Multi-Stage Vishing Attacks are Coming to an Inbox Near You

New attacks initially coming in via email are directing victims to make phone calls to attacker-controlled call centers in order to provide banking and credit card details.

I’ve brought these kinds of phishing-turned-vishing attacks to your attention previously with examples of fake Amazon password resets or fake orders for expensive items – both pointing recipients to call phone numbers. But new examples of these increasingly frequent attacks are coming to light.

Rather than sending an email referencing an invoice attachment (usually for the purposes of installing malware), these scams simply use the email as the invoice or payment notice and drive readers towards calling a phone number to dispute the charge.


These scams are intent on getting recipients to divulge their credit card or banking details – all in the name of “getting you a refund”. 
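A mail-triage heuristic for the pattern described above, as an added example that is not from the original post: it flags a message that carries billing language, a phone number and a call-to-action, with no attachment. The keyword lists, the North American phone format, the function name `callback_phish_signals` and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not a real campaign email); the number is fictional.
SAMPLE = """\
From: billing@example.test
To: user@example.test
Subject: Payment notice for your order
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your card was charged $499.99 for your recent order.
If you did not authorize this charge, call +1 (555) 010-0199
to dispute it and receive a refund.
"""

# Assumed heuristics: North American phone format and a small keyword list.
PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
BILLING = re.compile(r"\b(invoice|charged?|payment|order|refund|receipt)\b", re.I)
CALL_CTA = re.compile(r"\b(call|dial|phone)\b", re.I)

def callback_phish_signals(raw: str) -> dict:
    """Return triage signals for an email that acts as its own invoice."""
    msg = message_from_string(raw)
    bodies, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():          # any named part counts as an attachment
            attachments += 1
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            bodies.append(data.decode(charset, "replace"))
    text = msg.get("Subject", "") + "\n" + "\n".join(bodies)
    phones = [m.group(0).strip() for m in PHONE.finditer(text)]
    billing = sorted({m.group(1).lower() for m in BILLING.finditer(text)})
    cta = bool(CALL_CTA.search(text))
    return {
        "phones": phones,
        "billing_terms": billing,
        "attachments": attachments,
        # Pattern from the post: no attachment, body is the notice, reader is told to call.
        "suspect": bool(phones and billing and cta and attachments == 0),
    }

if __name__ == "__main__":
    print(callback_phish_signals(SAMPLE))
```

A hit is a reason to route the message for review, not a verdict: legitimate receipts also contain support numbers, so extracted numbers should be compared against the vendor's published contact details.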

Once again, this very much unsolicited email should raise a red flag with anyone that receives it, erring on the side of “this is utter garbage” instead of “Oh my! I don’t owe that!” (which is exactly what the scammers want). Security Awareness Training is the means by which organizations teach users how to stay in that ever-vigilant mode when interacting with email and the web. By doing so, instead of taking everything at face value and believing it by default, users interact with unfamiliar content like this in a far more scrutinizing manner and are less likely to become victims.

Free Phish Alert Button

Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! Phish Alert benefits: 

Here's how it works:

  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest install for Microsoft 365
