
Vishing Defense: Protect Your Information

Vishing is a potent threat. It is essentially phishing over voice. It has always been a threat, but it is becoming more accessible and prevalent given the recent developments in generative AI. On this page, you'll find everything you need to know about vishing.

Arsen Team
3 minutes read

What is Vishing?

Vishing, or voice phishing, is a type of phishing scam where attackers use phone calls to deceive individuals into providing personal information, such as credit card numbers, social security numbers, or login credentials.

Unlike email phishing, vishing relies on verbal communication.

142% increase in vishing attacks in Q4 2022

$39.5 billion cost of vishing for US citizens in 2022

39% of attackers knew victims' home addresses before the call

How Vishing Works

Vishing typically involves scammers calling victims and pretending to be representatives from legitimate organizations, such as banks, government agencies, or tech support.

The goal is to elicit personal or financial information under false pretenses.

Techniques include using authority, creating a sense of urgency, using technical jargon, or exploiting emotions like fear or greed.

Just like any social engineering tactic, it relies on generating an emotional reaction that makes the victim bypass security rules and processes.

Common tactics used in vishing

To execute vishing, attackers combine several tactics.

Caller ID spoofing

Scammers manipulate the caller ID to display a trusted number, such as your bank or a government agency, making the call appear legitimate.

Social Engineering

Attackers use psychological manipulation to exploit human behavior. They may pose as authority figures, create a sense of urgency, or use flattery to gain the victim's trust.

Automated Calls and Voicemails

Automated systems can deliver pre-recorded messages that prompt the recipient to call back a fraudulent number or press a button to speak with a live agent.

For instance, we've seen call bots used to bypass MFA.

Instant messaging services that support voice messages are also used. WhatsApp, Facebook Messenger, and other instant messaging platforms make it possible to send asynchronous voice messages that can serve as vishing vectors. More recently, voice AI technologies let attackers scale their operations or operate in languages other than their own.

Recognizing Vishing Attempts

Like all deception and social engineering attacks, it’s really hard to identify an attack when it’s occurring if you don’t know what to look for and if you’re already reacting emotionally to it.

However, by recognizing red flags and warning signs and having knowledge of a few common scenarios, it’s possible to increase your chances of recognizing vishing attempts.

Red flags and warning signs

There are a few signs that should make you more suspicious in an interaction with a remote third-party:

  • Unsolicited calls that ask for personal or financial information: This should immediately trigger your suspicion and make you apply a few countermeasures right away.
  • Request for immediate action or payment to avoid severe consequences: Urgency is one of the most used manipulation techniques. It often triggers strong emotional reactions that can bypass rational thinking. Anytime you feel pressured, you should take a step back and question the situation.
  • Caller uses high-pressure tactics to elicit quick responses: Aside from urgency, fear and authority are both very popular manipulation tactics that should trigger the same suspicion as urgency on your side.
  • Poor sound quality, heavy accents, or background noise: These are not always present, but many vishing attacks operate from call centers with a lot of background noise and teams of scammers.

Common vishing scenarios

There are a few very common vishing attacks that run continuously, and it’s a good idea to know them to facilitate their identification.

  • Bank or credit card company asking to verify account details or calling about suspicious activity detected on your account: Scammers will call you pretending to be from your bank, using personal information they may have obtained elsewhere, and will try to get you to grant access to your account or disclose information that would let them access it.
  • Government agency demanding immediate payment for taxes or fines: Using authority and urgency, they will try to make you pay through credit card or online forms during the call.
  • Tech support claiming your computer has a virus and offering help for a fee: They will usually try to make you pay online directly but can also gain illegitimate access to your information system and exploit it later on.

Keep in mind that vishing can be used in many other ways, and these examples are not exhaustive.

Risks and consequences

Vishing can affect both people on a personal level and organizations.

Personal risks

  • Identity theft: Scammers use stolen information to open credit accounts or commit other forms of fraud in your name.
  • Financial loss: Direct theft of funds from bank accounts or credit cards.
  • Emotional distress: Victims may experience stress, anxiety, and a sense of violation.

Business risks

  • Data breaches: During a vishing attack, just like any social engineering vector, employees may inadvertently provide access to company systems or data.
  • Financial damage: Companies can suffer significant financial losses from fraud in various forms, enabled by vishing attacks.
  • Reputational harm: Like all successful cyberattacks, a business's reputation can be severely damaged if customers' data is compromised.

Prevention and protection against Vishing

Like all attacks targeting people, you need to consider measures both at the individual level and at the business level.

Measures for Individuals

  • Verify the caller's identity independently by contacting the organization directly using a number you already know. Attackers can fake the caller ID, but intercepting your call back to the real number is much more complicated.
  • Never provide personal information over the phone unless you initiated the call.
  • Be skeptical of unsolicited calls, especially those asking for immediate action.
  • Use call-blocking apps and services to filter unwanted calls.

Measures for Businesses

  • Conduct regular employee training on recognizing and responding to vishing attempts. This implies theoretical training but also live simulations, as you need to train both knowledge and reflexes.
  • Implement strict verification procedures for any request for sensitive information.
  • Use technology solutions, such as caller authentication and voice biometrics, to enhance security. For highly exposed employees in particular, add call-filtering systems and programmatically enforced security procedures for payments and other sensitive operations.
  • Encourage a culture of security awareness within the organization: a strong security culture leads to much better detection of and response to social engineering attacks overall.

Responding to Vishing Attempts

When a vishing attempt is detected, there are two main response levels: immediate actions you need to take right away, and reporting actions that can be handled by you or by your incident response team if you have one.

Step 1: Immediate actions

  • Hang up immediately if you suspect a call is fraudulent: The more time you spend with the caller, the more information they can get.
  • Do not engage with the caller or provide any information.
  • Note the phone number and any details about the call: It will help provide key information during the reporting phase.

Step 2: Reporting vishing

  • In an individual context, report the incident to your bank or the relevant organization the caller claimed to represent.
  • In a business context, report the incident to your security team.

Additionally, you can also file a complaint with the relevant protection services of your country and inform your phone service provider to help block future calls.


Frequently Asked Questions

You should hang up immediately and report the call and its information to relevant authorities.

The best way is to call back the organization or person from a number you already know to be theirs, not necessarily the one they are calling you from.

Yes, depending on your level of exposure and your security requirements, different tools ranging from call blockers to voice biometric identification can be used.

The 3 most popular vishing scenarios are:

  1. The bank calling you and asking for specific information or access to your accounts
  2. A government agency calling you for tax or fine payment
  3. A fake computer service agency offering to help you "fix your computer"
