Resources

Vishing Defense: Protect Your Information

Vishing is a potent threat. It's basically phishing over voice. It always has been but it's becoming more accessible and prevalent given the recent developments in generative AI. On this page, you'll find everything you need to know about vishing.

Arsen Team
3 minutes read
What is vishing?

What is Vishing?

Vishing, or voice phishing, is a type of phishing scam where attackers use phone calls to deceive individuals into providing personal information, such as credit card numbers, social security numbers, or login credentials.

Unlike email phishing, vishing relies on verbal communication.

142%

Increase

in growth of vishing attacks in Q4 2022

$39.5

Billion

cost of vishing for US citizen in 2022

39%

Attackers

knew victims home addresses before the call

Attackers

knew victims home addresses before the call

39%

knew victims home addresses before the call

39%

Attackers

How Vishing Works

Vishing typically involves scammers calling victims and pretending to be representatives from legitimate organizations, such as banks, government agencies, or tech support.

The goal is to elicit personal or financial information under false pretenses.

Techniques include using authority, creating a sense of urgency, using technical jargon, or exploiting emotions like fear or greed.

Just like any social engineering tactic, it relies on generating an emotional reaction that makes the victim bypass security rules and processes.

Common tactics used in vishing

To execute vishing, attackers combine several tactics.

Caller ID spoofing

Scammers manipulate the caller ID to display a trusted number, such as your bank or a government agency, making the call appear legitimate.

Social Engineering

Attackers use psychological manipulation to exploit human behavior. They may pose as authority figures, create a sense of urgency, or use flattery to gain the victim's trust.

Automated Calls and Voicemails

Automated systems can deliver pre-recorded messages that prompt the recipient to call back a fraudulent number or press a button to speak with a live agent.

For instance, we've seen call bots used to bypass MFA.

Instant messaging services allowing for vocal messages are also used. WhatsApp, Facebook Messenger, and other instant messaging platforms make it possible to send asynchronous vocal messages that can be used as vishing vectors. More recently, voice AI technologies allow attackers to scale or operate in different languages than their own.

Recognizing Vishing Attempts

Like all deception and social engineering attacks, it’s really hard to identify an attack when it’s occurring if you don’t know what to look for and if you’re already reacting emotionally to it.

However, by recognizing red flags and warning signs and having knowledge of a few common scenarios, it’s possible to increase your chances of recognizing vishing attempts.

Red flags and warning signs

There are a few signs that should make you more suspicious in an interaction with a remote third-party:

  • Unsolicited calls that ask for personal or financial information: This should immediately trigger your suspicion and make you apply a few countermeasures right away.
  • Request for immediate action or payment to avoid severe consequences: Urgency is one of the most used manipulation techniques. It often triggers strong emotional reactions that can bypass rational thinking. Anytime you feel pressured, you should take a step back and question the situation.
  • Caller uses high-pressure tactics to elicit quick responses: Aside from urgency, fear and authority are both very popular manipulation tactics that should trigger the same suspicion as urgency on your side.
  • Poor sound quality, heavy accents, or background noise: They are not systematically present, but a large amount of vishing attacks operate from call centers with a lot of background noise and teams of scammers.

Common vishing scenarios

There are a few very common vishing attacks that run continuously, and it’s a good idea to know them to facilitate their identification.

  • Bank or credit card company asking to verify account details or calling for suspicious activity detected on your account: Scammers will call you, pretending to be from your bank, using personal information they might have obtained from other means and will try to make you give access to your account or disclose information that would allow them to access them.
  • Government agency demanding immediate payment for taxes or fines: Using authority and urgency, they will try to make you pay through credit card or online forms during the call.
  • Tech support claiming your computer has a virus and offering help for a fee: They will usually try to make you pay online directly but can also gain illegitimate access to your information system and exploit it later on.

Keep in mind that vishing can be used in many other ways, and these examples are not exhaustive.

Risks and consequences

Vishing can affect both people on a personal level and organization.

Personal risks

  • Identity theft: Scammers use stolen information to open credit accounts or commit other forms of fraud in your name.
  • Financial loss: Direct theft of funds from bank accounts or credit cards.
  • Emotional distress: Victims may experience stress, anxiety, and a sense of violation.

Business risks

  • Data breaches: During a vishing attack, just like any social engineering vector, employees may inadvertently provide access to company systems or data.
  • Financial damage: Companies can suffer significant financial losses from fraud in various forms, enabled by vishing attacks.
  • Reputational harm: Like all successful cyberattacks, a business's reputation can be severely damaged if customers' data is compromised.

Prevention and protection against Vishing

Like all attacks targeting people, you need to consider measures both at the individual level and at the business level.

Measures for Individuals

  • Verify the caller's identity independently by contacting the organization directly using a known number. Attacks can fake the caller ID, but intercepting the call back to the number is much more complicated.
  • Never provide personal information over the phone unless you initiated the call.
  • Be skeptical of unsolicited calls, especially those asking for immediate action.
  • Use call-blocking apps and services to filter unwanted calls.

Measures for Businesses

  • Conduct regular employee training on recognizing and responding to vishing attempts. This implies theoretical training but also live vishing simulations, as you need to train both knowledge and reflexes.
  • Implement strict verification procedures for any request for sensitive information.
  • Use technology solutions, such as caller authentication and voice biometrics, to enhance security. Especially for highly exposed employees, filtering systems and programmatically enforced security procedures for payment and sensitive operations.
  • Encourage a culture of security awareness within the organization: culture will help having a much better process to detect and respond to social engineering attacks overall.

Responding to Vishing Attempts

When a vishing attempt is detected, there are main response levels: immediate actions you need to take right away, and reporting actions that can be taken care of by you, or your incident response team if you have one.

Step 1: Immediate actions

  • Hang up immediately if you suspect a call is fraudulent: The more time you spend with the caller, the more information they can get.
  • Do not engage with the caller or provide any information.
  • Note the phone number and any details about the call: It will help provide key information during the reporting phase.

Step 2: Reporting vishing

  • In an individual context, report the incident to your bank or the relevant organization the caller claimed to represent.
  • In a business context, report the incident to your security team.

Additionally, you can also file a complaint with the relevant protection services of your country and inform your phone service provider to help block future calls.

Book a demo

Learn what makes Arsen the go-to platform to help CISOs, cyber experts, and IT teams protect their organizations against social engineering.

Frenquently Asked Questions

You should hang up immediately and report the call and its information to relevant authorities.

The best way is to call back the organization or person calling you from a known number you have. Not necessarily the one they are calling you from.

Yes, depending on your level of exposition and security requirements, different tools ranging from call blockers to vocal biometric identification can be used.

The 3 most popular vishing scenarios are:

  1. The bank calling you and asking for specific information or access to your accounts
  2. A government agency calling you for tax or fine payment
  3. A fake computer service agencies trying to help you to “fix your computer”

Continue reading

Examples of vishing attacks

Examples of vishing attacks

Thomas Le Coz
Thomas Le Coz

Vishing, or voice phishing, is a form of phone scam where attackers impersonate trusted entities to trick victims into revealing sensitive information. In this article, we'll look at common vishing examples. Understanding these tactics can help you identify and protect...