You’ve just been alerted to fraudulent phone calls or text messages claiming to be from your company that try to get your customers to provide their account information. What do you do? How do you respond? How do you stop them?
To answer these questions, it’s helpful to understand what a vishing or SMiShing attack entails. Sometimes referred to as phone phishing or VoIP phishing, vishing exploits the trust your customers have in your telephone communications to steal information that can be used to take over personal or business accounts. A typical attack unfolds like this:
- An attacker compromises a couple of Windows systems. On one machine, he installs spamming software. IVR (Interactive Voice Response) software is installed on the other.
- Next, he compromises a VoIP system or stands up one of his own on a server he has compromised or purchased.
- Using the spamming software, he spams email to text message gateways. Those gateways send the texts to the targeted customers.
- Those customers receive a message along the lines of “Call 123-456-7890 about a recent transaction.”
- They call the number and the VoIP server passes them to the IVR system, which poses as their bank and prompts for account credentials.
- When entered, the credentials are collected by the IVR system and either saved or emailed to the attacker.
That’s one largely automated method of vishing and SMiShing, but attackers may also incorporate live call responses to increase their odds of success.
So what should you do when a vishing attack is reported?
The first step is to get as much information as possible about the call or text message. When the suspicious message is reported, employees should ask the customer for the following details at a minimum:
- The phone number the call came from.
- The phone number that received the call.
- The information requested.
- Any callback number mentioned.
The next step is to confirm that it really is malicious. Sometimes suspicious calls are reported as phone phishing attacks that actually aren’t. Debt collection calls, late payment notifications, etc. can sometimes be mistaken for vishing attacks. Your company may be using a third party to conduct a call campaign that simply wasn’t communicated to the security team.
The best way to confirm the vishing attack is to call the number and see for yourself what information is being requested. If prompted for personal info, ask for the name of the company conducting the call (not who the call is being conducted for) and ask for contact information for its fraud department.
Legit call campaigns will typically be able to answer these questions correctly without much hesitation. Of course, scammers could be prepared for this and respond correctly as well. But even so, it gives you additional information you can investigate to either confirm the attack or tie the call to a legitimate organization.
If something about the interaction just doesn’t seem kosher, remember that social engineering can work both ways. Call them from a different number and pose as an actual customer. Ask them some questions about what has happened to your account. Give them fake info about your account and ask them to look it up in their system to make sure there isn’t a problem with your account. If they accept the info and say “ok, your account looks fine,” you’ve got your answer.
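The intake details above (originating number, receiving number, information requested, callback number) are only useful once they are normalized and correlated, and the "is this actually one of our own campaigns?" question is easiest to answer when the security team keeps a register of numbers its vendors use. The script below is an added example, not code from the original post: it parses the callback number out of a message of the form described in the attack chain ("Call 123-456-7890 about a recent transaction"), normalizes numbers to E.164, groups reports by callback number so a campaign hitting many customers stands out, and flags each group as an authorized campaign or suspect. The `Report` structure, the authorized-number register and all sample numbers and messages are constructed for the example; North American number formats are assumed.

```python
"""Triage of reported vishing / SMiShing messages (added example, not the post's own code).

Assumptions: the company keeps a register of numbers used by its own or its
contracted vendors' call campaigns, and customers are in the North American
numbering plan. All numbers and message bodies below are constructed samples.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches common layouts: 123-456-7890, (123) 456-7890, 123.456.7890, +1 123 456 7890.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")


@dataclass
class Report:
    reported_by: str        # customer or employee who raised the report
    from_number: str        # number the call or text came from
    to_number: str          # customer's number that received it
    requested_info: str     # what the caller or message asked for
    message_text: str = ""  # SMS body, if it was a text message


def normalize(number: str) -> Optional[str]:
    """Return the number in E.164 form (+1NXXNXXXXXX), or None if it does not parse."""
    m = PHONE_RE.search(number)
    return "+1" + "".join(m.groups()) if m else None


def extract_callbacks(text: str) -> List[str]:
    """Pull every callback number out of a message body, normalized and de-duplicated."""
    found: List[str] = []
    for m in PHONE_RE.finditer(text):
        n = "+1" + "".join(m.groups())
        if n not in found:
            found.append(n)
    return found


def triage(reports: Iterable[Report], authorized_numbers: Iterable[str]) -> Dict[str, dict]:
    """Group reports by callback number and mark each group as authorized or suspect."""
    authorized = {normalize(n) for n in authorized_numbers} - {None}
    groups: Dict[str, List[Report]] = defaultdict(list)
    for r in reports:
        # A text message names the number to call; for a voice call the
        # originating number is the only lead we have.
        leads = extract_callbacks(r.message_text) or [normalize(r.from_number)]
        for n in leads:
            if n:
                groups[n].append(r)
    return {
        n: {
            "reports": len(rs),
            "distinct_recipients": len({normalize(r.to_number) for r in rs}),
            "requested": sorted({r.requested_info for r in rs}),
            "status": "authorized campaign" if n in authorized else "suspect",
        }
        for n, rs in groups.items()
    }


# Constructed register: the vendor's late-payment reminder line.
AUTHORIZED_CAMPAIGN_NUMBERS = ["(800) 555-0100"]

# Constructed reports: two customers got the same text, one got a real vendor call.
SAMPLE_REPORTS = [
    Report("customer A", "+1 555 010 0199", "+1 555 010 0123", "account number and PIN",
           "Call 123-456-7890 about a recent transaction."),
    Report("customer B", "+1 555 010 0199", "+1 555 010 0124", "online banking password",
           "Urgent: call (123) 456-7890 about a recent transaction."),
    Report("customer C", "(800) 555-0100", "+1 555 010 0125", "whether a payment had been made"),
]


def run_sample() -> Dict[str, dict]:
    """Triage the constructed reports against the constructed register."""
    return triage(SAMPLE_REPORTS, AUTHORIZED_CAMPAIGN_NUMBERS)


if __name__ == "__main__":
    for number, info in run_sample().items():
        print(number, info)
```

Running it shows the callback number from the two texts grouped into one suspect entry with two distinct recipients, while the vendor's number is labelled as an authorized campaign, which is exactly the distinction the confirmation step is trying to make before anyone picks up the phone.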
Once a vishing attack is confirmed, you need to shut down the number it’s coming from. So stay tuned for Part 2…