Insights Header image
Insights Header image
Insights Header image

Data Security – The Increasing Danger of Vishing Attacks

September 16, 2022 Privacy Law Bulletin 3 minute read

If you own a phone, you have probably received a shady call from an unknown number trying to obtain your private information. What you may not know is that these calls are becoming increasingly harmful for businesses.

What is a Vishing Attack?

Vishing attacks (or voice phishing attacks) typically involve a scammer seeking to gain confidential information by pretending to be someone else.[1] For example, a scammer may introduce themselves as someone from a bank, the government, or a company’s IT department. The goal of a typical vishing attack is to obtain personal information that will unlock further opportunities, such as the ability to steal an individual’s money or identity or deploy a ransomware attack on a company’s computer system.[2]

The Canada Revenue Agency (“CRA“) has often been impersonated in vishing attacks. CRA scam alerts include transcripts of some of these phishing attempts. These scammers have deployed scare tactics, such as telling victims that criminal cases have been initiated against them, liens will be placed on their assets, or unknown legal action is impending.[3]

Vishing on the Rise

In recent years, vishing attackers have refined their methods to use increasingly sophisticated tools to convince their victims to divulge information. This includes manipulating their caller ID to display a legitimate number and voice cloning, which uses machine learning algorithms and voice changer technology to mimic a trusted individual’s voice.[4]

In January 2021, the FBI issued a private industry notification pointing to the increased number of targeted vishing attacks seeking access to corporate networks.[5] Specifically there has been a rise in hybrid vishing attacks, which combine targeted phishing attacks (also known as spearphishing) with vishing.[6] The effectiveness of hybrid vishing attacks is more concerning – in tests conducted by IBM, it was demonstrated that hybrid vishing attacks were three times more effective than spearphishing alone, producing a 53.2% click rate.[7]

Prevention and Mitigation Measures

To better protect you and your company from these threats, agencies such as the Canadian Centre for Cyber Security, the FBI and the U.S. Department of Health and Human Services have issued guidance with the following tips for individuals:

  • Use built-in smartphone spam protection features;[8]
  • Attempt to block automated calls or calls from unknown numbers; and
  • Exercise caution when faced with suspicious behavior such as:
    • callers seeking sensitive information;
    • scare tactics or high pressure from callers;
    • offers that sound too good to be true; or
    • signs that are uncharacteristic of legitimate corporations and government agencies, such as calls with poor audio quality, or callers with a robotic tone or unnatural rhythm to their voice;[9]

Companies should train staff on vishing attacks, new kinds of phishing campaigns and how to respond if targeted.[10] It is also good practice to periodically test employees with simulated vishing attacks, to identify when further training or awareness campaigns may be needed. However, since it is impossible to reduce the risk of a successful vishing attack entirely, it is key for companies to use a layered security approach. In particular, companies should consider implementing the following mitigation measures:

  • Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.[11] One-time passwords are preferred over push notifications (which are sometimes accepted due to MFA fatigue, without knowing the source of the request);[12]
  • Grant new employees access on a least privilege scale;[13]
  • Actively scan and monitor networks for unauthorized access or modifications;[14]
  • Utilize network segmentation to break up one large network into multiple smaller networks to better control the flow of network traffic;[15] and
  • Issue two accounts to administrators: one account with admin privileges to make system changes and another account for email, deploying updates, and generating reports.[16]

If you have any questions about the growing risks of vishing and how to develop effective cyber security programs and policies, a member of McMillan’s Privacy and Data Security Group would be pleased to assist you.

[1] Canadian Centre for Cyber Security, “What is Voice Phishing (Vishing)?” (July 25, 2022).  [What is Vishing]; The text message equivalents are referred to as “smishing” attacks (SMS phishing), and the “quick-response” (QR) code equivalents are “Quishing” attacks (QR code phishing).
[2] Canadian Centre for Cyber Security, “Don’t take the bait: Recognize and avoid phishing attacks – ITSAP.00.101” (August 2022). [Don’t Take the Bait]
[3] Government of Canada, “Sample telephone scams” (May 17, 2022).
[4] What is Vishing, s.v. “How does a vishing scam work”.
[5] Federal Bureau of Investigation, Cyber Division, “Private Industry Notification 20210114-001” (14 January 2021). [FBI Private Industry Notification]
[6] Rodika Tollefson, “Spearphishing meets vishing: New multi-step attack targets corporate VPNs” (December 15, 2020).
[7] IBM, “X-Force Threat Intelligence Index 2022” (February 2022) at page 5.
[8] What is Vishing, s.v. “Tips for spotting and avoiding vishing scams”.
[9] Don’t Take the Bait, s.v. “Something may be phishy if”.
[10] What is Vishing, s.v. “Tips for spotting and avoiding vishing scams”.
[11] FBI Private Industry Notification, at page 2.
[12] Vishing on the Rise, at page 2.
[13] Supra Note 11.
[14] ibid
[15] ibid
[16] ibid

By Robbie Grant; Vaughan Rawes (Articling Student) and Zijian Yang (Summer Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Insights (5 Posts)View More

Featured Insight

Unpacking Partnership Contracts in Quebec’s New Bill 62 Public Infrastructure Legislation

Bill 62 – An Act mainly to diversify the acquisition strategies of public bodies and increase their agility in carrying out infrastructure projects (“Bill 62”) was passed on October 2024 by the Québec National Assembly.

Read More
Dec 11, 2024
Featured Insight

Ontario Employers: New Job Posting Requirements Come into Force January 1, 2026

Employers should note new requirements for publicly advertised job postings that will come into force January 1, 2026.

Read More
Dec 11, 2024
Featured Insight

Managing Climate Risk with Insurance and Contractual Provisions

Carefully crafted contractual clauses and tailor-made insurance can help effectively manage the escalating risks posed by extreme weather.

Read More
Dec 11, 2024
Featured Insight

Legal Considerations in Canada related to “Voice Cloning”

In this bulletin, we discuss some potential causes of actions that one may have in Canada if they become victim of voice cloning.

Read More
Dec 6, 2024
Featured Insight

Ontario Employers: Important Changes to the ESA and OHSA Now in Force

Amendments to the ESA and OHSA regarding doctor's notes, virtual harassment, remote workers, and electronic postings are now in force.

Read More
Dec 6, 2024