Be vigilant against voice phishing calls and scams

Voice phishing, also known as vishing, is a common type of social engineering attack. Unlike email phishing, vishing takes place over phone calls, most of which are pre-recorded, automated robocalls. Using techniques similar to those of email phishing, such as impersonation, the attacker attempts to trick potential victims into:

    • providing confidential information (such as personal data and user credentials);
    • installing malware on their machines; or
    • performing fraudulent financial transactions.

There has been a rise in Vishing cases in Singapore, where attackers target employees working from home to collect login credentials for corporate networks and confidential company data. We urge you to exercise extra vigilance when responding to all kinds of voice calls, whether you are in the office or working from home.

What do I need to look out for?

Here are some tell-tale signs of voice phishing attacks:

  1. The caller is not a human, and the message is automated and pre-recorded (robocall).
  2. The caller is pretending to be an authority figure such as a police officer, tax regulator or government official.
  3. The caller threatens negative consequences if instructions are not followed.
  4. The Caller ID is unknown, unfamiliar or spoofed. Pay attention if the Caller ID has a “+” prefix. Do note that since Apr 2020, only incoming international calls have a “+” prefix displayed whilst local calls will not have a “+” prefix.

What should I do if I receive a suspicious call?

  1. Hang up immediately if you receive suspicious robocalls.
  2. Always verify the caller’s identity and purpose before taking any action.
    • If the caller is an NUS staff member, verify with another staff member from their department.
    • For external callers, verify with a contact obtained using official channels (e.g. the organization’s main hotline).
    • Never use the contact details given by the caller for verification.
  3. Do not panic when pressured to take any action, especially when threatened with a deadline.
  4. Do not divulge any information, especially personal data, account credentials, One-Time Passwords (OTPs) or classified University data.
    • This also includes information that might be of ‘little or no value’ to you as it could be used in subsequent calls to gain trust.
  5. Do not download and install any software that the caller asks you to install.

What if I have divulged information during a call?

If you accidentally divulged information of any kind, inform your manager immediately and:

You may also contact IT Care for assistance via 6516 2080 or itcare@nus.edu.sg.

 

 

Let’s all work together to keep NUS secure, bIT by bIT.