
Vishing: Theft of Information via Phone Call

by Chris White, Software Engineer

Vishing is a powerful and deceptive method attackers use to steal account credentials and sensitive information.

What is vishing?

Vishing (voice phishing) is phishing carried out over the phone. The attacker calls, impersonating a trusted individual or institution, and manipulates the victim into disclosing passwords, banking details, one-time passcodes, or other sensitive information. Like phishing, it relies on psychological manipulation, urgency, and misplaced trust rather than on any technical flaw in the victim's systems.

How it works

  1. The victim receives a phone call from someone who appears to be a legitimate employee of a trusted entity, such as a bank, a vendor, or the victim's own organization.
  2. The caller claims there’s an urgent issue that needs immediate action.
  3. They ask the victim to provide sensitive information to "resolve the issue."
  4. The attacker then uses that information to steal account credentials and other valuable assets.

Example: A scammer calls an employee, posing as the company’s IT support team. They claim there is a critical issue with the employee’s workstation and request their login credentials to resolve it immediately. The attacker pressures the employee by stating that failure to act could result in system downtime.

Example: A scammer contacts an employee pretending to be a vendor the company frequently works with. They claim there is an issue with an unpaid invoice and ask the employee to verify their company credentials to confirm the account. The attacker uses urgency to pressure the employee into compliance.

Protecting your organization

Be skeptical of unsolicited calls: someone calling unexpectedly is a red flag. Take your time to verify the caller before taking action.

Verify the caller's identity: never provide sensitive information over the phone to an unsolicited caller. Caller ID can be spoofed, so it is not proof of anything. If something seems off, hang up and call back using a number you obtain independently (the organization's official website, your contract, or your internal directory), never a number the caller gives you.

Be skeptical of urgent requests: vishing attacks often create a sense of urgency, such as threats of account closure or legal action. Don't let fear drive your decisions; take the time to verify the situation.

Multi-factor authentication: enforce MFA on every account. If the only options are SMS codes or an authenticator app, choose the app: SMS codes can be intercepted through a SIM swap. Where the provider supports it, prefer phishing-resistant MFA such as FIDO2 security keys or passkeys, because there is no code for a caller to talk a victim into reading aloud.

Refuse to share one-time passcodes (OTP): scammers may try to trick you into reading out a code that was just sent to or displayed for you. These codes exist to protect your account; no legitimate bank, vendor, or IT support staff will ask for one over the phone, so never share them with a caller.
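To make the MFA and OTP advice concrete, here is an added Python example (not code from the article or from Five9 Cyber) that implements RFC 6238 TOTP verification with the usual one-step tolerance window and simulates the relay a visher performs: the victim reads the six-digit code from their authenticator app aloud, and the attacker, already sitting at the real login page, types it in a few seconds later. The secret is the RFC 6238 reference test key, the timestamps are constructed for the demonstration, and the `simulate_vishing_relay` helper and the window size are assumptions of this example rather than a description of any particular provider.

```python
"""Added example: why a TOTP code read aloud to a caller is enough for
account takeover. Not part of the original article; all inputs constructed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit codes, as shown by most authenticator apps

# Constructed demo secret: the RFC 6238 reference test key, never a real one.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // STEP_SECONDS))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on either
    side to tolerate clock drift; that tolerance is what gives a visher their time.
    The server cannot tell who typed the code, only that it matches."""
    current = int(now // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, step), code)
        for step in range(current - window, current + window + 1)
    )


def simulate_vishing_relay(secret: bytes, call_time: float, relay_delay: float) -> bool:
    """Hypothetical relay scenario (an assumption of this example, not a real
    provider's flow): the victim reads the code from their app at `call_time`;
    the attacker submits it to the genuine login page `relay_delay` seconds later.
    Returns True if the server accepts the relayed code."""
    code_read_aloud = totp(secret, call_time)
    return verify_totp(secret, code_read_aloud, call_time + relay_delay)


if __name__ == "__main__":
    t = 1234567890  # constructed Unix timestamp
    print("code shown in the victim's app:", totp(DEMO_SECRET, t))
    for delay in (5, 45, 100):
        accepted = simulate_vishing_relay(DEMO_SECRET, t, delay)
        print(f"attacker submits after {delay:3d}s -> {'accepted' if accepted else 'rejected'}")
```

The simulation shows the gap between the two recommendations above. An authenticator app defeats a SIM swap because the attacker never receives the code, but it does nothing against a live call: the server accepts a valid code from whoever submits it during the window, and a 30-second step plus one step of drift tolerance is far longer than it takes to read six digits over the phone. Only refusing to read the code out, or using MFA that has no code to read (FIDO2 keys or passkeys), breaks this relay.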

Vishing is a sophisticated form of social engineering that can lead to credential theft and employee account takeover. Avoid falling victim by arming your organization with the knowledge and tools required to recognize vishing. Employee training and awareness significantly reduce the risk of successful attacks, turning employees from potential vulnerabilities into a robust line of defense.

Are you worried about vishing?

We can help bolster your team's security posture with simulated phishing exercises and smart training.
