How can vishing attacks be prevented?

Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them.

Can you please explain what vishing is? What are the best ways to defend against vishing attacks?

Vishing is a form of voice over Internet Protocol (VoIP) phishing attack in which a caller uses social engineering via a phone call or SMS message to convince a victim to provide credit card information. Due to the recent high-profile credit card breaches that have affected large parts of the U.S., vishing attacks are only going to become more common, with attackers using the breaches as the reason why the victim should dole out sensitive information.

While phone-based social engineering and fraud go back to the invention of the telephone, credit card fraud via phone dates back to at least 1985, if not earlier. Newer phone phishing attacks use SMS messages and interactive voice response systems, but are still just compromising individuals on a one-by-one basis. While these new attacks do increase the rate of compromise for individuals, they pale in comparison to malware attacks against Home Depot and other retailers. However, individual vishing attacks might be easier for less technologically sophisticated criminals to perform.

The first step -- but not the only step -- to defending against vishing is to help people understand that they need to verify that anyone requesting sensitive information is in fact legitimate. If someone believes they are being targeted by a vishing attack, he or she should ask to call back the original caller (or call center) using the phone number from a credit card statement or on the back of their card. If an individual receives a call via Skype, VoIP or text, he or she should immediately call the financial institution in question at a legitimate phone number to report the call and verify that no suspicious activity occurred on their accounts. People should never call back the number the questionable caller provided, as this phone number may not be legitimate. Cardholders who believe they are being vished may also ask the caller to verify data that only the credit card company would know, such as the last transaction or the balance on the account.

As with all phishing attacks, user awareness is the most important prevention tactic available. If employees are aware of what vishing attacks are, how they work and how to spot such attacks, they will be the best defense against them.

