What is vishing?

Vishing (short for voice phishing) is a form of cyberattack where criminals use phone calls to deceive individuals into providing confidential information. These calls are often carefully crafted to sound legitimate and urgent where attackers may impersonate banks, government agencies, IT support, or even senior business leaders, exploiting trust and fear to extract sensitive information or money.

Micro businesses and SMEs are particularly vulnerable to this type of attack as they often have third party IT providers so providing attackers an opportunity to exploit this. Recognising and defending against this growing threat is a key part of improving your businesses cyber resilience.

How does vishing work?

Vishing attacks rely on social engineering techniques where cybercriminals research their targets and create a believable scenario in order to manipulate their victims. They may claim there is a security issue, a tax issue, or another time-sensitive business matter that requires immediate action.

Imagine this scenario: You answer the phone and the caller says:

"Hi, this is Dewi from your IT support provider. We’ve identified a critical vulnerability in your network, and we need to apply an urgent security patch. Could you please download and install the tool I’ll send you via email? It’s crucial to protect your systems immediately."

Concerned about the security risks, the person taking the call trusts that the right thing to do is to follow the instruction and they install the software. What they have actually done is downloaded malware and provided the attacker access to sensitive data and systems, and the capability of deploying ransomware, potentially putting the entire business at risk.

The impact on micro businesses and SMEs

The WCRC recently supported a business that had experienced this exact scenario, and the impact can be devastating, particularly for these types of organisations. Unlike larger companies, smaller businesses often lack dedicated IT and cybersecurity teams, making them more vulnerable to these attacks. The financial impact can be severe, with many struggling to recover from the losses, and also the impact on their reputation. Beyond this, there is also the emotional toll on the owners and employees, who may feel betrayed or embarrassed that they were deceived.

How to protect against vishing?

• Be vigilant: Always be cautious when receiving unexpected calls, especially if the caller is requesting sensitive information or pressuring you to act quickly.

• Verify the caller: If in doubt, hang up and contact the organisation directly using official contact details using a different phone. Never provide information on the spot.

• Educate your staff: Regular training on social engineering and vishing tactics (and other attacks and simple steps that can be taken by everyone) can help employees recognise and report suspicious calls.

• Use call-blocking technology: Consider using phone systems that can block known fraudulent numbers.

• Create a response plan: Have a clear procedure in place for verifying requests for sensitive information and reporting suspected attacks.

• Report incidents: If you’ve been targeted, report the incident to Action Fraud and your bank or service provider immediately.

  
  

Building awareness and resilience

Vishing is a serious threat, but with the right precautions, micro businesses and SMEs can make themselves more resilient to this type of attack. Awareness and education are key element of any business’ defences, and it’s important to create an environment where staff are vigilant and have been provided with the tools they need to recognise and respond to vishing attempts. As always, if something doesn’t feel right, trust your instincts—better to be cautious than to fall for these deceptive attacks.

To receive more WCRC guidance, resources and regular cyber updates, sign up for our free membership programme