As we have previously discussed, a vishing attack is usually one of the most successful types of social engineering, both in the wild and during engagements. Because a vishing attack is conducted over the phone, many employees fall victim to even simple variations: they are not as familiar with the red flags of a suspicious call as they are with those of a phishing email. Today, we will discuss a few tips and tricks to help educate your employees on how to spot a vishing attack and how to avoid falling victim.
- Something smells phishy – Encourage employees to look for the signs of a possible vishing attack with the following tips:
  - Always be suspicious of an unexpected call asking you to do something such as click a link, open an email attachment, divulge sensitive information, etc. If your IT team is truly rolling out a new piece of software or needs some information from you, it should be communicated in a coordinated fashion or verified by someone you know or trust (preferably in person).
  - Beware of “name drops.” It takes an attacker all of 30 seconds to see who the manager of your IT team is via LinkedIn. Just because a caller drops the name of John Smith, the Director of IT, does not mean that they should be trusted.
  - Consider personal/social cues. This may not always be a reliable indicator, but if someone sounds nervous, unnecessarily pushy, or has an unusual sense of urgency, it should be a red flag for you to look more closely at what you’re being asked to do.
  - Identify any odd requests for information or suggested actions that you wouldn’t normally perform, like clicking a link, opening a file, disabling security controls, or entering your credentials – any of these could be an attempted attack, and employees should immediately report these kinds of requests to the proper team within your organization.
- Do not trust the phone number – Phone numbers can easily be spoofed using services such as SpoofCard and should not be used as a method of checking the validity of a caller. A reasonable alternative would be to call someone claiming to be an internal employee back using a corporate directory to help validate their identity.
- Remember that websites can easily be cloned to look almost identical to a legitimate site within just a few minutes. Educate employees on how to spot imposter sites and where they should report these incidents. Validating HTTPS certificates, checking domain names, and not entering their credentials in new websites are good places to start with training.
- Ask questions – Empower and encourage your employees to ask questions if someone calls them up out of the blue. They should feel comfortable reporting strange occurrences to someone internally and should be equipped with methods to validate a caller’s identity, using either an internal corporate directory to initiate a callback or some kind of identifying question that they can validate (e.g. what is your employee number?).
- Be vigilant – Always encourage your employees to be vigilant and to play it safe. They should never feel pressured or embarrassed to question anyone on the phone and need to be empowered to do so. Every employee has the right to say “I do not feel comfortable completing that task. If you would like to swing by my desk, I would be happy to assist.”
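The “check the domain name” advice above is easier to teach (and to automate in a help-desk triage tool) when the common imposter-site tricks are spelled out: the corporate brand buried in a subdomain of an attacker-controlled domain, digit or letter-pair substitutions such as `1` for `l` or `rn` for `m`, punycode labels that hide homoglyphs, and plain `http://`. The following Python script is an added example written for this post, not code from the original article or from any product; it assumes a hypothetical corporate domain `example-corp.com` and uses constructed sample URLs.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed corporate domain(s) for this example; replace with your own.
LEGIT_DOMAINS = {"example-corp.com"}

# Character substitutions commonly used in typosquatted names.
# Order matters: multi-character pairs are collapsed first.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                 ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(text):
    """Fold a host name into a canonical form so lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()
    for src, dst in SUBSTITUTIONS:
        text = text.replace(src, dst)
    return text


def registrable_domain(host):
    """Last two labels of the host. Simplification: production code should
    consult the Public Suffix List (co.uk etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, legit_domains=LEGIT_DOMAINS):
    """Return a verdict ('legitimate', 'lookalike', 'unrelated', 'invalid')
    plus the reasons, for a URL someone asks an employee to visit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return {"verdict": "invalid", "host": host, "reasons": ["URL has no host"]}
    warnings = [] if parts.scheme == "https" else ["not served over https"]
    reg = registrable_domain(host)
    if reg in legit_domains:
        # A genuine subdomain such as login.example-corp.com lands here.
        return {"verdict": "legitimate", "host": host, "reasons": warnings}
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    for legit in sorted(legit_domains):
        brand = legit.split(".")[0]
        if brand in host:
            reasons.append(f"brand '{brand}' appears inside a non-corporate host")
        distance = levenshtein(normalize_label(reg), normalize_label(legit))
        if distance <= 2:
            reasons.append(f"registrable domain '{reg}' is within {distance} edit(s) of '{legit}'")
    verdict = "lookalike" if reasons else "unrelated"
    return {"verdict": verdict, "host": host, "reasons": reasons + warnings}


if __name__ == "__main__":
    # Constructed sample URLs, the kind a caller might read out over the phone.
    samples = [
        "https://login.example-corp.com/sso",
        "https://example-corp.com.evil-login.net/",
        "http://examp1e-corp.com/login",
        "https://exarnple-corp.com/",
        "https://xn--exmple-corp-abc.com/",
        "https://github.com/",
    ]
    for url in samples:
        r = classify_url(url)
        print(f"{r['verdict']:<11} {r['host']:<36} {'; '.join(r['reasons'])}")
```

The script checks only the name and scheme; it deliberately does not fetch the page or inspect the TLS certificate, so pair it with the certificate check the post recommends (a valid certificate for a lookalike domain is still a lookalike). The edit-distance threshold of 2 and the substitution table are tuning choices, not a standard; extend them with the misspellings of your own brand that you see in practice.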
Unfortunately, you can have all of the right security controls in place to prevent an external attack but a single phone call to an unsuspecting employee can potentially allow an attacker into your network, bypassing everything. Regularly training your employees via security awareness training and empowering them to question suspicious activity and report it will help improve the odds that your employees can spot a vishing attack and will not fall victim. If you would like to discuss the benefits of a social engineering assessment or third-party security awareness training, reach out to us today!