Cyber Threats on the Rise: Voice Phishing and Social Engineering

What is Voice Phishing? 


Voice Phishing (Vishing) is a social engineering attack where threat actors make fraudulent phone calls or leave deceptive voice messages designed to trick victims into providing sensitive information - like login credentials, credit card numbers, or bank details. Attackers may use toll-free numbers or Voice over Internet Protocol (VoIP) technology to appear as trusted organizations. In 2024, CrowdStrike Intelligence observed an increase in telephone-based social engineering tactics, including vishing and help desk impersonation. This signals a shift in eCrime. In the latter half of 2024, Vishing campaigns increased by 442%.




Why is Vishing Effective?

Similar to other social engineering techniques, vishing targets human behavior rather than technical vulnerabilities. Malicious activity often isn't discovered until later, such as when attackers execute malware or gain access, which can delay an effective response. In vishing campaigns, threat actors persuade users to download malicious payloads, establish remote support sessions, or enter their credentials into adversary-in-the-middle (AITM) phishing pages. In many 2024 vishing campaigns, threat actors impersonated IT support staff, calling targeted users under the pretext of resolving connectivity or security issues.


At least four campaigns used spam bombing — sending thousands of spam emails to a targeted victim's inbox — as a pretext for the vishing call. Recently, Trine users received spam emails like 'career opportunities' and 'part-time jobs available'. While spam bombing is not an indicator that a Vishing attack is underway, being proactive and spreading the word is the first line of defense.

One threat group targeting North American entities was able to remotely take over an individual's network through a Vishing call in under 4 minutes. Fortunately, CrowdStrike's Overwatch system stopped the attack, but the sophistication and speed of attacks are increasing.



What do I do if I Get a Vishing Call?

At this time, IT is not conducting simulated Vishing campaigns. You will not receive simulated phone calls from IT. Please remember: IT will never punish or criticize a user for reporting a suspected Vishing attempt. We rely on users to report suspicious activity - those reports are critical to protecting Trine's resources. If you suspect you've received a Vishing call, please keep the following in mind:


1. Don't panic - Taking the call does not mean you've been compromised. Unlike clicking on a malicious web link, simply answering the call does not result in harm. 

2. End the call - Like with telemarketers, hanging up on a threat actor is a safe, effective action. The longer a threat actor keeps you talking, the greater the risk.

3. Don't attempt to investigate - Threat actors are trained to keep you engaged and talking. Disconnect the call to end the risk. 

4. Report the call to IT - While IT cannot trace phone numbers like we can with phishing emails, reporting helps recognize trends at the University. With enough reports, IT can confirm if an active Vishing Campaign is targeting the University and take appropriate action. 


If you have questions or want to verify the legitimacy of a call, reach out to IT directly. When in doubt—hang up and check it out.
