A type of social engineering attack that is closely related to phishing is vishing. Vishing is the act of phishing over the telephone and has gained popularity recently.
Almost everyone has a cell phone today, which increases an attacker's opportunity to get private information from someone. The criminals who carry out vishing attacks may use charm and a good personality to sound trustworthy. An attacker with poor people skills will obviously find it harder to succeed, because the targeted victims will not be enticed to reveal information on the phone. These attacks often use customer service scams, such as posing as a credit card representative or pretending to be someone who works for Microsoft or another computer company.
Often, when a criminal calling your phone number falsely claims to work for a legitimate company, they will ask for your login credentials to gain access to a service or account of yours, under the guise of being a company representative who is only seeking to verify who you are. There may be a made-up narrative or story to establish credibility and catch you off guard before they ask for your login credentials. If the targeted victim reveals their login credentials, they will have been successfully vished.
Attackers who obtain usernames and passwords will sell them through online black markets and also try those same login credentials on other websites and services to see whether the credentials are being reused across sites. A good lesson no one ever wants to learn the hard way is not to reuse the same password more than once. At Binary Defense we have security experts closely watching the Darknet and online black markets for any indication our customers' login credentials have been compromised.
Criminals calling your phone may try to entice you to upgrade a service you currently have, or one you would like to have. You will be offered amazing deals, a free giveaway or super rewards as an incentive to sign up with a credit card over the phone. All the attacker really wants is your credit card information, and they will make up any kind of story to get it. If you fall victim to the scam and reveal your credit card information, you have been successfully vished.
Cybercriminals will happily sell the credit card information they acquire from you or use the card themselves. An attacker may even say they work at your credit card company and not ask for your credit card numbers at all, but instead attempt to get personally identifiable information (PII) from you. This information could be your home address, phone number, social security number, and other information that is specific to you. If cyber crooks successfully get your PII, they will use it for fraudulent activities which could dramatically affect you.
There are many ways to carry out vishing attacks, and the ones we described are commonly seen. Anytime you receive a phone call from someone who does not identify themselves to your satisfaction or who seems to ask a lot of questions, hang up the phone. Contact the company the caller claimed to represent directly yourself, using a web search to get the phone number or retrieving a known number you are sure is the correct one. Call the company and ask about the circumstances of the suspicious call you just received. Don't call back the same number that called you, because you will only end up talking to the fraudster again.
If ever in doubt, don't give up any of your information before completely verifying the circumstances and the caller. Stay protected and communicate through regular, expected channels. And never trust unexpected phone calls from unknown people.