We continue our Security Awareness Training by addressing some of the most common challenges for organizations that now have to protect users, data, and clients while workers connect to corporate systems remotely or at the office.
Our focus will be to help you better understand what Vishing is, what it can do, and how to prevent a malicious Vishing event at the office or while working remotely. Let’s get started!
What is “Vishing”?
Vishing is a type of social engineering attack used to gather information of many kinds. A Vishing attack is carried out over the phone, so when we discuss Vishing, remember that the “V” stands for “Voice”.
The attack is built so that the caller resembles a reputable person or company. The caller’s number, location, ID, etc. are all designed to look the way the attacker wants you to see them, and the conversation or voicemail is designed to gather any kind of information that can be used for impersonation. When done correctly, the Vishing caller can gather financial information, Social Security numbers, dates of birth, addresses, or bank and credit card information. This type of attack has become very popular and is sometimes difficult to identify; however, with a few bits of information we will help you reduce the associated risks.
How can I reduce the risk of falling victim to a Vishing attack?
The key is to never share personal information (yours or the company’s) directly over the phone or when responding to a voicemail unless the source has been confirmed safe.
What the heck does that mean?
Sharing financial details such as banking or credit card numbers, or answering requests for personal information such as passwords, Social Security numbers, addresses, or dates of birth, is a recipe for disaster!
Banks should not ask you for your personal PIN or passwords. Instead, they will use a security check (for example, your place of birth) that you would have set up directly.
If the call is for someone inside the company and you are not in the department that would handle the request, for example you are not in accounting but are urgently being asked to provide financial information, that should raise a flag! We are all eager to help; however, giving out the names of people the caller should be contacting is discouraged, because gathering those details is all part of the job description for these criminals. If this occurs, simply ask for a callback number and a name to follow up with, and take it to the appropriate security resource, such as your Managed Services Provider, CFO, etc., to confirm its validity.
Cellphone users of all types should also consider registering their numbers with the donotcall.gov registry. This will keep your cell phone number off most national Do Not Call lists. One of the ways this helps you is that most legitimate telemarketers follow the Do Not Call registry laws and will not break these rules, which means the suspicious calls are unlikely to be from them.
However, if this happens repeatedly with the same number, you can file a complaint with them on the company website, and if you think you have been contacted by a “visher”, it is recommended that you visit ftc.gov and report them.
We hope this has been helpful. Please continue to look for our follow-ups in the Security Awareness series, with more “Recognizing a Cybersecurity Threat” scenarios and more!
PCS Managed Services strives to provide a stable, secure, and productive environment for its clients, and is here to help you! For more information on how we can help better protect your team, please call us or email us at sales@pcs-ms.com.