Magpie Tech Tips

November 10, 2021

New Vishing Attack Hitting Windows Users – Watch for It!

Yet again, cybercriminals have changed tactics. They're using a new "vishing" strategy to attack unsuspecting people. The campaign impersonates Microsoft and adds a phone call to the usual email lure to trick you into giving them remote access to your computer.

October is a time for spooky decorations, costumes, and candy…not scary cyberattacks. Yet that's what started up this October, via a new "vishing" attack spreading fast.

Vishing, or 'voice phishing,' adds another element to the typical phishing attack: a phone call.

Ordinarily, phishing messages come via email. You get a message that looks like it came from your bank, or a software company, asking you to click a link. The link leads to a fake login page or a malware download, which sets off the whole cyberattack.

However, this latest vishing campaign doesn't use a link. It uses a phone number.

Here's how it works, according to , who discovered the campaign:

  1. You receive an email that looks like it comes from Microsoft.
  2. It contains an invoice for renewing "Microsoft Defender." Wait, you didn't renew Defender (it's built into Windows at no extra cost, by the way)!
  3. Well, the invoice has a phone number for "any questions you may have." So you call the number.
  4. On the phone, someone "from Microsoft" asks you to download some software to 'verify' the renewal.
  5. The software is a remote-access tool, typically a legitimate remote-support product rather than obvious malware, which is why nothing warns you. Once you download and run it, they're in.
  6. Now they can steal your data, deploy ransomware, crash the network…whatever they want. Cyberattack commences.

Vishing Attack 2021

Why incorporate a phone call? It increases the "trust factor." It's easy to delete an email you didn't expect. Talking to someone on the phone, who says they want to help you with an issue, makes it easier to trust them.

That's what makes vishing so dangerous.

How do you stop this from hurting you? Exercise caution, and follow some simple practices:

  • Whenever you receive an unexpected message, especially involving bills, check with your billing department. If they didn't expect the message either, notify your IT department.
  • Watch for phishing 'cues.'
    • Lots of links in an email (or no links at all, even in the footer).
    • Misspelled words.
    • A Gmail address used for an 'official business' email.
    • Inconsistencies with names, addresses, or email addresses.
  • Look up the phone number before calling. Find the vendor's support number on its official website rather than trusting the one in the email; if the two don't match, chances are the email is fake.
  • If you receive a call you don't recognize and the caller asks you to download something onto your computer, hang up and notify IT Support.
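The cues above can be turned into a first-pass triage check for a mail filter or help desk. The following is an added example written for this post, not code from the original article or from any vendor. It implements the cues the post lists (free-mail sender claiming to be a vendor, invoice or renewal language, no links at all, and a callback number that is not on the vendor's published list). The allowlisted support number and both sample emails are constructed placeholders using reserved 555 numbers; in practice you would populate the allowlist from the vendor's official website, never from the email itself.

```python
"""Triage an inbound email for callback-phishing ("vishing") cues.

Added example for this post. The official-number allowlist and the two
sample messages below are constructed placeholders, not real data.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed allowlist (placeholder, not a real Microsoft support line).
# Populate from the vendor's official website, never from the email itself.
OFFICIAL_NUMBERS = {"microsoft": {"18005550100"}}

FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
INVOICE_WORDS = re.compile(r"\b(invoice|renewal|subscription|receipt|payment)\b", re.I)
# North American style numbers: +1 (800) 555-0100, 800.555.0100, 800 555 0100 ...
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)


def normalize_number(raw: str) -> str:
    """Reduce a phone number to digits; add the US country code if absent."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_email: str, claimed_vendor: str) -> dict:
    """Check a raw RFC 822 message against the vishing cues; return findings."""
    msg = message_from_string(raw_email)
    text = body_text(msg)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    findings = []
    if sender_domain in FREE_MAIL_DOMAINS:
        findings.append(f"free-mail sender domain used for 'official' business: {sender_domain}")
    if INVOICE_WORDS.search(text) or INVOICE_WORDS.search(msg.get("Subject", "")):
        findings.append("invoice/renewal language")
    if not URL_RE.search(text):
        findings.append("no links at all (callback lure wants you to phone, not click)")

    numbers = {normalize_number(n) for n in PHONE_RE.findall(text)}
    official = OFFICIAL_NUMBERS.get(claimed_vendor.lower(), set())
    unknown = sorted(numbers - official)
    if unknown:
        findings.append(f"phone number(s) not on {claimed_vendor}'s official list: {unknown}")

    # A callback lure needs a number to call; an unknown number plus at least
    # one other cue is what we treat as suspicious.
    return {"suspicious": bool(unknown) and len(findings) >= 2,
            "findings": findings, "numbers": sorted(numbers)}


# Constructed sample: the lure described in the post (fictional 555 number).
LURE = """\
From: Microsoft Billing <ms.billing.dept@gmail.com>
To: user@example.com
Subject: Your Microsoft Defender renewal invoice #48213

Dear Customer,

Your Microsoft Defender subscription has been renewed for $399.99.
For any questions you may have, call our support desk at +1 (888) 555-0142.

Microsoft Support Team
"""

# Constructed sample: a benign internal message quoting the allowlisted number.
LEGIT = """\
From: Accounts Payable <ap@example.com>
To: user@example.com
Subject: Approved PO 1172 for Microsoft 365 licenses

Hi,

The purchase order is approved. Details are in the portal:
https://intranet.example.com/po/1172
Questions? Microsoft's published support line is +1 800 555 0100.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("legit", LEGIT)):
        print(name, triage(sample, "Microsoft"))
```

The verdict is deliberately conservative: a number alone is not enough, since plenty of legitimate mail quotes phone numbers, but an unlisted number combined with invoice wording, a free-mail sender or a link-free body is exactly the pattern the post describes and is worth routing to IT before anyone dials it.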