In a transparent soundproof booth, on a brightly lit stage, armed with nothing more than a VOIP phone and a sheaf of paper, 14 people take it in turns to perform in front of a large crowd.

The select few are going vishing (voice phishing) and their aim is to collect as many data points as possible from the target organisation that they’ve been assigned. The winner is the one who gains the largest amount of valuable data within a 25-minute time slot.

This is Social Engineering Capture the Flag (SECTF), an event within the DEF CON conference and a fascinating piece of theatre. It’s also a hard-fought competition with the contestants taking immense pride in the hours of research they have conducted via OSINT (Open Source Intelligence) prior to taking to the stage.

Whilst the competition is for people who call themselves Human Hackers, it isn’t something that’s designed to mock the failings of organisations – instead it highlights how important it is for businesses to better equip themselves against a tactic that is so effective, it often goes unnoticed.

In this post – the fifth in our Cyber Security Series – we’ll take a look at the art of vishing and the common sense steps you can take to prevent your employees from falling hook, line and sinker.

Engineering your way in

At the heart of vishing is a tactic that’s been used by criminals throughout history – social engineering. From the door-to-door conman fleecing an individual out of thousands to the cyber criminal re-routing millions of dollars to an off-shore bank account, they use impersonation, pressure and persuasion to trick their targets into handing over valuable data.

In a business context, the kind of information that requires protection extends way beyond financial data. In instances of large-scale fraud, criminals will take the time to learn org charts and internal processes, giving them the power to subvert procedures and transfer funds without immediate detection.

“Criminals are increasingly directly targeting individuals and businesses for their data and money, using social engineering tactics to commit their crime.”

‘Fraud the Facts 2018’, UK Finance

Your name is Chris? That’s my brother’s name too!

In a podcast for Security Through Education, SECTF winner Whitney Maxwell explains how she uses social engineering tactics to build rapport when vishing. It’s the same social skills that we all use on a day to day basis, and what makes us such easy targets. Here’s an example:

If a target says, “Hi, this is Kathy”, Whitney responds with, “Oh, that’s my middle name! How do you spell yours, with a ‘C’ or with a ‘K’?” With a natural lilt to her voice and just the right amount of enthusiasm, Whitney sounds genuine – genuine enough that when she goes on to say that she’s a new employee trying to connect to the network, the person on the other end is more than willing to help.

It’s not all about phishing

For the majority of large enterprises, teaching staff about social engineering is part of their standard security process however more often than not the emphasis is on online phishing activity. Social engineering expert (and three times 2nd place SECTF finalist) Rachel Tobac thinks this is a mistake. When asked in an interview what cyber security issue organisations should be paying more attention to, her reply was vishing because, as she puts it: “In my experience, it’s been way easier to vish a company than it’s been to phish a company”. And she should know.

Where phishing emails are typically easy to spot thanks to grammatical errors or enormous lies such as “The FBI wishes to give you $9,000,000 USD”, vishing is more difficult to detect. When a person takes the time to call you and hold a conversation, deploying tactics that disguise outright dishonesty with what seems like genuine courtesy, it’s easy to understand how you might be fooled into handing over information. So, what can you do?

Seal off your processes

Cyber criminals who use vishing tactics will often target an organisation at entry level before working their way up. Approval processes are particularly susceptible to vishing so it is worth reviewing how broadly each of your process steps are known throughout your business. If the people at the beginning of the process have clear visibility all the way to the end, it’s worth putting up some walls.

Stop leaving the door open

When it comes to office buildings, physical security is easy to spot: usually there are guards or reception staff, cameras and a card entry system. But even with these measures in place, most organisations will find that staff frequently circumvent the rules. Here’s just a few examples:

  • Allowing colleagues through doors and barriers when they have forgotten their swipe cards.
  • Giving visitors staff passes to access building facilities.
  • Allowing a delivery to be brought in to a restricted area by an unauthorised person.

Most employees will know that any of the above could compromise security, and yet they still do it. Why? Because as humans we like to be helpful to others and we certainly don’t want to suggest to people that we don’t trust them. It’s a delicate balance between being cautious and downright suspicious and it’s where critical thinking comes in to play.

Critical thinking is vital

Ultimately, employees should use the same level of critical thinking that they would if they received a random call at home – there aren’t many people who haven’t answered the phone to someone pretending to be from a bank, phone company or tech support firm.  According to UK Finance’s ‘Fraud the Facts 2018’ report, £28.4m was stolen in this way in 2017 alone.

Thinking twice before responding to requests for information – in person, via email or over the phone – is vital to protecting your business assets and is everybody’s responsibility. From exploring examples informally with your teams through to specialist penetration testing companies who will let you know precisely how big the risk is, the power is in your hands to reduce the threat of vishing to your business. It’s time for some critical thinking.

For more information, please contact Katherine Hill, Cyber Security Lead at kat.hill@scc.com