Vishing (voice + phishing), or phone phishing, is a malicious practice that aims to get victims to reveal sensitive information or perform compromising actions.
We are accustomed to receiving phone calls from companies for advertising purposes. Among these calls, some are malicious and aim to extort personal information such as identity details, passwords, or banking details.
This attack can occur directly through a voice call or through instant messaging. The hacker may also leave a voicemail urging you to call back quickly or to perform a compromising action.
According to a Proofpoint report based on a survey of more than 600 IT professionals in 7 different countries, 83% of the companies surveyed have experienced vishing in the past.
How does voice phishing work?
The first step of vishing is reconnaissance: the hacker must find a pretext to contact the victim. The hacker goes through a phase called OSINT (the collection of information from open, publicly available sources) in order to be consistent in their role and to build a credible pretext for the attack.
The second step is the phone call: the exchange between the victim and the attacker happens at this stage. The attacker uses the gathered information to create a climate of trust and obtain further information from the victim.
Finally comes the cash-in stage: the hacker compromises the company's operations. They extort data, install ransomware, or transfer money out of the company.
Vishing relies on manipulation techniques, that is, on social engineering. The hacker draws on numerous psychological principles, from authority to urgency, as well as trust, to manipulate the victim.
A well-known form of vishing is the CEO scam. Here the malicious individual uses authority so that the target abandons the security protocols and follows the orders of their "superior".
The hacker can also exploit an urgent pretext with the same objective of bypassing the security process. And that's not all: there are many other manipulation principles that hackers can use. We only present a sample of known techniques here.
Why does it work?
Victims generally lower their guard during a vishing attack because the attacker uses one or more emotional triggers without the victim noticing. Compared to email phishing, having a conversation and responding in real time increases the possibility of manipulation. The hacker establishes trust in the exchange and pretends there is an emergency so that the victim acts emotionally instead of thinking rationally about the requested actions.
The hacker has usually collected multiple pieces of information and may have hacked into the victim's email account, which they use to lend credibility to their story.
Some vishing cases exploit technologies such as deep fakes or use voice impersonators to increase the credibility of the attack and the ability to impersonate someone else.
It is difficult for an employee to refuse the orders of a hierarchical superior, especially when the exchange takes place over a phone call.
The attacker usually invokes urgency so that the victim does not follow the usual security protocols. Faced with a "VIP," the victim usually does not dare to object and makes sure to comply with the various requests.
It is usually only after the call ends that the victim checks the identity of the person they just spoke to. Unfortunately, if they have already performed the requested actions, it is too late to go back.
Examples of vishing attacks
Gilbert Chikli, a French hacker, was sentenced to 7 years in prison after diverting 8 million euros from 33 banks and companies. Chikli used the CEO scam to request money transfers, impersonating a company president or a DGSE agent fighting terrorism.
Having laid the groundwork for CEO-scam vishing, Chikli managed to extort a total of 60 million euros. The victims were nevertheless able to recover 52.8 million euros.
In 2015, a group of scammers impersonated the identity of Mr. Le Drian, the Minister of Foreign Affairs. They asked several NGOs and companies to financially support France to free hostages or fight against terrorism.
The modus operandi used was always the same: impersonating an authority figure over the phone. The fake Le Drian used a silicone mask resembling the minister's face to deceive the victims during video conferences. In the end, the group of hackers stole several tens of millions of euros through more than 150 attempted frauds.
During the DEFCON hacking conference in Las Vegas, Kevin Roose from Future Technology asked Chris Hadnagy to show him a cyber attack. He wanted to witness a simple but effective social engineering attack on his personal information, a perfect demonstration of vishing.
The vishing of the future
Vishing techniques are evolving every day to carry out unprecedented attacks that surprise their victims. Voice cloning, which allows someone's voice to be impersonated, is a technique that is gradually developing. It is possible to transform one's own voice to imitate that of an individual whose voice recording has been obtained.
With the progress of artificial intelligence, a synthetic voice can be created that imitates an individual's voice from a recording of just a few seconds. One company has already experienced such an attack: an artificial voice imitating that of an executive led another executive to transfer €220,000 to a foreign account.
The CEO of the company received a call from an executive of the parent company asking for a transfer of €220,000 to a Hungarian account. The victim claimed to have recognized the voice of their superior, including their intonation and accent. The hacker then used the executive's actual email account, which had been hacked beforehand, to send the details of the transfer.
The next day, the CEO received a second call announcing that the transfer would be repaid. A few hours later, the CEO received a third call, and since the repayment had not appeared, the fraudster requested a second transfer. However, the CEO noticed that the call was coming from Austria. Additionally, the account number to which the hacker requested the transfer was different from the first one. The CEO decided to hang up and contact their superior through alternative means, realizing that they had been the victim of vishing.
Protecting yourself from vishing
Here are 6 practices to know to defend yourself against vishing:
- Have strict procedures for sensitive operations and prohibit any deviation, regardless of the reason or urgency presented.
- Verify the identity of your interlocutor through a second contact channel before taking critical actions. Avoid using email, which can be compromised.
- If there is doubt about the individual's identity, terminate the conversation. Then contact the relevant service to authenticate the number.
- Take note of all the information that is provided to you and send this report to the company's security service.
- Be extra vigilant if your interlocutor mentions urgency, money transfers, or emotional reasons.
- Deploy voice biometrics solutions. For example, Whispeak authenticates your callers based on their voiceprint.
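The following is an added example, not code from the original article: a small Python gate that applies the practices above to a payment request. It keeps notes on every request for the security service, never deviates from the fixed procedure whatever urgency is invoked, and takes the callback number only from an internal directory, never from the caller. The directory entries, account identifiers and phone numbers are constructed placeholders, and the thresholds are assumptions. As a generalisation of the €220,000 case above, it also flags a second request from the same claimed identity that names a different beneficiary.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed internal directory (assumed to be the company's authoritative
# record). It is the ONLY source of callback numbers; a number supplied by the
# caller is never used for verification.
DIRECTORY = {
    "alice.martin": {"role": "executive, parent company", "phone": "+33-1-00-00-00-01"},
}
# Constructed list of beneficiary accounts already vetted by finance.
APPROVED_BENEFICIARIES = {"FR00-PLACEHOLDER-0001"}
URGENCY_WORDS = ("urgent", "immediately", "right now", "confidential", "today")
FOUR_EYES_THRESHOLD_EUR = 10_000  # assumed policy threshold

# Flag texts used both when evaluating and when finalizing a decision.
UNKNOWN_IDENTITY = "claimed identity not in internal directory"
CALLBACK_MISMATCH = "callback number given by caller differs from directory"
NEW_BENEFICIARY = "beneficiary account not on approved list"
LARGE_AMOUNT = "amount at or above four-eyes threshold"
URGENCY = "urgency language used"
BENEFICIARY_CHANGED = "beneficiary differs from a previous request by the same identity"


@dataclass
class TransferRequest:
    claimed_identity: str       # directory key the caller claims to be
    amount_eur: float
    beneficiary_account: str
    caller_number: str          # displayed caller ID; can be spoofed, so informational only
    callback_number_given: str  # number the caller asks to be called on; never trusted
    message: str                # the employee's notes of what was said


@dataclass
class Decision:
    status: str                      # "REJECT", "VERIFY" or "APPROVE"
    callback_number: Optional[str]   # directory number to verify on, if any
    flags: List[str] = field(default_factory=list)


class TransferGate:
    """Fixed procedure: note everything, never deviate, verify out of band."""

    def __init__(self, directory=DIRECTORY, approved=APPROVED_BENEFICIARIES):
        self.directory = directory
        self.approved = approved
        self.log: List[Tuple[TransferRequest, Decision]] = []  # report for security

    def evaluate(self, req: TransferRequest) -> Decision:
        flags = []
        entry = self.directory.get(req.claimed_identity)
        if entry is None:
            flags.append(UNKNOWN_IDENTITY)
        elif req.callback_number_given != entry["phone"]:
            flags.append(CALLBACK_MISMATCH)
        if req.beneficiary_account not in self.approved:
            flags.append(NEW_BENEFICIARY)
        if req.amount_eur >= FOUR_EYES_THRESHOLD_EUR:
            flags.append(LARGE_AMOUNT)
        if any(w in req.message.lower() for w in URGENCY_WORDS):
            flags.append(URGENCY)
        # A change of beneficiary between requests from the same claimed identity
        # is the signal the CEO in the story above eventually noticed.
        for prev, _ in self.log:
            if (prev.claimed_identity == req.claimed_identity
                    and prev.beneficiary_account != req.beneficiary_account):
                flags.append(BENEFICIARY_CHANGED)
                break
        if entry is None:
            decision = Decision("REJECT", None, flags)
        else:
            # A sensitive transfer is never executed on the strength of the call
            # itself; it always waits for a callback on the directory number.
            decision = Decision("VERIFY", entry["phone"], flags)
        self.log.append((req, decision))  # every request is recorded
        return decision

    def finalize(self, decision: Decision, callback_confirmed: bool,
                 finance_signoff: bool = False) -> Decision:
        """VERIFY becomes APPROVE only after confirmation on the directory number;
        an unapproved beneficiary additionally needs finance sign-off."""
        if decision.status != "VERIFY" or not callback_confirmed:
            return Decision("REJECT", decision.callback_number, decision.flags)
        if NEW_BENEFICIARY in decision.flags and not finance_signoff:
            return Decision("REJECT", decision.callback_number,
                            decision.flags + ["new beneficiary needs finance sign-off"])
        return Decision("APPROVE", decision.callback_number, decision.flags)

    def security_report(self) -> List[str]:
        """Notes to hand to the security service, one line per request."""
        return [f"{r.claimed_identity} {r.amount_eur:.0f} EUR -> {r.beneficiary_account}: "
                f"{d.status} {d.flags}" for r, d in self.log]
```

The point of the design is that urgency never shortens the path: even a call that matches the directory number only reaches VERIFY, and the employee places the callback themselves on the number from the directory. Everything said on the call ends up in the report regardless of the outcome.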
Like many manipulation attacks, vishing is only possible if the human element is not sufficiently trained. It is therefore important to educate your employees about the possibilities of vishing and its consequences.
Awareness also comes through practice, ensuring that your employees are prepared to face such attacks. Conduct tests and practical simulations to gain visibility into the behavior of the employees who may be targeted by these attacks.