The term vishing is a portmanteau of voice and phishing. Most people have heard of “phishing”, which involves enticing the recipients of email or text messages into clicking on links to files or websites that harbor malware. The links may also appear in online advertisements that target consumers.
Vishing uses verbal scams to trick people into doing things they believe are in their best interests. Vishing often picks up where phishing leaves off. It is typically considered a type of phishing, which itself is a type of social engineering. Vishing is concerned with voice communication, whereas phishing typically relies on email communication.
Vishing attacks are carried out against both individuals and businesses, usually for monetary gain. However, they might also be motivated by other objectives, such as political, competitive or retaliatory aims.
Understanding the concept of vishing
A vishing attack is a type of phishing attack in which a threat actor uses social engineering tactics via voice communication to scam a target. The scammer may either try to convince a target to send them money or share any or all of the following sensitive information:
- Name
- Address
- Date of birth
- Usernames
- Passwords
- Credit card information
- Banking data
- Government-issued numbers (e.g. Social Security or Social Insurance)
Scammers who carry out vishing campaigns use an assortment of tactics to get their targets to divulge confidential information. They might call their targets directly or leave voice messages, and they might play recorded messages or speak to their targets live. They might precede their calls with a text message or employ some other mechanism to bait the prospective victims.
For example, a scammer might send a text message to a potential victim’s phone number, suggesting that there is a problem with the person’s bank account. This is followed by a voicemail message stating that the victim’s bank account experienced suspicious activity and is now locked down. The message then instructs the victim to call a specific telephone number and provide information to “verify the customer’s identity” or to “ensure that fraud has not occurred.”
Vishing scammers commonly try to instill a sense of urgency or veiled threat when communicating with their victims. They use fear, excitement, greed and other emotional responses to get their victims to reveal confidential information before they have time to consider what they’re doing.
Types of vishing attacks
Type | Description |
---|---|
Wardialing | In a wardialing type of vishing attack, cybercriminals call numbers in specific area codes and use an automated message to instill fear in victims. They pretend to be a local bank, business or police station calling to verify that the victim’s accounts have not been compromised, and typically ask for sensitive information such as mailing address, bank account details and even Social Security numbers. |
VoIP | VoIP-based calls are among the hardest vishing techniques to identify because cybercriminals hide behind a fake number. These numbers are typically 1-800 numbers or fake numbers with the local area code. |
Dumpster Diving | Dumpster diving is a technique few people expect to be used, but it is exactly what it sounds like. Criminals search dumpsters behind banks or other important organizations to gather enough information to conduct a targeted attack on a victim. Information they may gather includes account details, phone numbers or email addresses, which they then use in the social engineering stage of the attack. |
Caller ID Spoofing | This type of vishing attack is similar to VoIP, with the difference that the caller ID, instead of showing a number, shows a name such as “IRS” or “Police Department”. |
Technical Support | Scammers pretend to be customer support staff from big companies such as Apple, Microsoft or Bank of America. It is important to remember that banks will never ask you for personal information such as Social Security numbers over the phone. |
How scammers carry out vishing attacks
Today’s technologies make it possible for cybercriminals to conduct massive vishing campaigns.
One of the most important technologies is voice over IP (VoIP), a telecommunications system that uses high-speed IP networks to carry voice calls. Although VoIP is used extensively for legitimate business, cybercriminals are also taking advantage of the technology and its many features. With VoIP, they can carry out attacks without being detected, automate much of their operations, hide their locations or even keep moving locations.
Cybercriminals also use caller ID spoofing, the process of manipulating the displayed caller IDs to impersonate a legitimate source, such as a bank or government agency. In addition, they’ve begun to use machine learning to incorporate voice cloning into their operations. Voice cloning is a technique for simulating the voices of people whom their victims might recognize, making targeted attacks far more effective and difficult to detect.
Vishing based on VoIP is extremely difficult for authorities to trace, and when combined with voice cloning, it’s even trickier to stop. Furthermore, cybercriminals often outsource their vishing scams to individuals or organizations in other countries, which can leave national law enforcement with little power to act.
Even if this were not the case, those in other countries are also taking advantage of technologies such as VoIP, adding yet another layer of challenges.
Examples of vishing attacks
Most incidents of fraud involve telephone-based communication. Here are some examples of common vishing attacks:
Banking scams
Vishing attackers attempt to steal financial information such as bank account and credit card numbers. One method they use to trick their victims is caller ID spoofing, where they impersonate a legitimate entity using a caller ID that looks authentic.
For example, a scammer might pose as a CFO or employee in the financial department and try to persuade the target to transfer funds to an offshore account.
Unsolicited investment and loan offers
Scammers often call their targets offering unrealistically enticing deals, such as quick fixes to pay off debts or get-rich-quick schemes. These offers tend to require immediate action accompanied by a fee. A legitimate lender or investor does not initiate unsolicited contact or make overly optimistic offers.
Social Security and Medicare scams
Phone calls are the preferred method for scamming older targets. Scammers often pose as representatives from Medicare or the Social Security Administration. They may try to steal personal information such as Medicare or Social Security numbers or threaten to suspend or stop benefits.
Scammers can use the stolen information to steal money or redirect benefits.
Tax scams
Scammers often send a prerecorded message, ostensibly from the IRS, informing victims of a supposed issue with their tax returns. Spoofed caller IDs often make it look like the call is from the IRS.
How common is vishing
Credit card fraud in 2015 was a $16 billion business globally, and vishing came in at $1 billion, according to the BBC. Essentially, vishing can occur anytime perpetrators gain access to victims’ personal information.
Cybercriminals deliberately create conditions designed to con unsuspecting victims into willingly handing over valuable personal details, such as full names, addresses, phone numbers, and credit card numbers.
With that information, cybercriminals can initiate numerous fraudulent charges, starting with fake fees for computer repairs or antivirus software, depending on the scam.
Vishing thrives when cybercriminals have a modicum of information about a user’s interests. They take advantage of this knowledge to create a sense of urgency involving a problem in the victim’s life, and then they step in to save the day by offering a simple solution to the problem in soothing tones.
How to recognize vishing
In many cases, callers are self-appointed experts or authorities in their fields. They can masquerade as computer technicians, bankers, police, or even victims themselves.
However, if these callers are legitimate, it shouldn’t be difficult to authenticate their professional affiliation with a simple phone call. If they can’t — or won’t — provide the information necessary to verify their identity, they can’t be trusted. If they do provide contact info, it’s still important to independently verify the legitimacy by using an official public phone number to call the organization in question.
Although it’s tempting to give in under pressure, a frantic sense of urgency is a huge red flag. Users should take a couple of deep breaths, and then write down any information the person provides on the call — without providing any details of their own. Again, they can access third-party sources to find a public phone number to call for verification.
Recipients of these calls also shouldn’t click on links in emails (phishing) or in mobile phone SMS text messages (smishing) that the person on the phone might send. Any such correspondence is likely to contain “hooks” that download malware that could take control of computer systems, steal user credentials, and even spy on users.
If consumers receive unsolicited calls from anyone offering any type of computer service, they shouldn’t attempt to call back using the same phone on which they received the call.
Phone technology now exists that locks a victim’s phone line after hanging up and redirects their next calls to the fraudulent caller. People who believe an issue could be authentic should use another phone to call a publicly acknowledged phone number.
How to stop vishing
People who fall victim to vishing attacks can be well-informed of the risk, but simply caught off-guard. Threat actors change their tactics regularly to try to fool people in new ways. You may pick up a call during a busy day when the last thing you expect is a vishing attack, or the caller might use information that sounds familiar enough to be convincing.
To stay alert and be ready if you get one of these calls, here are some things to remember:
- Pay attention to the caller’s tone. Scammers may also use a discourteous or impatient tone to imply urgency or create fear, unlike the trained employees from the organization they claim to represent.
- Stay calm and take a breath. Vishing attackers create a false sense of urgency by exploiting your emotions. Don’t share any sensitive information over the phone without verifying the caller’s identity. You can look their organization up and call them directly.
- Keep your guard up even if the caller has some of your information. For example, they may have gathered some of your publicly available data from the Internet, like your name, location, or IP address.
- Screen your calls with Caller ID and don’t pick up unknown or suspicious numbers. Wait for the caller to leave you a voice message to decide whether you should call back. Remember, many robocall scams follow a recognizable script.
- Exercise caution and simply hang up if you suspect that it’s a scammer.
Mitigating additional attack vectors
Unlike phishing, vishing is hard to stop with technical controls alone. Because vishing takes place over the phone, an organization would need to eavesdrop on all phone calls and look for warning signs to detect an attack.
For this reason, organizations should build a threat model and focus on the attacker’s objectives when preventing vishing attacks. For example, a vishing attack targeting an organization may have one of several goals:
- Infecting an employee’s computer with malware
- Compromising an employee’s access credentials
- Gaining access or control over a user’s device
By isolating each of these threat scenarios, the organization can implement solutions that stop attackers in the later stages of the attack—even if the initial vishing call remains undetectable.
Vishing vs. smishing vs. phishing
Vishing, phishing, and smishing are all types of attacks that only differ by the threat vectors they employ. Phishing has been around since at least the early days of e-mail, and both vishing and smishing are combinations of the word “phishing” and the communication method used.
Vishing (voice phishing) occurs through voice communication, and smishing (SMS phishing) uses SMS text messages as an attack medium.