Watch out, vishing!


No, we didn’t spell it wrong. This blog article is indeed about what is known as “vishing”. Vishing is a special form of phishing; the term is a combination of “voice” and “phishing”. Just as with conventional phishing, private, sensitive or confidential information is elicited from a person under false pretenses. In contrast to phishing, however, the person concerned is contacted not by e-mail but by telephone.

In recent months, the number of cyber attacks has grown significantly, and cyber criminals are turning to vishing more and more. The reason for this is that companies and their employees have recognized the danger posed by conventional phishing attacks, and thus by e-mails or fake websites, and have integrated important prevention measures and training into their everyday work. The cyber criminals must therefore come up with new methods to elicit sensitive information from their victims.

What is the danger here?

The so-called “vishers” act extremely cleverly when they attack their victims. They exploit situations that seem normal and harmless to people. Calls from private or suppressed numbers, as well as calls from a call center or a customer hotline, are almost a daily occurrence. How often have you been asked to give your birthday, your address or simply your name in order to verify data? Even if these calls are often harmless, the routine handling of phone calls of this kind means that vishers often have an easy time getting hold of very confidential information.

How do cybercriminals go about it?

Cyber criminals slip into different roles. The Sparkasse is currently warning of vishing incidents. In this case, the fraudsters pretend to be employees of the Sparkasse and ask their victims to disclose their card number, telephone number or TANs, which are sent to their mobile phones during the phone call. If you ever get into such a situation, hang up immediately. No reputable bank will ask you for your card or TAN numbers over the phone.

Or imagine the following situation: The phone rings and an IT expert is on the other end of the line telling you that your computer is infected with a virus. It is now very important to react quickly to prevent the virus from shutting down the entire company network. The IT expert wants to carry out remote maintenance with you in order to install the necessary diagnostic software on your computer and thus solve the problem. However, he needs your password for this.

Similar to conventional phishing, the perpetrators play with the emotions of their victims by manipulating the situations in their favor. First, trust is built up. This trust is created by the perpetrator appearing in a role whose authority is often not questioned, e.g. that of a police officer, a bank employee or an IT expert. If the trust that has been established is not sufficient to obtain the desired information, the victims are put under pressure by triggering fear and panic in them. This causes the affected persons to take rash and hasty actions.

What can you do to protect yourself from vishing?

A healthy amount of suspicion is never wrong. Question the caller, no matter how official the organization they say they are calling from. Vishing perpetrators will try anything to lull you into a sense of security and obtain confidential information from you in passing. Protect yourself by contacting another person who can confirm the case or concern. Better safe than sorry! As a general rule, never share confidential information such as account details, PINs or passwords over the phone.

What should you do if you have passed on sensitive information?

If you have fallen for a vishing attack, you should act quickly but thoughtfully. Rash action can cause further damage. Inform your IT department immediately about the information you have shared. If you have shared passwords, change them immediately. If you use one of the disclosed passwords for several programs or applications, change it for those services as well. It is important that you do not use the compromised password again in the future.

If you have questions about passwords, Perseus can help. Read detailed articles about password security and the password manager here.