Call Centers and VoIP elements

Ask A Pen Tester: What Is Vishing?

Vishing is VoIP-based phishing: a hacker calls you while pretending to be a trusted phone number or source, with the intent of convincing you to reveal sensitive information such as passwords, credit card numbers, and more.

Caller ID spoofing, the technique these vishing hackers use to make the name and number shown on your caller ID look legitimate, is intended to confuse potential victims. For example, these hackers may appear to be calling from your bank's phone number, claim that your account has been compromised, and request your password so they can "secure it" immediately.
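On the VoIP side, the number shown on the caller ID comes from the SIP From header, which the caller's own equipment fills in, whereas P-Asserted-Identity (RFC 3325) is added by the carrier and is the identity the network actually vouches for. The following script is an added example, not code from MindPoint Group or the original article; it parses constructed SIP INVITE headers (hypothetical numbers and hosts) and flags the indicators a call center's SIP gateway could check before an agent ever picks up: a From number that disagrees with the carrier-asserted one, a trusted organisation's display name arriving from a number not on its allow-list, and calls with no asserted identity at all. It assumes the P-Asserted-Identity header arrives from a trusted carrier peer, which is the only case in which that header means anything.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed SIP INVITE headers for illustration; none of this is real traffic.
# The From header is chosen by the caller, so it can carry any number. The
# P-Asserted-Identity header is inserted by the carrier (assumed here to be a
# trusted peer) and reflects where the call really originated.
SPOOFED_INVITE = """\
INVITE sip:agent@callcenter.example.invalid SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
From: "First National Bank" <sip:+15551234567@203.0.113.10>;tag=1928301774
To: <sip:agent@callcenter.example.invalid>
P-Asserted-Identity: <sip:+19995550000@carrier.example.invalid>
Call-ID: a84b4c76e66710@203.0.113.10
CSeq: 314159 INVITE
"""

LEGIT_INVITE = """\
INVITE sip:agent@callcenter.example.invalid SIP/2.0
From: "First National Bank" <sip:+15551234567@bank.example.invalid>;tag=77
To: <sip:agent@callcenter.example.invalid>
P-Asserted-Identity: "First National Bank" <sip:+15551234567@carrier.example.invalid>
Call-ID: b73c2d11f0@bank.example.invalid
CSeq: 1 INVITE
"""

UNVERIFIED_INVITE = """\
INVITE sip:agent@callcenter.example.invalid SIP/2.0
From: "First National Bank" <sip:+15551234567@198.51.100.7>;tag=42
To: <sip:agent@callcenter.example.invalid>
Call-ID: c9a1e4@198.51.100.7
CSeq: 2 INVITE
"""

# Hypothetical allow-list: display names an impersonator would want to borrow,
# mapped to the numbers that organisation genuinely calls from.
TRUSTED_ORGS: Dict[str, Set[str]] = {
    "first national bank": {"+15551234567"},
}

NUMBER_RE = re.compile(r"sip:(\+?\d+)@")
DISPLAY_RE = re.compile(r'^\s*"([^"]*)"')


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the request line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line terminates the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def number_of(header_value: Optional[str]) -> Optional[str]:
    """Pull the telephone number out of a SIP URI such as <sip:+1555...@host>."""
    if header_value is None:
        return None
    m = NUMBER_RE.search(header_value)
    return m.group(1) if m else None


def display_name_of(header_value: Optional[str]) -> Optional[str]:
    """Return the quoted display name of a From header, normalised to lower case."""
    if header_value is None:
        return None
    m = DISPLAY_RE.match(header_value)
    return m.group(1).strip().lower() if m else None


def assess_invite(raw: str, trusted: Dict[str, Set[str]]) -> List[str]:
    """Return finding codes for a SIP INVITE; an empty list means nothing fired."""
    h = parse_headers(raw)
    findings: List[str] = []
    from_num = number_of(h.get("from"))
    pai_num = number_of(h.get("p-asserted-identity"))
    name = display_name_of(h.get("from"))

    if pai_num is None:
        # Nothing the network vouches for: the caller ID is unverified.
        findings.append("no-asserted-identity")
    elif from_num != pai_num:
        # The caller-chosen number disagrees with the carrier-asserted one.
        findings.append("from-pai-mismatch")

    if name in trusted:
        # Judge a borrowed display name by the best identity we have.
        asserted = pai_num if pai_num is not None else from_num
        if asserted not in trusted[name]:
            findings.append("trusted-name-number-mismatch")
    return findings


if __name__ == "__main__":
    for label, invite in (("spoofed", SPOOFED_INVITE), ("legit", LEGIT_INVITE),
                          ("unverified", UNVERIFIED_INVITE)):
        print(label, assess_invite(invite, TRUSTED_ORGS))
```

A gateway that routes on these findings would send the flagged calls to a queue where the agent's screen shows "caller ID unverified" rather than the bank's name, which is exactly the cue the urgency-and-verification script relies on removing.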

Likely signs of a vishing attack include:

  • Extreme urgency or pushiness from the person on the other end of the line
  • The caller repeatedly asks you to "verify" information by reading it out to them
  • Unexpected calls from known numbers or well-established companies
  • Short or unusual phone numbers on the caller ID display

To prevent vishing attacks:

  • Avoid giving information over the phone to anyone claiming to be the IRS, Medicare, or the Social Security Administration (they do not initiate contact by phone)
  • Join the Do Not Call Registry
  • Don't respond to automated voice prompts, whether by speaking or by pressing keys
  • Verify all phone requests, even those that appear to come from your organization's IT department. Agents should be trained to refuse to disclose sensitive information unless cleared by their supervisor.

One of the best ways to prevent attacks is to conduct routine, third-party penetration tests against your systems to gauge how effective your defenses are. Learn more about MindPoint Group's testing process and how our experts can secure your organization's assets.
