If you’ve ever received a phone call about your car’s extended warranty, then you’ve gotten a vishing phone call. A February 2021 Business Insider survey reports that 46% of Americans receive daily spam calls on their cell phones.
What is vishing? The term stands for voice phishing, which is a type of phishing that bad guys use to scam or trick people into providing sensitive personal or payment information using primarily phone calls and voicemails. It’s all about getting people to trust the caller and believe that they’re doing the right thing by providing that info or doing something they normally wouldn’t.
Vishing is a cybercrime method that, unfortunately, isn’t going out of style anytime soon. In January 2021, the FBI reported that cybercriminals used voice phishing phone calls (in combination with a phishing website) to trick employees at several companies into giving up their login credentials.
But what is vishing in a more technical sense? How does vishing work to get you to spill your personal info? We’ll explore several voice phishing methods and will share how to protect yourself and your organization.
What Is Vishing? A Voice Phishing Definition
Vishing, sometimes called voice phishing, is a cybercrime method that involves using phone calls to obtain the personal details of unsuspecting individuals. Cybercriminals often use vishing because it’s an effective way to convince their victims to:
- disclose their sensitive personal information,
- send or otherwise disclose sensitive or confidential company information, and
- make fraudulent payments via wire transfers and pre-paid gift card codes.
Vishing Relies on Social Engineering Tactics
Social engineering is a category of psychological tricks and manipulation tactics that cybercriminals use to get people to do something that normally sends up red flags. It’s about using tactics that get people to ignore the warning signs and ignore their instincts.
Social engineers rely on techniques like using language that conveys urgency or evokes feelings of fear or curiosity to get targets to comply. These tactics often involve a bad guy pretending to be someone in a position of authority, such as a government agent, the target’s bank, or the police. In some cases, the cybercriminal will present themselves as someone who’s likeable, trustworthy, or empathetic to gain a target’s trust.
Once successful at getting what they seek, vishers then use this information to carry out other types of cybercrimes.
In early 2021, the FBI’s Internet Crime Complaint Center (IC3) released their Internet Crime Report 2020, in which they state that social engineering crimes, including vishing, had cost victims more than $54 million.
Now that we can answer the question “what is vishing?”, let’s explore some of the different types of voice phishing techniques.
Common Vishing Techniques Cybercriminals Use
There are several vishing techniques, but these are four common ones used by cybercriminals:
SMS Text Messaging
Some vishing scams start out with a cybercriminal sending text messages to random or targeted phone numbers. They can use apps, websites or even emails to do this. These scam messages contain enticing or threatening messages and phone numbers to convince recipients to call immediately. Once they get the target on the phone, the bad guys can use social engineering to get them to provide personal info or make a payment.
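The SMS lure described above follows a recognisable pattern: pressure language, a claimed authority or brand, and a phone number the recipient is told to call. The following Python triage script is an added example (not code from the original article) that scores incoming text messages on those three indicators; the sample messages, phone numbers and keyword lists are constructed for the demo and would need tuning for real traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample text messages for the demo (not taken from the article).
# The phone numbers use the 555-01xx range reserved for fiction.
SAMPLE_MESSAGES = [
    "FINAL NOTICE: your car's extended warranty is about to expire. "
    "Call 1-800-555-0147 immediately to avoid losing coverage.",
    "Social Security Administration: your benefits are suspended due to "
    "suspicious activity. Call 202-555-0199 now to verify your identity.",
    "Hey, running late, can you pick up the kids at 4? Call me if that's a problem.",
    "Your package is ready for pickup at the front desk.",
]

# Indicator vocabularies (assumed, illustrative) drawn from the scam patterns
# the article describes: pressure language, impersonated authorities, and a
# request to call back.
URGENCY_TERMS = ("immediately", "now", "urgent", "final notice", "suspended",
                 "expire", "expired", "arrest", "within 24 hours")
IMPERSONATION_TERMS = ("warranty", "social security", "irs", "fbi", "bank",
                       "medicare", "medicaid", "tech support", "benefits")
CALLBACK_TERMS = ("call", "call back", "dial")

# North American phone number, with optional country code and separators.
PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")


def _matched_terms(text, terms):
    """Return the terms that occur as whole words/phrases in the text."""
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text)]


@dataclass
class Assessment:
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def verdict(self):
        if self.score >= 4:
            return "likely vishing lure"
        if self.score >= 2:
            return "suspicious"
        return "benign"


def assess_sms(text):
    """Score one SMS for the vishing pattern: pressure + authority + 'call this number'."""
    lowered = text.lower()
    result = Assessment()

    numbers = PHONE_RE.findall(text)
    if numbers:
        # A number supplied in the message itself is the lure's payload.
        result.score += 2
        result.indicators.append("supplies a callback number: " + ", ".join(numbers))

    urgency = _matched_terms(lowered, URGENCY_TERMS)
    if urgency:
        result.score += 1
        result.indicators.append("pressure language: " + ", ".join(urgency))

    impersonation = _matched_terms(lowered, IMPERSONATION_TERMS)
    if impersonation:
        result.score += 1
        result.indicators.append("claims an authority/brand: " + ", ".join(impersonation))

    if numbers and _matched_terms(lowered, CALLBACK_TERMS):
        # The combination that matters: "call *this* number".
        result.score += 1
        result.indicators.append("asks the recipient to call the supplied number")

    return result


def triage(messages):
    """Return (verdict, message) pairs, highest-scoring first."""
    assessed = [(assess_sms(m), m) for m in messages]
    assessed.sort(key=lambda pair: pair[0].score, reverse=True)
    return [(a.verdict, m) for a, m in assessed]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        a = assess_sms(msg)
        print(f"[{a.verdict}] score={a.score}: {msg}")
        for ind in a.indicators:
            print("   -", ind)
```

The weighting is deliberate: a phone number on its own is common in legitimate texts, so it only becomes decisive when the message also pressures the recipient and tells them to call that number. The two constructed scam messages score 5 and are flagged, while the ordinary personal and delivery messages score 0.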
Robocalls
In this approach, cybercriminals use autodialing software and bots to call thousands of numbers, usually within a specific area code, with a pre-recorded message. Think of the common scams relating to your “car’s extended warranty” or your social security benefits.
They may use this approach to impersonate everyone from government entities to your bank. The recorded message usually says that they have important information to discuss but that the target has to share their personal details to confirm their identity before they can do so. To avoid this type of cyber attack, check the unknown number via a phone number search tool.
Caller ID & Phone Number Spoofing
Spoofing is a method of making one thing appear like something different. In the case of vishing phone calls, cybercriminals hide behind fake caller IDs. They may choose to display their caller ID as “Unknown” or may try to impersonate some government authority such as your local police department or federal agents.
But this isn’t the only way bad guys hide who’s really calling. Using voice over IP (VoIP), cybercriminals can easily hide behind false phone numbers. They may choose to use a 1-800 prefix or display legitimate businesses’ phone numbers. They also use SMS spoofing to hide the origins of their phony text messages.
These tactics make their ruses seem more legitimate in case their targets try searching for the phone number online.
Dumpster Diving
Yes, this approach is exactly what it sounds like but, thankfully, it’s not as common as the other vishing techniques we’ve talked about. This process involves cybercriminals literally digging through businesses’ dumpsters to look for documents containing individuals’ and organizations’ sensitive information. They can use this information for pretexting and as fuel for their social engineering scams to make them more convincing.
Now that we know what vishing is and some of the techniques bad guys use, let’s explore how vishing works and some examples of vishing attacks.
How Does Vishing Work?
The way vishing works is that a threat actor reaches out to people using some type of scam to get them to call back and provide some type of sensitive information. (This could be personal information they can use to carry out other crimes or payment info that provides a quick payday.)
They’ll use many different tactics and techniques to try to make contact with potential victims. Most vishing attacks are done via live phone calls and voicemails or by using robocalls. Some vishing calls are combinations of the two methods — you might receive a robocall that transfers you to a live person when you answer the phone. However, some vishing attacks also involve the use of emails, SMS text messages, or fraudulent websites.
Some vishing attacks involve contacting random victims while others are highly targeted and focus on specific individuals. Vishing attacks target everyone from private individuals to key personnel within different organizations. The approach depends on what the attackers are trying to accomplish and how much time and energy they want to invest in these activities.
For more targeted and convincing vishing attacks, bad guys will carefully plan a lot of specific elements, including:
- who they choose to impersonate (someone who helps them gain a sense of trust or represents an authority — a company executive, bank, government representative, etc.).
- what contextual information they provide (they want you to believe what they say so that you’ll do what they ask and provide info).
- language and words they choose to use (they use urgent or exciting language that evokes emotional responses).
Once the bad guys “hook” their targets and get the info they seek, they can then use this information to:
- drain victims’ bank accounts,
- carry out identity theft,
- make fraudulent purchases, or
- carry out other scams.
Examples of Common Vishing Scams
The examples below show some of the scams that cybercriminals use to get targets to trust them and do something they shouldn’t.
Government or Law Enforcement Impersonation Scams
Here, the caller pretends to be a government agency representative such as someone from the FBI, IRS, or Social Security Administration. They may say they need to discuss an important issue with you but first need to verify your identity. If you don’t comply, they’ll start making threats, saying they’ll arrest you or cancel any government benefits you receive.
Medicaid and Medicare Scams
Nothing is sacred or too sensitive a topic for cybercriminals to exploit. In these types of vishing scams, threat actors pose as Medicaid or Medicare agents and try to steal the victims’ personal ID numbers or other sensitive information. They may say that they’re mailing out a new benefits card and need to confirm the victim’s identity, or that there’s an issue with the victim’s account and they require the victim’s personal information to resolve it.
Unfortunately, this scam was already popular prior to the COVID-19 pandemic. However, the scam picked up even more during that time as well as when the vaccines started to roll out.
Fake Tech Support Services
The caller pretends to be a technical support representative from companies like Microsoft, Amazon or Apple. They’ll say they noticed irregularities in your account or discovered malware on your device, but in order to help you fix these issues, they first need you to:
- make a payment over the phone to pay for their services. They may ask for your bank account information, credit card number, or even say they require a pre-paid gift card.
- go to a specific website where you can log in to view information or download software. This website may be a phishing site that allows them to steal your login credentials or a malicious website that auto-downloads malware onto your device.
- provide your email address so they can send you a “software update.” This is really a malicious file that infects your device.
Bank or Credit Card Company Impersonation Scams
This is self-explanatory. It involves the cybercriminal posing as a representative of the victim’s bank or credit card company. The visher requests the victim’s bank details under the pretext of managing their account. Once they receive the victim’s banking account details, they use that information to transfer funds from the victim’s bank account to one they control.
They also promise victims enticing credit card rates and limits, luring the victim into falling for their lies and sharing their information as well.
How to Protect Yourself from Vishing Attacks
Aside from frequent security awareness training and symposiums, here are other ways to protect yourself from vishing attacks:
- Never disclose or confirm any personal information over the phone in an unsolicited call.
- Register all your cell phone numbers with the “Do Not Call” registry.
- Try to have a mobile plan that provides caller ID details.
- Use a phone number search tool.
- Don’t respond to random emails or SMS text messages directing you to call an unknown number.
- Study your caller very well by paying attention to every detail of the conversation. If they ask for personal information or something about the call seems suspicious, then follow the next tip mentioned below.
- If unsure of the caller’s legitimacy, hang up and call the organization they claim to represent back using an official phone number.
- If someone calls claiming they’re a company executive and makes an unusual or urgent request, inform them you’re hanging up and will call back on an official line to confirm these details.
Vishing becomes difficult for cybercriminals when individuals are properly informed about the different types of vishing attacks, the standard techniques cybercriminals use, and how to effectively protect themselves against possible vishing attacks. Although this article explains these tenets, a single read does not make you immune to vishing attacks.