The Agency Insider with Linda McGlasson

Vishing Spree Continues to Target Customers

Vishing Spree Continues to Target Customers

This social engineering exercise is called "vishing" -- a form of phishing where, instead of people receiving an email trying to lure them into giving personal information, the criminal uses a phone call, either live or automated, to attack the bank or credit union customer and get critical information.

In fact, we even have an actual recording of a vishing attempt.

In just the past four weeks, financial institutions in 11 different states have one or more incidents of vishing. And these are just the institutions that are aware they've been targeted. 

I hate to be someone who says 'I told you so,' but in this case I have to say to those banks and credit unions out there who think phishing and vishing attacks won't hit them or their customers: The signs aren't looking good if you're not prepared to handle such incidents against your customers.

In just the past four weeks, financial institutions in 11 different states have one or more incidents of vishing. And these are just the institutions that are aware they've been targeted.

The fact is: We're pretty good at stopping traditional phishing attempts from defrauding our customers. Institutions have done a great deal of education about what kinds of communication customers should expect. This is why vishing and "text" phishing via cell phones (also known as "Smishing") have become an avenue for fraudsters to deploy their attempts to get account information. Customers who know to be wary of emails asking for their personal information will often fall for the ploy when it comes in the form of a phone call. Some attacks don't even target a named institution, but just have a generic recorded message that calls or texts cell phones and regular phones in an area code.

The last time I reported on vishing was back in February, when four states were caught up in a spree of events. As you can see, the incidents have only escalated since then.

For banks and credit unions that want to develop (or add to) their phishing incident response plan, there's a Vishing Incident Response Plan that I put together with the help of Bill Lamb from Central National Bank of Enid, OK, and Elaine Dodd, head of the Fraud Division at the Oklahoma Bankers Association.

Let me know if you've got additional tips or best practices to add to this plan. I want to hear from you about what you like (or don't like) about it. The best defense begins with an educated customer base, but you still need to be prepared to defend your customers and your institution when the vishers come calling.



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.