Social Engineering at Work: Part 3 – Vishing

Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. This is the third of a 4-part series on social engineering and how it affects your business. Earlier, we covered Impersonation and Email Phishing. Today – Vishing.


Vishing – or ‘voice phishing’ – is used by brazen attackers who call their targets directly. They often impersonate authority figures and threaten victims into sending payment, or else…

Malware Routes Calls to Attackers

In one recent example of vishing, rather than calling victims, attackers used malware on victims’ smartphones to redirect their calls.

Once installed, the malware detected when calls were placed to banks and redirected them to scammers who impersonated a banking employee. The phone’s caller ID even listed the bank’s legitimate phone number.

In one example, more than 130 utility customers – many of them restaurants – received calls from a person threatening to shut off their electrical service unless payment was made.

Many of the calls came at busy times – such as the dinner rush – and at least one victim paid $4,000 to avoid having the power cut. Payments were made online or via prepaid card.

Caller ID Spoofing

The attacker may use caller ID spoofing to make their efforts more convincing.

For example, several New Jersey residents experienced vishing attacks in which the caller impersonated a local sheriff’s office.

The attacker attempted to extort money from victims using the threat of arrest and successfully used caller ID spoofing to mimic the sheriff’s office phone number.

In another example of impersonating police, the caller posed as an officer and pressured the victims into sharing personal information that could be used for fraud.

What You Can Do About It

First, always be aware that these scams exist and keep your guard up. More importantly, partner with a trusted IT service company that takes on the job of protecting your business from cybercriminals.

For more information, a security assessment, or help training your employees on cyber safety, call mPowered IT at 678-389-6200.