Cybercrime rates continue to climb, but criminals are changing their tactics as security heightens in response. One of these changes is a rising emphasis on hybrid vishing. While these threats are far from new, they’ve seen an alarming increase in the past few months.
A recent report from Agari and PhishLabs shows hybrid vishing attacks have risen by 625% between Q1 2021 and Q2 2022. These scams now account for 24.6% of all response-based threats, making them the second most common type behind advanced-fee scams.
What Is Hybrid Vishing?
Vishing is a specific type of phishing attack. While most phishing attempts come through email, these target victims over the phone. They may be more convincing than text-based threats because they involve verbal communication, though they often follow similar tactics, such as creating false urgency.
Hybrid vishing takes these scams a step further. Cybercriminals first reach out to victims through email. However, unlike traditional email-based phishing, they won’t present a malicious link within the message. Instead, they’ll list a number for targets to call, leading them into a vishing scam.
Once scammers have victims on the phone, they’ll trick them into revealing sensitive information. They’ll often pose as authority figures requiring verification for some urgent action, then ask for details like financial account credentials or personally identifiable information.
Why Are Hybrid Vishing Attacks Rising?
The recent escalation in hybrid vishing attacks results from several growing trends. First, phishing as a whole has grown in popularity as people become more susceptible to it. It’s become one of the most frequent types of cybercrime as concerns over COVID-19, remote work, new government programs and similar changes lower victims’ guard.
While phishing has increased globally, hybrid vishing has gained favor as people have caught on to other tactics. Americans have become more aware of the threat of cybercrime, with 60% of U.S. adults expressing concerns over data breaches. This rising awareness means conventional approaches may be less effective, as more people know how to spot email phishing attempts.
The two-pronged nature of hybrid vishing threats helps avoid these suspicions. With no suspicious links in the body of the message, the emails may not immediately raise alarms. Asking users to call instead of calling them first may further lower the victims’ defenses, as they feel more in control of the situation.
How Can You Stay Safe from Hybrid Vishing?
This rise in hybrid vishing attacks is alarming, but individual users and businesses alike can protect themselves. Here’s how you can defend against hybrid vishing.
Learn the Signs
Like other phishing types, the best defense against hybrid vishing is learning to spot it. This is particularly important for businesses, as workers often lack the knowledge necessary to prevent these attacks. Failing to train employees could bring on a host of attacks and scams employers otherwise could have countered.
Hybrid vishing may be harder to spot than other phishing attempts, but it shares some telltale signs. Unusual or unwarranted urgency in a message should raise alarms. Given the rise in these attacks lately, you should be suspicious of any email asking you to call a number you don’t recognize.
Verify Before Trusting
Verifying any message before following through with its instructions is also essential. Even if an email doesn’t seem outright suspicious or out of place, always double-check before calling any numbers or clicking links. Thankfully, material coming from official sources is typically easy to verify.
Before calling a number listed in a message, look it up. Visit the website or whatever authority the message claims to be from and look for the number there. If it’s not listed under an official source, it’s most likely a scam. Similarly, you should compare the email sender’s domain to what’s listed on the authority’s official website to ensure it’s legitimate.
Employ Technical Safeguards
Hybrid vishing may slip past some security tools like spam filters, but other technical safeguards can help. Joining the National Do Not Call Registry will help keep your number from suspicious sources, reducing the chances that cybercriminals will find and call your number. However, keep in mind — this isn’t a perfect solution and doesn’t stop all attacks.
Some of the most critical technical safeguards to install are those detecting and minimizing the impact of successful breaches. Use automated monitoring software to look for and freeze suspicious account activity, signifying a threat. Encrypted backups of sensitive data and access restrictions can further help stop and mitigate successful hybrid vishing attacks.
Stay on Top of Emerging Threats
Cybercrime is constantly evolving, so staying safe means keeping up to date with cybercriminals’ favored attack vectors. When you understand what you’re up against, it’s easier to implement effective defenses.
Hybrid vishing is one of the latest trends all users should know about. While this trend is concerning, it doesn’t mean all businesses or users are in jeopardy. Ensuring you have the correct defenses in place and watching out for these attacks can help keep you and your data safe.