Data Security – The Growing Danger of Vishing Attacks – Data Protection

If you own a phone, you’ve probably received a suspicious call from an unknown number trying to obtain your private information. What you may not know is that these calls are becoming increasingly harmful to businesses.

What is a vishing attack?

Vishing attacks (or voice phishing attacks) usually involve a scammer seeking to obtain confidential information by impersonating someone else.1 For example, a scammer might pose as someone from a bank, government, or corporate IT department. The goal of a typical vishing attack is to obtain personal information that will open up other opportunities, such as the possibility of stealing an individual’s money or identity or deploying a ransomware attack on the a company’s computer system.2

The Canada Revenue Agency (“BOW“) has often been impersonated in phishing attacks. CRA scam alerts include transcripts of some of these phishing attempts. These scammers have deployed scare tactics, such as telling victims that criminal charges have been filed against them, liens will be placed on their assets, or an unknown legal action is imminent.3

Phishing on the rise

In recent years, vishing attackers have refined their methods to use increasingly sophisticated tools to convince their victims to divulge information. This includes manipulating caller ID to display a legitimate number and voice cloning, which uses machine learning algorithms and voice changer technology to mimic the voice of a trusted person.4

In January 2021, the FBI issued a private industry notification highlighting the increase in targeted vishing attacks seeking access to corporate networks.5 Specifically, there has been an increase in hybrid vishing attacks, which combine targeted phishing attacks (also known as spearphishing) with vishing.6 Of greater concern is the effectiveness of hybrid vishing attacks – in tests conducted by IBM, hybrid vishing attacks were shown to be three times more effective than spear phishing alone, yielding a click-through rate of

Prevention and mitigation measures

To better protect you and your business from these threats, agencies such as the Canadian Center for Cyber ​​Security, the FBI, and the U.S. Department of Health and Human Services have issued guidance with the following advice for individuals :

  • Use smartphones’ built-in spam protection features;8

  • Attempt to block robocalls or calls from unknown numbers; and

  • Exercise caution in the face of suspicious behavior such as:
    • callers looking for sensitive information;

    • scare tactics or high pressure from callers;

    • offers that sound too good to be true; Where

    • signs that are not characteristic of legitimate businesses and government agencies, such as calls with poor audio quality, or callers with a robotic tone or abnormal rhythm of their voice;9

Businesses should train their staff on vishing attacks, new types of phishing campaigns, and how to respond if targeted.ten It is also good practice to periodically test employees with simulated vishing attacks, to identify when additional training or awareness campaigns may be needed. However, since it is impossible to fully reduce the risk of a successful vishing attack, it is essential for businesses to use a layered security approach. In particular, companies should consider implementing the following mitigation measures:

  • Implement multi-factor authentication (MFA) to access employee accounts to minimize the risk of an initial compromise.11 One-time passwords are preferred over push notifications (which are sometimes accepted due to MFA fatigue, without knowing the source of the request);12

  • Grant new employees access on a scale of least privilege;13

  • Actively scan and monitor networks for unauthorized access or modification;14

  • Use network segmentation to divide a large network into multiple smaller networks to better control the flow of network traffic;15 and

  • Assign two accounts to administrators: one account with administrator privileges for making changes to the system and another account for email, update deployment, and reporting.16


1. Canadian Center for Cyber ​​Security, “What is Vishing?” (July 25, 2022). [What is Vishing]; Text message equivalents are referred to as “smishing” attacks and “quick response” (QR) code equivalents are “quishing” attacks.

2. Canadian Center for Cyber ​​Security, “Don’t Take the Bait: Recognize and Avoid Phishing Attacks – ITSAP.00.101” (August 2022).
[Don’t Take the Bait]

3. Government of Canada, “Examples of phone scams” ​​(May 17, 2022).

4. What is vishing, sv “How a vishing scam works”.

5. Federal Bureau of Investigation, Cyber ​​Division, “Private Industry Notification 20210114-001” (January 14, 2021). [FBI Private
Industry Notification]

6. Rodika Tollefson, “Spear phishing meets vishing: New multi-stage attack targets enterprise VPNs” (December 15, 2020).

7. IBM, “X-Force Threat Intelligence Index 2022” (February 2022) at page 5.

8. What is vishing, sv “Tips for spotting and avoiding vishing scams”.

9. Don’t take the bait, sv “Something can be phishy if”.

10. What is vishing, sv “Tips for spotting and avoiding vishing scams”.

11. FBI Private Industry Notification, page 2.

12. Vishing on the Rise, page 2.

13. Supra Note 11.

14. ditto

15. ditto

16. ditto

The above provides an overview only and does not constitute legal advice. Readers are cautioned not to make any decisions based solely on this material. Rather, specific legal advice should be obtained.

© McMillan LLP 2021

About Sandra A. Powell

Check Also

Garden State CEO Gogie Padilla offers seniors protection from phone scams and spam

Sure Response, LLC Gogie Padilla, President of Answer Sure, LLC SPOTSWOOD, NJ, USA, Sept. 12, …