Vishing attacks now five years old says Symantec

According to Paul Wood of Symantec's cloud security operation, the use of voice telephony as a means of engineering a security/fraud attack - known as a vishing attack - shows no sign of abating.

A vish, he says, takes place over the telephone, using call spoofing, and tricks a user into disclosing personal information such as credit card numbers or a three digit security code on the back of the card.

"When Symantec first started to observe the trend, vishing was largely a case of a cybercriminal contacting an end user, posing as a bank, running through a series of security questions - your mum's maiden name, or the name of your first pet - before procuring highly sensitive information that, in tandem with social engineering, could be utilised to compromise an online bank account and steal thousands of pounds", he says in a security posting.

"Since then the trend has become even more sophisticated. Better education from the banking sector has meant consumers are more cautious when it comes to their bank", he adds.

Wood goes on to say that scammers have responded by taking a new tack, specifically contacting victims and pretending to be operators at a support centre for large software vendors.

The fraudster, he explains, tells the target that they are in urgent need of some software or an update, charge them a sum of money and downloads malicious application onto their computer.

Five years on from the first vish, and Wood reports there is tremendous potential for vishing to continue to develop.

"With more people connected to the internet than ever, and a growing uptake in VOIP (voice over IP) [telephony] services by consumers in particular, the opportunity for cybercriminals to prey on inexperienced users is significant", he says.

And, despite much education and publicity around phishing, the Symantec threat analyst says these types of attacks are still very much a multi-billion dollar business.

Vishing, says Wood, is arguably even more tempting for a user, as it preys on people's inherent trust in a voice on the other end of the phone.

"For end users, the best way to guard against falling victim to a vishing attack is similar to any kind of cybercrime. Stay alert, and question the credentials of anyone that, not only requests sensitive information, but also requests access to your personal or business device", he says.

"No trustworthy authentic organisation should approach you in such a personal way, and your default position should always be 'no', unless you have assurances from your IT department", he adds.

"It sounds simple, but the reality is, very few of us are immune to being tricked by a convincing voice."

What’s Hot on Infosecurity Magazine?