What is Vishing?
The latest social engineering scam explained and what you can do about it
This article was originally published by LOGON’s partner FastPassCorp.
What is Vishing?
Vishing, or a vishing attack, is phone-based social engineering. A criminal impersonates someone else, typically the legitimate user or customer, to obtain personal information, bank account and other financial details, credit card data and any other sensitive information, leading to identity theft or a data breach. As part of security awareness, the different types of vishing are described below.
A single phone call is enough. The attacker builds an emotionally charged story so that the person on the other end reacts to the situation instead of checking the facts.
The criminal prepares the pretext before the call so that he or she sounds like the person being impersonated, and then plays on the supporter’s feelings (urgency is the most common) to make them act without verifying.
Three types of vishing and where they happen:
Consumer vishing through commercial channels: the attacker pretends to be a customer and, over the phone, tricks a customer support representative into giving away personal details such as a bank account number, social security number, credit card number or other financial data. The attacker usually puts urgency in their voice, which pushes the support agent to hand over sensitive information.
Corporate vishing scams: employees are tricked into giving away company assets such as a password for their accounts, or into carrying out transactions in the criminal’s interest, such as transferring money. This targets some ordinary employees but mostly top management (CEO scams).
Service desk vishing: the attacker impersonates an important corporate user and calls a privileged user at the service desk to obtain a password for the target person, who is the real victim.
Are VISHING and PHISHING the same?
Vishing and Phishing are two different attack vectors in the social-engineering arsenal.
Alongside verification at the service desk, FastPass V4 self-service handles the bulk of password resets:
Enrollment: most users are prompted to enroll when logging in to Windows, and the prompt cannot be avoided. Users without a domain PC are invited by email, and the invitation repeats until they enroll, so enrollment approaches 100 percent. Note that a user who has not enrolled cannot be verified by the service desk in the usual way and ends up relying on a manager or a trusted colleague (see Manager Approval below).
The FastPass V4 portal can reset passwords for any corporate application; the user simply selects which type of password they wish to reset.
Enterprises may use many different types of tokens: smart cards, Microsoft Authenticator, Duo, mobile phones, RSA devices and so on. FastPass V4 supports all of these and many more, and the user can freely select whichever one they happen to have with them that day.
Based on years of experience, we have recommendations that improve the chance that users can answer their security questions while keeping the questions secure. One element is user-defined questions: each user can create one or two personal questions.
A new element in FastPass V4 is Manager Approval, or approval by a trusted colleague. If either is available and can confirm that the user really is asking for a new password, they can approve the request, even when every other check has failed and even if the user has not enrolled.
In the original article’s illustration, only 7.1 percent of password-reset calls reach the service desk; the remaining 92.9 percent are handled by self-service. Once the service desk has verified that the caller is the real user, that user is asked to reset the password themselves in FastPass, which ensures they are enrolled correctly and that the new password follows the company password policy.
Even users on remote PCs get their local PC password reset automatically as part of the self-service process.
Phishing is like old-fashioned artillery: cover a large area with shells (mass emails or calls) and hope to hit someone who responds to the call to action, for example by giving away account numbers and passwords.
Vishing is like a modern elite unit: pick one high-value target, plan in detail, and execute without hesitation. Vishing is voice phishing.
Prevent Vishing Attacks through Identity Verification
Attackers’ tools now include voice changers to imitate a target’s voice on the phone, as well as telephone number spoofing and SMS copying. These techniques are far less likely to succeed, however, if service desk staff follow a strict workflow with several independent verification steps: a familiar number on the display or a familiar-sounding voice is not evidence of identity.
The FastPass Identity Verification solution controls the entire verification process: it collects much of the data automatically and tells the service desk supporter which questions to ask. Based on rules defined for the different user groups, IVM decides when verification is complete, so the outcome no longer depends on whether the supporter can resist the caller’s emotional pressure.
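The following is an added example, not FastPassCorp’s IVM code, that models the idea in the two passages above (and the enrollment, token and Manager Approval elements described earlier): the workflow, not the supporter’s impression of the caller, decides when a caller is verified. Each check has a fixed weight, each user group has its own threshold, spoofable signals (caller ID, a recognised voice) weigh nothing, and a negative out-of-band result ends the call. All check names, weights, groups, users and scenarios are assumptions constructed for the illustration.

```python
"""Hypothetical service-desk caller-verification workflow (added example,
not FastPassCorp IVM code).  Weights, groups and scenarios are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Check(Enum):
    CALLER_ID_MATCHES = "caller_id"          # number shown matches the record
    VOICE_RECOGNISED = "voice"               # supporter "knows" the voice
    PERSONAL_QUESTION = "personal_question"  # user-defined question answered
    OTP_REGISTERED_PHONE = "otp_phone"       # code sent to the phone on record
    CALLBACK_REGISTERED_NUMBER = "callback"  # hang up, call the number on record
    HW_TOKEN = "hw_token"                    # code from an enrolled token/app
    MANAGER_APPROVAL = "manager_approval"    # manager confirms via own channel


# Spoofable signals (number spoofing, voice changers) get weight 0: they may
# be noted on the ticket but can never move the score.
WEIGHTS = {
    Check.CALLER_ID_MATCHES: 0, Check.VOICE_RECOGNISED: 0,
    Check.PERSONAL_QUESTION: 1,
    Check.OTP_REGISTERED_PHONE: 2, Check.CALLBACK_REGISTERED_NUMBER: 2,
    Check.HW_TOKEN: 3, Check.MANAGER_APPROVAL: 3,
}
# Results that arrive through a channel the caller does not control.
OUT_OF_BAND = {Check.OTP_REGISTERED_PHONE, Check.CALLBACK_REGISTERED_NUMBER,
               Check.HW_TOKEN, Check.MANAGER_APPROVAL}


@dataclass(frozen=True)
class GroupPolicy:
    required_score: int        # total weight of passed checks needed
    min_out_of_band: int       # at least this many must be out-of-band
    max_failed_questions: int  # wrong knowledge answers tolerated


POLICIES = {                   # assumed groups: bigger target, more evidence
    "standard": GroupPolicy(3, 1, 2),
    "privileged": GroupPolicy(5, 2, 1),
    "executive": GroupPolicy(6, 2, 0),
}


@dataclass
class Session:
    user: str
    group: str
    available: Set[Check]                  # checks this user can actually do
    passed: Set[Check] = field(default_factory=set)
    failed: List[Check] = field(default_factory=list)

    def record(self, check: Check, ok: bool) -> str:
        if ok:
            self.passed.add(check)
        else:
            self.failed.append(check)
        return self.status()

    def skip(self, check: Check) -> None:
        """Caller says they cannot do this check now (e.g. token not at hand)."""
        self.available.discard(check)

    def score(self) -> int:
        return sum(WEIGHTS[c] for c in self.passed)

    def next_check(self) -> Optional[Check]:
        """What the supporter should ask for next: the strongest untried check
        the user has.  A wrong personal question may be retried; zero-weight
        signals are never requested.  Ties go to the earlier-declared check."""
        tried = self.passed | {c for c in self.failed if c != Check.PERSONAL_QUESTION}
        todo = [c for c in self.available if WEIGHTS[c] > 0 and c not in tried]
        order = list(Check)
        return max(todo, key=lambda c: (WEIGHTS[c], -order.index(c)), default=None)

    def status(self) -> str:
        p = POLICIES[self.group]
        if any(c in OUT_OF_BAND for c in self.failed):
            return "ESCALATE"          # e.g. manager says the user never called
        if self.failed.count(Check.PERSONAL_QUESTION) > p.max_failed_questions:
            return "ESCALATE"
        if self.score() >= p.required_score and len(self.passed & OUT_OF_BAND) >= p.min_out_of_band:
            return "VERIFIED"
        return "CONTINUE" if self.next_check() else "ESCALATE"


def ceo_impersonation() -> Session:
    """Constructed scenario: spoofed caller ID plus a voice changer, claiming
    to be the CEO and needing a password 'right now'."""
    s = Session("ceo", "executive", available=set(Check))
    s.record(Check.CALLER_ID_MATCHES, True)   # spoofed: weight 0, still CONTINUE
    s.record(Check.VOICE_RECOGNISED, True)    # voice changer: weight 0
    s.skip(Check.HW_TOKEN)                    # next_check() asked for the token
    s.record(Check.MANAGER_APPROVAL, False)   # approver reached separately: no request
    return s                                  # status() == "ESCALATE", score() == 0


def unenrolled_admin() -> Session:
    """Constructed scenario: a legitimate privileged user who never enrolled,
    so no questions or token exist and only out-of-band checks remain."""
    s = Session("admin.bob", "privileged",
                available={Check.CALLBACK_REGISTERED_NUMBER, Check.MANAGER_APPROVAL})
    s.record(s.next_check(), True)   # manager approval (3): still short of 5
    s.record(s.next_check(), True)   # callback to the number on record (2)
    return s                         # status() == "VERIFIED", score() == 5


def forgetful_user() -> Session:
    """Constructed scenario: a standard user who gets one personal question
    wrong; the policy tolerates it and the OTP plus a correct answer suffice."""
    s = Session("jdoe", "standard",
                available={Check.PERSONAL_QUESTION, Check.OTP_REGISTERED_PHONE})
    s.record(s.next_check(), True)   # OTP to phone on record (2)
    s.record(s.next_check(), False)  # first personal question wrong
    s.record(s.next_check(), True)   # retry answered correctly (1)
    return s                         # status() == "VERIFIED", score() == 3
```

The design point is in `WEIGHTS` and `status()`: the two signals a vishing caller controls cannot raise the score, a refused or denied out-of-band check is treated as a fraud indicator rather than as "try something else", and the supporter is only ever told what to ask next, never whether they personally believe the caller.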