Just a couple of years ago, vishing, or voice phishing, was an unknown term. However, vishing is getting more attention since it’s been on the rise in the past couple of years. The Federal Trade Commission states that last year over 1.2 billion US dollars were lost to vishing attacks. With a 554% increase in these attacks, it’s not slowing down anytime soon.
During a vishing call, a malicious actor often impersonates a well-known company. Other times, they will call company employees posing as a colleague who needs help or needs to verify information. This was the case with the recent MGM cyber-attack, during which the hackers reportedly gained access to MGM’s internal systems by calling the company’s help desk and asking for a password reset. They impersonated a legitimate IT worker and were able to answer the help desk’s verification questions using information they had previously found through OSINT. It’s easy to think: “I would never fall for that.” The truth is, even if we’re aware of these scam calls, we can still fall for them. So, what makes vishing such a powerful vector?
The Pretext
Before making a vishing call, a credible pretext must be in place. The Cambridge Dictionary defines the word pretext as: “a pretended reason for doing something that is used to hide the real reason.” Basically, it’s a made-up story to justify the call. In order for a pretext to be effective, it must be simple yet believable. The pretext may include details that make the person on the receiving end believe that the call is legitimate. Some of these details include employee names, usernames, and/or internal jargon specific to the company. Most of this information is gathered through OSINT.
OSINT
OSINT, or Open-Source Intelligence, is used to gather the ingredients to make a realistic pretext. Information such as a person’s job title, employment date, birth date, place of birth, favorite sports team, etc., can often be gathered from social media and other free sources online. OSINT can also be done via phone calls. These OSINT calls can be used to gather internal information about a company, such as their internal processes, which system they use to communicate internally, and even usernames and passwords. Once an attacker has the personal details of the person they will impersonate, they can flesh out the pretext and give it life by using principles of influence.
Principles of Influence
Principles of influence can exert a great deal of power. By using influence, the attacker can elicit emotions from their targets. This is what ignites the pretext. By getting people to have an emotional reaction, a malicious attacker gets their target to momentarily suspend critical thinking; this can lead a person to take an action they normally would not. Some of these principles of influence include authority, reciprocity, social proof, scarcity, and sympathy. Use of these principles can elicit emotions such as fear, curiosity, and greed, and an overall feeling of compliance.
Trust
As humans, we’re wired to want to trust others. As long as all the pieces of a story fit, most of us have no reason to question a person’s motives. Ultimately, this is the reason why people fall for these scams. It’s not because of a lack of intelligence; it’s because we’re simply…human. Unfortunately, criminals use trust to capitalize on human vulnerability. This is why it’s crucial to question any email, text, or call that elicits a strong emotional response. The way back to critical thinking is to pause and breathe for a few seconds. Simple as this may sound, it is very effective. It calls for self-awareness, as well as awareness of the tactics criminals use every day.
Security Through Education
Social Engineer LLC is dedicated to security through education and training. We apply scientifically proven methodologies to uncover vulnerabilities, define risk, and provide remediation. For more information on the services we offer, visit our website www.social-engineer.com.
Written by: Rosa Rowles