Vishing, also known as voice phishing, is a type of cyberattack wherein malicious actors use phone calls in an attempt to collect confidential information from their targets. In this type of cybercrime, attackers use clever social engineering techniques to persuade victims to take action, which results in sharing sensitive data and financial details, including account numbers and login information.
They use threats and convincing language to make users feel as if they have no choice but to give away the requested information. The “visher” will frequently claim to be contacting the victim on behalf of law enforcement, or their bank, informing them that their account has been compromised. In some instances, it might even offer to assist targets with software installation. Keep in mind that it’s probably malware.
Although it is an attack that uses the voice (as implied by the mashup of “voice phishing”), it doesn’t mean that communication is limited to phone calls.
This type of cyberattack frequently begins with the sending of a text message. This is the reason why vishing and smishing are frequently considered to be the same. Despite having similar objectives, the methods employed in each case differ in some ways. But let’s take a quick look at the differences between these attacks.
The Phishing-Smishing-Vishing Family
The word “phishing” was first used in the 1990s to refer to the actions that scam artists employed as “lures” to get to their victims in cyberspace. The term is still used to describe scams that use social engineering to attempt to deceive people into falling into a trap.
Social engineering is the act of using people’s naturally sociable character in order to trick or manipulate them into exposing private or confidential information that may be used in fraudulent activities, spreading malware, or giving access to restricted systems.
As cybercrime evolved, the concepts “smishing” and “vishing” have popped up, which can be categorized as forms of phishing. When it comes to smishing attacks, fraudsters send SMSs to their targets in an effort to persuade them to click on a harmful link or respond to the message with personal information. The entire process consists solely of text exchange.
Vishing involves voice contact at some point during the attack. The purpose of the initial message is only to lure a potential victim into calling a number so the attackers can proceed with the attack or to verify that the number actually belongs to someone.
Stages of Vishing
There is so much more than just contacting random numbers for a vishing attack to be successful. Read on and discover the four phases of vishing.
Phase 1: The research
The threat actors begin the attacks by learning more about their targets. During the first phase of the vishing attack, the intruders can send phishing emails, hoping they will hear back from the targets, who will be willing to provide their contact information. By using advanced software, they can call numerous individuals using a number with the same area code as the victims.
Phase 2: The actual call
If the victim has already been duped by a phishing email, they will probably not be wary of the person on the phone. Depending on how clever the vishing strategy is, the target is expecting a call. And hackers are aware of the fact that calls from numbers with a local area code are more likely to be picked up.
Phase 3: The requests
Once the fraudster manages to get in touch with someone over the phone, the next step is to appeal to the target’s basic instincts of trust, fear, greed, and need to help. After using all or just some of these social engineering tactics to assure the victims they are doing the right thing, the attacker may ask them to:
Provide bank account information and credit card details
Give away email addresses
Send private work-related documentation
Offer information about their company
Phase 4: The win
But this is not all. The malicious actors can now carry out additional crimes as they managed to get all that information. For instance, they might empty the victim’s bank account, steal their identity, and make unapproved transactions using the victim’s credit card. In addition, they can email the victim’s coworkers to fool someone into divulging sensitive corporate data.
Common Lures in Vishing Attacks
The credit card account scam
Whether it’s an actual person or a prerecorded message, you’ll be informed there’s something wrong with your account or the payment you made. To fix the issue, you might be urged to give away your username and password or required to make a new payment. Rather than providing your personal details, end the conversation and contact your bank on the number you will find on its legitimate website.
Unrequested credit or investment offers
Fraudsters will contact you with offers that sound too good to be true. They may claim that you can pay your debts in full, make a fortune on one small investment, or have all of your student loans forgiven in one go. Usually, they’ll ask you to take action right away and make a small payment. Don’t let yourself be fooled! Genuine lenders and investors will never make such offers or call you unexpectedly.
Social Security or Medicare scam
In some cases, the attackers might say they call on behalf of the Social Security Administration and threaten to suspend or cancel the target’s Social Security number. They might also pretend to be Medicare representatives and ask the victim for financial details, including account information or Medicare number. Depending on how successful the attack is, the scammer may either snatch the victim’s money or use their Medicare benefits fraudulently. The Federal Trade Commission reports that phone calls are the No. 1 technique malicious actors use to contact senior citizens.
The IRS tax vishing scam
Although there are many forms of this scam, you will usually get a prerecorded message. It informs you that there is a problem with your tax return and that a warrant will be issued for your arrest if you don’t return the call. Con artists frequently combine this with a spoofed caller ID that makes it seem like the call is from the IRS.
Prize vishing scams
Everybody wants a chance to win a free prize, and malicious actors take advantage of this desire to fool unwary victims into divulging personal data. The scammer will say that your information is necessary to process the gift and make sure you’ll receive it on time.
How to Stay Protected?
Make sure you follow the recommendations below in order to avoid falling victim to a vishing attack:
Never confirm or give away sensitive information over the phone. Keep in mind that neither your bank nor any government agency will ever contact you and request your personal details.
Pay close attention to the person on the phone. Listen to the language they use, and think twice before saying anything. Again, never divulge any private details. Never confirm your address. Also, be suspicious of threats and urgent requests.
Don’t pick up the phone if you don’t recognize the number. It may be a habit to answer every call, but you should just let them go to voicemail. You might not know who is calling because caller IDs can be spoofed. Determine whether to call the person back after carefully listening to your messages.
If you decide to answer the call, avoid providing information about your identity, your employer, or your physical address.
Ask questions. If the caller is offering you a free prize or attempting to sell you something, request proof of who they are and where they work. Before providing your information, verify any information provided by the caller. Hang up if they refuse to give you these details.
Register your phone number with the Do Not Call Registry. It costs nothing to add your home or mobile phone number to this registry, which informs telemarketers that you do not wish to receive their calls. If you do get a call from a telemarketing firm, it’s likely a vishing attack because most reputable companies respect this list.
Think back to the information you learned about social engineering attacks during your training sessions. Watch out for language that exploits basic human emotions such as fear, greed, trust, and the desire to help others.
It’s important to be aware that your manager or HR will never call you at home and request that you send money, sensitive data, or documents via email from your personal account.
Never reply to emails or messages on social media that require your phone number. This is how a targeted phishing/vishing attack starts. Notify the IT/support team of these emails and messages.
What to Do If You Got Tricked?
If you’ve given your banking details to someone you later suspect is a scammer, the first thing to do is to contact your bank. Call your credit card company, financial institution, or Medicare contact and ask about canceling suspicious transactions and blocking potential charges.
For extra security against unauthorized use of your current accounts, you might have to change your account numbers.
Vishing attacks are intended to deceive you, but now you can recognize the warning signs before you answer the phone. Be vigilant and avoid falling victim to cybercriminals who attempt to intercept personal information over the phone.