Vishing – CompTIA Security+ SY0-401: 3.2

Why would the bad guys hack into your computer when they could just give you a call? In this video, you’ll learn about vishing (voice phishing), and how the bad guys can even fool you into calling them yourself.

<< Previous Video: PhishingNext: Christmas Tree Attack >>

The bad guys will do anything to extract our personal information from us. They’ll get it from us on web pages. They’ll try to use email. And now, of course, they’re trying to use the telephone.

And this process of using the phone or your voice to try to gather personal information is called vishing. Taken after that email term of phishing, but the V in vishing is for voice. This provides a direct connection to you. You can hear a voice on the other end of the phone. It’s a real person, and they’re telling you all about the problems that have occurred on your computer.

They may say they’re calling from Microsoft and they need to remote access into your computer to see if they can solve problems that they happen to be seeing on their side. But of course, this person is not for Microsoft, but they’ve used the telephone as that initial conduit to you, and now they’ll manipulate you to be able to get to your personal information.

Having this voice connection adds a level of trust. When you receive an email or you look at something on a web page there’s no personal connection. But the bad guys know if they can communicate to you with a voice connection that the trust level will certainly go up. And so many more people have a phone than have email or have a web page that they would browse to. There is so much potential for the bad guys to connect to you over a telephone than any other method.

In an interesting turn, the bad guys are having you call them. They may send you an email that says that your very important financial account is locked, or they got your message about the utilities that will be disconnected tomorrow and you can call this number to confirm, or your cable television or your internet connection may be moving today and you need to call if there are any problems with that. So they may leave a phone number for you on that page or in that email, and that may prompt you to call them thinking that you’re calling your financial company, you’re calling your cable company. But in reality, you’re really calling the bad guys.

You could also be fooled by very professional front end. The bad guys may create an IVR, an Interactive Voice Response unit. One of those that when you call says, welcome to First National Bank. Press 1 for a teller. Press 2 for a vice president. Press 3 to contact support.

Those types of interactive voice responses make things sound very professional. And they’re very, very simple to set up. So why wouldn’t the bad guys put that at the very first thing you get to, which, again, adds to your level of trust about who you’ve contacted.

If the bad guys are going to call you, they’re going to also change the caller ID information that pops up on your phone. If the phone rings with an unusual number, but the name says Microsoft then you may be a little more trustworthy of somebody who’s on the other end of the phone that says they are indeed from Microsoft, and they need to remotely connect to your computer. It’s a very trivial thing to be able to manipulate that caller ID information, and the bad guys absolutely take advantage of that.

Of course, why would we want to call someone on the phone or send an email when we can simply send a text message? We’ve become so comfortable at receiving text messages, not only from people we know, but from the organizations that we do business with that it might look absolutely legitimate to receive a text message saying that you are a financial company and you need to reply with certain account information.

So you need to be careful about SMiShing, which is the SMS version of phishing so that you can avoid having your personal information get into the hands of the bad guys.