What is IVR phishing, and how can I avoid it?
In one of our recent blogs, we took a look at the phenomenon of social engineering attacks. In order to accurately identify such attacks, however, it is important to understand the different forms such attacks can take. While social engineering is most commonly used to describe attackers stealing online data, this isn’t always the case.
There are several variations of social engineering and phishing attacks that can occur offline as well as online. We’ll be looking to produce a blog on each of these in the coming weeks, but today we’re starting with one of the most curious (and effective): interactive voice response (IVR) phishing.
What is interactive voice response (IVR) phishing?
Interactive Voice Response Phishing is a type of phishing scam that involves a call with a pre-recorded, automated message. IVR attacks and similar methods are often known as ‘vishing’ attacks, a portmanteau of voice and phishing.
Instead of being tricked into entering your details on a dodgy website, you’re tricked by a person or pre-recorded voice to give them your information. Vishing attacks are effective because they are more personal, and rely on your ability to be persuaded.
- A typical IVR phishing attack starts with a call claiming to be from your bank. A recorded voice will tell you that your account has shown suspicious activity and, as a result, you now need to confirm your identity.
- You will be asked to provide either your card number or security information, which is then harvested by the attacker. The attacker uses the fear of losing money to manipulate you into making an impulsive decision.
Remember, your bank will never ask you to provide your password or card details in full over the phone. If you receive a call of this nature, hang up and call back on the numbers available on the back on your bank card/the official website.
IVR is used by attackers as it allows them to target large groups of people using readily available information, and through a more intrusive method than typical email attacks. Attackers can simply play the odds in the belief that at least somebody will be caught out.
How do vishing scammers get phone numbers to call?
Vishing attackers take advantage of the fact that you are required to hand over your phone number with increasing regularity in today’s society. While phishing emails are often caught in spam, spam filters for phones are less effective. Many of us also allow hundreds or even thousands of unread emails to pile up, whereas phone calls tend to grab our attention.
Methods of acquiring phone numbers include:
- Oversharing. This could be through something as simple as leaving your number in your email signature, or including it in a public post on social media or a discussion board.
- Third-Party Services. If one of the services you signed up for (eg. a gym or charity) was to either suffer a data breach or sell on any customer info to third parties, your number could easily wind up in the hands of potential attackers.
What might a vishing scam look like in practice?
One of the most common vishing scams is the ‘Fake Bank Manager’ call. The scammer will claim to be calling on behalf of your bank, and attempt to either gain your online banking credentials or dupe you into making a payment.
- Due to the sensitive nature of this information, you are likely only to share it with employees from within the organisation in question.
- In order to steal this information, attackers will try to push you into impulsive decisions by creating a sense of urgency. For example, they will inform you of “suspicious activity” on your account that needs to be investigated.
- Once the fraudster has been able to build up a degree of trust, they will then ask you to provide sensitive information (e.g. your debit card number in full).
How to identify and stop vishing scams
Here are some of the precautions you should bear in mind to help identify and stop vishing attacks:
- Never reveal sensitive information over the phone unless you are 100% sure of the caller’s identity and authenticity. Remember, you are within your rights to ask for the caller’s name, company and the reason for their call, as well as any credentials they can provide. If you are still uncertain, end the call politely.
- Never enter sensitive information when receiving a call from a recorded voice. If you do receive a recorded-voice call, it should only ever be to provide you with information, and never as a two-way conversation.
- If you do receive an unsolicited call from a company that you recognise (e.g. your bank or a current service provider), inform the caller that you will ring back via the number on their website/printed on the back of your bank card.
- If a colleague asks you to provide sensitive information over the phone, ask them to put their request in an email and make sure your line manager is cc’ed into the conversation. This way, you can ensure that you are helpful, whilst also keeping within best practice.
We hope that this advice helps you to better understand IVR attacks, and how to keep you and your business safe from such threats. To learn more about our wealth of experience in cyber attack prevention, and to discuss your IT requirements, get in touch with us today.