Monday, April 10, 2017

What is Vishing ?



Vishing is the practice of using social engineering over telephone system with the purpose of stealing sensitive financial information or other sensitive personal data from a victim. Vishing is one of the most serious threats today and is widely perpetrated by criminals.


The word “vishing” is a combination of two words “voice” and “phishing”. In this technique, attackers use telephone system to do phishing and hence the name.

Vishing is typically used by criminals to steal sensitive banking information like account number, PIN, password, OTP and credit card numbers or to steal other personal details of users that the attackers can exploit to perpetrate identity theft.

Attackers often use VoIP and automated system like IVR to perpetrate vishing. They may even use techniques like War Dialing and Caller ID Spoofing to serve their purpose.



What is War Dialing ?


Attackers often use war dialing to harvest phone numbers of potential victims. It is a technique to automatically scan a list of telephone numbers in a particular region. Attackers often use a dedicated software to dial all numbers in a local area one by one. As soon as they get a response from any number, they simply note it down, so that they can later use it for vishing.



What is Caller ID Spoofing ?


Attackers often use Caller ID Spoofing to deceive a victim in vishing. They mask the actual caller telephone number and a different deceiving number appears in the receiver of the victim.

Attackers can use a variety of methods and different technologies for that purpose. In the past, Caller ID Spoofing would require an advanced knowledge, but nowadays attackers often use VoIP or PRI lines to do that easily. For example, some VoIP providers give a user the option to configure the displayed number. This has lots of legitimate uses also. For example, a doctor may want to answer a patient from his home, but may not want to reveal his home phone number at the same time. But, attackers often use this technique to hide their identity and impersonate others.


How does Vishing work ?




Attackers may perpetrate vishing as mentioned below.

  • Criminals first harvest phone numbers of potential victims. They may use several techniques for that purpose. They may steal phone numbers from an institution or they may use war dialing to find out valid phone numbers.
  • The criminals then start making calls to potential victims. They usually use Caller ID Spoofing to deceive the victims and hide their identity.
  • In a vishing call, the attackers may trick a user in revealing sensitive financial details. They may say the call is from a bank and there is a problem with the user’s bank account or credit/debit card and the user needs to give his financial details to the caller in order to address the problem. The attackers may also use automated instructions to ask the victim to type in his credit card number, account number or PIN on the keypad. And, in some cases, the attackers ask the victim for his personal details that the attackers can later use to impersonate the victim for fraudulent purposes.


A real life example of Vishing


A widely perpetrated vishing scam is Microsoft tech support scam. In this scam, the attackers typically call a victim posing as a member of Microsoft technical support and inform the victim that his computer is infected with malware which is generating all sort of errors. The attackers can then ask for remote access of the victim’s computer or ask the victim to download some software or fake anti-malware programs to solve the victim’s problem. Some attackers may even deceive a victim to reveal his bank account information to make a payment. In other words, the goal of this vishing scam is to infect the victim’s computer with malware or to steal sensitive financial details from the victims.



How to prevent Vishing ?


Vishing is very difficult for legal authorities to monitor or trace. But, we can always take a couple of steps to protect ourselves up to a significant extent.

  • Never ever provide your financial details over phone. A bank will never ask for your account number, credit card number, password or PIN over phone.
  • If someone is asking for any OTP or One Time Password over phone, be sure it is a scam. OTPs are meant for users only and no legitimate authority will ever ask for any OTP from any user.
  • Do not reveal any personal details or personally identifiable information over phone. If you have any doubts, you can politely inform the caller that you are going to call back and then call the authentic number of the website/provider/institution to verify about the call. It is always better to be safe than sorry.
  • If you get a call informing any of your web account is having some problem, please do not reveal any information immediately. You can always login to your account visiting the legitimate website and verify whether there is any such notification or you can call the legitimate customer care numbers and clarify.
  • Get your number registered on the National Do Not Call Registry to block automated calls. It may not stop vishing, but you would get far fewer automated calls than you are used to.
  • Do not trust the caller ID of a phone call. As said above, attackers can very easily spoof that.
  • If you think you have fallen victim of vishing and your financial information are compromised, immediately call the bank and report the incident. Verify whether there is any unauthorized transaction. Also, immediately change your IPIN, password, ATM PIN or other credentials that may have been compromised.
  • It is always good to report vishing incidents to appropriate legal authority. It often helps a lot in catching the actual criminals.

So, to summarize, never ever reveal any financial information or any personally identifiable information over phone. It is always good to verify the authenticity of a call before responding. Be informed about various security threats and stay safe and stay secure.




Read More

How to prevent Phishing ?

What is Smishing ?

Infographic : How to prevent malware ?

What is Social Engineering ?

How to safeguard oneself from Evil Twin ?

What is Pharming ?


No comments:

Post a Comment