What the heck is “vishing”?

At this point, all computer users should be very familiar with the term “phishing”, which is the fraudulent practice of sending emails purporting to be from a reputable sender in order to entice the recipient to reveal personal information, such as passwords and credit card numbers. However, recent articles such as this one from Bleeping Computer have been highlighting the advance of a new threat – “vishing”.

Vishing is the evil cousin of phishing: a caller with malicious intent makes phone calls or leaves voice messages purporting to be a specific person, or a contact from a reputable company, in order to induce the recipient to reveal personal information or perform an action, such as granting the caller access to corporate accounts and credentials for network access and privilege escalation.

The problem for a service provider like Suite3 is that we regularly get calls from users asking for things like a password reset. If that call comes from a contact who is not on our authorized caller list, we have to be cautious, because this person may not be who they claim to be. As a result, we often have to contact an authorized technical contact at the client before we can move forward with the requested task.

To facilitate faster service, a client may provide Suite3 with an entire employee list, which we can populate in our system as authorized callers. In addition, the client would need to make contacting Suite3 part of its process for any new hires or employee exits, so that the authorized caller list stays current over time.

However, many clients prefer to accept a slight delay in service for an end user in exchange for the checks and balances offered by verification of the request with an authorized technical contact. If you have any questions or want to discuss your service engagement options further, please feel free to ask your Client Relationship Manager to set up a time to discuss options more fully.