that their organisations collected no data on unwanted or potentially malicious voice traffic and, worryingly, 9% had no solutions in place to protect voice networks.