Digital Brain
digital brain
digital brain

Data Security – The Increasing Danger of Vishing Attacks

September 16, 2022 Privacy Law Bulletin 3 minute read

If you own a phone, you have probably received a shady call from an unknown number trying to obtain your private information. What you may not know is that these calls are becoming increasingly harmful for businesses.

What is a Vishing Attack?

Vishing attacks (or voice phishing attacks) typically involve a scammer seeking to gain confidential information by pretending to be someone else.[1] For example, a scammer may introduce themselves as someone from a bank, the government, or a company’s IT department. The goal of a typical vishing attack is to obtain personal information that will unlock further opportunities, such as the ability to steal an individual’s money or identity or deploy a ransomware attack on a company’s computer system.[2]

The Canada Revenue Agency (“CRA“) has often been impersonated in vishing attacks. CRA scam alerts include transcripts of some of these phishing attempts. These scammers have deployed scare tactics, such as telling victims that criminal cases have been initiated against them, liens will be placed on their assets, or unknown legal action is impending.[3]

Vishing on the Rise

In recent years, vishing attackers have refined their methods to use increasingly sophisticated tools to convince their victims to divulge information. This includes manipulating their caller ID to display a legitimate number and voice cloning, which uses machine learning algorithms and voice changer technology to mimic a trusted individual’s voice.[4]

In January 2021, the FBI issued a private industry notification pointing to the increased number of targeted vishing attacks seeking access to corporate networks.[5] Specifically there has been a rise in hybrid vishing attacks, which combine targeted phishing attacks (also known as spearphishing) with vishing.[6] The effectiveness of hybrid vishing attacks is more concerning – in tests conducted by IBM, it was demonstrated that hybrid vishing attacks were three times more effective than spearphishing alone, producing a 53.2% click rate.[7]

Prevention and Mitigation Measures

To better protect you and your company from these threats, agencies such as the Canadian Centre for Cyber Security, the FBI and the U.S. Department of Health and Human Services have issued guidance with the following tips for individuals:

  • Use built-in smartphone spam protection features;[8]
  • Attempt to block automated calls or calls from unknown numbers; and
  • Exercise caution when faced with suspicious behavior such as:
    • callers seeking sensitive information;
    • scare tactics or high pressure from callers;
    • offers that sound too good to be true; or
    • signs that are uncharacteristic of legitimate corporations and government agencies, such as calls with poor audio quality, or callers with a robotic tone or unnatural rhythm to their voice;[9]

Companies should train staff on vishing attacks, new kinds of phishing campaigns and how to respond if targeted.[10] It is also good practice to periodically test employees with simulated vishing attacks, to identify when further training or awareness campaigns may be needed. However, since it is impossible to reduce the risk of a successful vishing attack entirely, it is key for companies to use a layered security approach. In particular, companies should consider implementing the following mitigation measures:

  • Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.[11] One-time passwords are preferred over push notifications (which are sometimes accepted due to MFA fatigue, without knowing the source of the request);[12]
  • Grant new employees access on a least privilege scale;[13]
  • Actively scan and monitor networks for unauthorized access or modifications;[14]
  • Utilize network segmentation to break up one large network into multiple smaller networks to better control the flow of network traffic;[15] and
  • Issue two accounts to administrators: one account with admin privileges to make system changes and another account for email, deploying updates, and generating reports.[16]

If you have any questions about the growing risks of vishing and how to develop effective cyber security programs and policies, a member of McMillan’s Privacy and Data Security Group would be pleased to assist you.

[1] Canadian Centre for Cyber Security, “What is Voice Phishing (Vishing)?” (July 25, 2022).  [What is Vishing]; The text message equivalents are referred to as “smishing” attacks (SMS phishing), and the “quick-response” (QR) code equivalents are “Quishing” attacks (QR code phishing).
[2] Canadian Centre for Cyber Security, “Don’t take the bait: Recognize and avoid phishing attacks – ITSAP.00.101” (August 2022). [Don’t Take the Bait]
[3] Government of Canada, “Sample telephone scams” (May 17, 2022).
[4] What is Vishing, s.v. “How does a vishing scam work”.
[5] Federal Bureau of Investigation, Cyber Division, “Private Industry Notification 20210114-001” (14 January 2021). [FBI Private Industry Notification]
[6] Rodika Tollefson, “Spearphishing meets vishing: New multi-step attack targets corporate VPNs” (December 15, 2020).
[7] IBM, “X-Force Threat Intelligence Index 2022” (February 2022) at page 5.
[8] What is Vishing, s.v. “Tips for spotting and avoiding vishing scams”.
[9] Don’t Take the Bait, s.v. “Something may be phishy if”.
[10] What is Vishing, s.v. “Tips for spotting and avoiding vishing scams”.
[11] FBI Private Industry Notification, at page 2.
[12] Vishing on the Rise, at page 2.
[13] Supra Note 11.
[14] ibid
[15] ibid
[16] ibid

By Robbie Grant; Vaughan Rawes (Articling Student) and Zijian Yang (Summer Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Insights (5 Posts)

Featured Insight

Display of Trademark on Stickers Affixed to Goods Constitutes Trademark Use

Displaying a retailer’s trademark on stickers affixed to goods already branded with a third party’s mark constitutes "use" of a trademark in Canada.

Read More
Jan 31, 2023
Featured Insight

Term CORRA Officially Under Development

1- and 3- month Term CORRA under development; targeted publication date is at end of Q3 2023; Term CORRA administrator will be CanDeal Innovations Inc.

Read More
Jan 30, 2023
Featured Insight

The State of Play in Shareholder Activism: Issues, Concerns and Trends

Join us for a series of engaging discussions on shareholder activism in Canada. Industry experts will share valuable insights into regulatory and market issues, concerns and trends.

Tuesday, February 28, 2023
Featured Insight

CSA Publishes Results of Continuous Disclosure Review Program Activities

CSA Staff Notice 51-364 - Continuous Disclosure Review Program Activities for fiscal years ended March 31, 2022 and March 31, 2021.

Read More
Jan 26, 2023
Featured Insight

Canadian Securities Administrators Comment on Disclosure Related to Mineral Projects and Technical Reports

On November 3, 2022, the Canadian Securities Administrators published Staff Notice 51-364 Continuous Disclosure Review Program Activities for 2022 and 2021.

Read More
Jan 24, 2023