How To Protect Your Business From Vishing Attacks
In 2023, UK businesses lost an average of £4,960 per cyber attack; despite this, businesses report that cyber security is becoming less of a priority for them.
Vishing, also referred to as voice phishing, voice impersonation scams or simply phone scams, is nevertheless becoming more frequent and more costly to businesses around the world, as are other types of social engineering scam.
Although ransomware and email phishing attacks occur more often, understanding vishing attacks and knowing how to spot them is still a valuable skill that can protect your business.
What Are Vishing Attacks?
Vishing attacks are a form of social engineering scam that uses phone calls, sometimes backed up with fraudulent emails or websites, to manipulate victims into divulging sensitive information or making payments.
Threat actors will sometimes use information gained from social media profiles or from previous data breaches to appear knowledgeable and credible to the victim. They will usually pose as a well-known brand, bank or government entity such as British Gas, NatWest or HMRC, often already knowing which bank the victim uses or which supplier they are a customer of. These criminals can also spoof caller ID so that the call appears to come from a legitimate number; a familiar number on the caller display is therefore no proof that the caller is who they claim to be.
Businesses are attractive targets for phone scams because company accounts can hold large sums of money at any one time.
Different Vishing and Voice Impersonation Scams
There are several types of vishing scam, all of which can harm people and businesses.
Claiming to be from the bank
Bank scams usually involve a scammer impersonating the company's bank and asking for company funds to be transferred into a different "safe" account, or asking the victim to confirm the sort codes and account numbers of business accounts. A genuine bank will never ask you to move money to another account in order to keep it safe.
Offering compensation
Compensation scammers call claiming the victim is entitled to a refund or settlement, and then try to take payment, either as a "deposit" or as a fee to "release" funds the victim will never receive.
Impersonating authorities
Vishing scammers may also impersonate government bodies such as HMRC, the Department for Business & Trade or the Department for Work & Pensions, and insist that fines or overdue payments must be settled immediately.
Suppliers demanding payments
Employees can also fall victim to threat actors posing as one of the business's suppliers: energy, broadband, recruitment, the list goes on. Worried that a payment has been missed, victims pay the "overdue" bill immediately, without checking whether the claim is true or whether the bank details they have been given match those already on file for that supplier.
IT services offering help
Another kind of vishing attack is when a scammer calls an employee masquerading as a colleague from IT or as an external IT support provider and offers to guide the victim through "fixing" an issue. Whether they direct the victim to a fake website or send them an email, the aim is to get the victim to install software that gives the attacker control of the device, or malware such as ransomware, or to hand over their login credentials.
How To Spot A Vishing Attack At Work
Although vishing scams can be very convincing, there are a few red flags that, once you know them, make it easier to spot a call with malicious intent.
Sense of urgency – callers try to make victims panic, often threatening consequences for late payment or insisting a deadline has been missed, so that the victim acts before stopping to think or check.
They called you – an unsolicited call is itself a red flag. Banks, suppliers and government bodies rarely cold-call customers, precisely because of phone scams, and a genuine bank will never ask you to move money or read out full security details on a call you were not expecting. Unless it is a pre-arranged call that has been deliberately set up, you are unlikely to be expecting one.
Asking for your details – if a caller wants you to confirm or supply information, it is because they do not have it. A genuine bank or supplier already holds your account details, so a request to "confirm" them should ring alarm bells.
Telling you not to tell anyone – being told not to check with the company's finance or IT department, or to keep the call confidential, is a massive red flag; a legitimate caller has no reason to stop you verifying them.
Offering help for free – it is rare to get much for free, especially in business. A call from an "IT provider" who says they already know something is wrong with a device and directs you to download free software to fix it is suspicious.
How To Deal With A Workplace Vishing Call
There are steps businesses can take to reduce the likelihood of receiving vishing calls, as well as to reduce the risk when they are answered.
- Instruct your phone service provider to set up anonymous call blocking and caller display.
- Let calls go to voicemail if you do not recognise the number.
- Hang up immediately if the call is suspicious; do not worry about hurting the caller's feelings.
- If you are unsure whether it is a vishing call, ask the caller for their details so you can call them back; they are unlikely to give you any. If they do, do not use the number they give you. Call back on a number taken from a legitimate source such as a bank statement, the organisation's official website or an existing contract, ideally from a different phone or after waiting a few minutes, since on some lines a scammer can stay connected after you hang up.
- Never transfer funds or change a supplier's bank details on the strength of a phone call alone; have the request verified through a separate, already-known channel before acting on it.
- Report the attempt to your phone service provider so they can block the number.
- Train employees on how to spot vishing calls and what to do when they receive one.
Becoming a victim of a vishing scam can have severe reputational, financial and emotional consequences. It is paramount to understand the risks and implement preventative measures as part of a robust cyber security strategy. Contact our team of experts at Fuse to get started.