Don’t Answer the Phone: Inside a Real-Life Vishing Attack

Mar 20, 2024 Dark Reading

Successful attackers focus on the psychological manipulation of human emotions, which is why anyone, even a tech-savvy person, can become a victim.

It started with a phone call around 10:30 a.m. on a Tuesday from an unknown mobile number. I was working on my computer at home and usually don’t answer phone calls from people I don’t know. For some reason, I decided to stop what I was doing and take that call.

That was my first mistake in a series of several I would make over the next four hours, during which I was the victim of a vishing, or voice-phishing, campaign. By the end of the ordeal, I had transferred nearly €5,000 (EUR) in funds from my bank account and in Bitcoin to the scammers. My bank was able to cancel most of the transfers; however, I lost €1,000 (EUR) that I had sent to the attackers’ Bitcoin wallet.

Experts say it doesn’t matter how well you know the tactics attackers use or how much experience you have in spotting scams. The key to the attackers’ success is older than technology: it lies in manipulating the very thing that makes us human, our emotions.

“Because we are so tech-centric, we forget that actually these scam tactics are old — predating even Internet scams — and very proven,” says Richard Werner, cybersecurity advisor at Trend Micro. “They work with emotions. When they put us in the right mood and trigger anger or fear, we forget all the advice. In those cases, we lose common sense, and there’s where [attackers] get us.”

As a result, even a cybersecurity expert can fall for a scam, as Werner himself — a 20-year IT cybersecurity veteran — did. A phishing email with a Windows-support-themed message arrived in his inbox just as he was struggling with the operating system not working properly on his machine. Luckily, it was a phishing training exercise that came from an internal source at his company, not one with high stakes.

But as someone who has written phishing exercises for employee training, Werner knows that everyone — from the IT department to human resources — has a trigger that makes them susceptible to a scam under the right set of circumstances…