Social engineering: Vishing a real danger for companies

We are now well aware that we are dealing with a flood of more or less well-crafted phishing emails every day, and many companies regularly train their employees to recognize these attacks and respond appropriately. Email is by far the most dangerous attack vector we deal with in the world of cyber crime. Spear phishing mails in particular, i.e. mails specifically tailored to and aimed at the recipient, pose a major threat.

The things the attacker knows...

But isn't it sometimes amazing how well these mails are made and how much attackers already know about their target company? Where do they get this information from? Via OSINT (information gathering through open sources)? Certainly. Bought on the darknet? Maybe, too. There are various ways for criminals to get hold of information. But what about simply asking for the information you want? That sounds frighteningly simple, and it usually is.

Attacks by telephone are unfortunately still a much underestimated attack vector. With so-called VISHING, which stands for voice phishing, attackers try to trick their victims into making a statement or taking an action that is solely in the attackers' interest.

Vishing, like e-mail phishing, is a social engineering method with which attackers use targeted social stimuli to manipulate their victims into unwittingly taking unauthorized action.

The parameters of successful manipulation by VISHING

The social engineer who uses VISHING has many more ways to manipulate the victim than an e-mail offers. These go far beyond the skillful use of voice, intonation and choice of words. For example, he can play background noises during the phone call to create a certain image in his victim's mind, one that seems to legitimize his request or the reason for the call. Possible background noises would be an open-plan office, a call center, a train station or airport, children playing and crying, and so on.

Attackers have yet another way to present realistic scenarios. With so-called caller ID spoofing, i.e. faking the phone number displayed to the person called, it is possible to impersonate, for example, the police or fire department, a customer or business partner, IT support or a colleague from the victim's own company.

The targets of a VISHING attack 

Attackers might want to trick their victim into, for example:

  • Giving out access data for a web application.
  • Telling which firewall or which antivirus software is currently in use in the company. The version numbers and update status are particularly interesting here.
  • Giving out the names and contact details of IT management, customers and partners.
  • Sending sensitive documents by mail.
  • Spreading misinformation within their own company.

Why is so little reported about VISHING?

VISHING is technically not measurable. Unlike an email, which can be identified as the entry point for malware in a forensic investigation after an IT security incident, this is not possible with a VISHING attack. Another problem is that the people called often do not even realize that they have unwittingly become the victim of a social engineering attack.

Protecting against VISHING attacks

There is good news, though: there are plenty of ways to protect yourself and your business from VISHING attacks.

  1. Technically, stop phone number spoofing where possible.
  2. Train employees in how to deal with the telephone as an attack vector (live training).
  3. Conduct online training to raise awareness and deepen the topic.
  4. Issue recommendations for action to employees.
  5. Announce reporting channels for suspected VISHING attacks.

How likely do you think it is that you or your employees could be manipulated over the telephone?
