Phishing and Vishing for DBAs

Hey DBAs, you need to be hyper-vigilant! Yes, I know you know that you need to pay attention to details as you design databases, tune SQL performance, and make changes. One small slip up and you could impact the availability of data or, even worse, corrupt the data.

But you need to be super-aware as part of your day-to-day activities because hackers are out there phishing (and vishing) for DBAs.

New Fraudulent Activity

If you’ve been paying attention at all, I’m sure you’ve heard the term “phishing.” It is used to describe the fraudulent practice of sending emails purporting to be from a reputable source to induce individuals to reveal personal information, such as passwords and credit card numbers.

But maybe you haven’t heard the term “vishing” yet. This term is used to describe the same type of fraudulent activity as phishing, but using the phone instead of email so it is voice phishing or vishing. Now even if you haven’t heard the term, you have almost certainly gotten a vishing call at some point you know, the ones that come from “Windows.”

Well, it seems that hackers are starting to wise up, but only a little bit. Not so much that you won’t be able to identify a phish­ing or vishing attempt though. Instead of calling from Windows (which is ridiculous), hackers are calling from what looks like a valid number within your company. This is possible using a technique known as spoofing, wherein the hacker disguises the caller ID to display a number you may know and trust, such as a help desk number or another number in your data center. The call may be coming to your work phone or your mobile phone—whatever number the hacker may have acquired some­how. Chances are that the visher will continue to use the same number, so be sure to document the caller ID number and share it with your staff as a suspicious number (even if it is a valid internal number).

Targeting DBAs

It seems as if they are targeting DBAs, proba­bly because they have elevated access within most organizations. When the attacker goes vishing, they generally will share something to try to gain trust. If they know what your role is, they will say some­thing, such as “I know you are a DBA and I hope you can help me with something. I have this report/ query/code that is not working, and I just need your email so I can send it to you to review please.”

This type of request should send off alarm bells in your head. If the caller works at your company and has your phone number, they should be able to get your email address easily. Most organizations have a standard email format such as (or something similar). And, if the caller actually worked at your company, they would be able to get any email address they need from the email client global address directory, right?

Things you should look out for with this type of call are the following:

  • The caller typically does not state their name, department, or who they work for.
  • The caller will ask for your email address even if it is easy for any coworker to actually determine
  • If you question them or ask for additional informa­tion, they will start to become irritated or threatening.

Be vigilant watching for these types of calls. Don’t ever give out your email address over the phone to someone who cold-calls you, even if it looks as if they work at your company or threaten to go over your head or to “another DBA.” Just tell them that’s a good idea—and immediately report the vishing attempt to your supervisor.

Their goal is to get you to provide your valid email address so that they can send their “doc­ument” to you, and it will probably contain a virus of some sort. But if you bought their story, then you may be predisposed to open that document. It is a good rule of thumb to never accept or open an attachment (or link) from someone you do not know.

Techniques to Identify Vishing

Some of the same techniques used to iden­tify phishing emails can work to identify vishing calls. In phishing emails, words are often misspelled. In vishing calls, the speakers often use incorrect grammar, and in both phishing and vishing attempts, the communication frequently lacks professionalism. Phishing may be easier to identify because with vishing there is no telltale sign, as is revealed when you are able to hover your cursor over a link to see the actual URL. Nevertheless, there may be audio clues, such as distracting noise in the background, dis­tortion, or a poor phone connection—but not always.

In general, you should always be skeptical when answering calls from unknown num­bers, even when the number appears to be local. And if you engage and answer the call, never provide any identifying information to them over the phone. Always check the caller ID (but don’t trust that it is totally accurate) and search the web for keywords the caller uses (even during the call) to identify if it is a known scam.

Finally, since DBAs typically deal with ven­dors, you may receive a vishing attempt where the caller poses as one of your vendors. Be just as suspicious of these types of calls if the per­son is not a known contact you have dealt with in the past. Ask for their name and then call the vendor at a contact number you have used before. Alternatively, you can go to the vendor’s website or call the vendor directly to validate that the call is authentic.

The bottom line is that DBAs need to be vigilant to protect their company’s data and assets as phishing and vishing attacks continue to increase.