You are probably familiar with phishing, which is a general category of cyber attacks and a specific type of attack. Now it’s time to meet his evil brother: Vishing. Vishing is one of the methods of fraud using social engineering, which consists in the fact that attackers steal bank data or extort personal information using a telephone connection. At the heart of phishing is social engineering, which involves disguising fraudsters as a certain organization – a bank, service provider, government organization, IT service employee and creating a sense of urgency or fear, which helps to reduce thinking time and, accordingly, avoid suspicion on the part of the victim. From this article, you will learn how vishing works and learn how to protect yourself and your organization from it. Because, for example, in the first six months of 2022, mobile users received a staggering 100 billion fraudulent calls, resulting in $40 billion in financial losses. In August 2020, the Cyber Security and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) issued warnings that vishing attacks were targeting remote workers.
The same study shows that vishing attacks have now overtaken Business Email Compromise (BEC) in the threat landscape as the second most reported threat. BEC fraud is a subset of phishing, a category of scams, and cyberattacks that attackers use to obtain sensitive information. Virtually all types of phishing scams involve social engineering tactics in one form or another. Although fraud schemes are becoming more and more sophisticated, it is still possible to reduce the risks of falling prey to fraudsters. And you will also learn about this from this article.
Vishing is deciphered as voice + phishing = vishing. Basically, vishing is a form of phishing. In this case, the cybercriminal uses a voice call to trick the victim into revealing private or confidential information. This maneuver is aimed at obtaining confidential information that they can sell or use to commit further crimes. While phishing uses email messages to trick the victim into clicking on a malicious or fake link, and smishing uses text messages for the same purpose, vishing uses a much older (and common) tool: phone calls. This is why this type of attack is also called voice phishing.
In some cases, cybercriminals may even use a combination of attack methods:
1. Cybercriminals could launch an attack by sending an urgent phishing email telling you that the service for your favorite app has been automatically upgraded. The email goes on to say that you will have to call a specific phone number to receive a refund.
2. You call the number and cybercriminals will use all sorts of social engineering tactics to get you to make a payment to a fake bank account or even download remote desktop software to your device to give them access to it. These social engineering tactics involve coercion and/or intimidation to get you to do what they say.
! it all started with phishing and turned into a vishing scam!
The attacker gathers enough information about the victim and/or their organization by checking them out on social media channels such as YouTube and LinkedIn…The attacker then calls the victim pretending to be a trusted person, such as a bank or government agent. To get the target to reveal sensitive information or to do something they would not normally do, the criminal uses social engineering techniques.
Fear;
Panic;
Urgency;
Curiosity;
Unexpectedness;
Trust and/or other emotions.
Last but not least, the attacker also takes advantage of the fact that a person talking on the phone is more likely to do something without thinking about what they are doing. An attacker could gain access to a victim’s bank account, credit cards, or an organization’s entire internal network.
Automatic calls. In this case, they will use IP telephony (VoIP) technology, asking the victim to confirm personal information by simply pressing certain keys on the phone.
Hybrid vishing. Also called callback phishing, the attacker sends the victim an email with a fake emergency phone number.
Vishing based on artificial intelligence (i.e. “deepfakes”). Fraudsters use commercially available AI software to create the voice of a CEO or impersonator.
Let’s take a look at some examples of the most common voice phishing scams and the costs involved:
Tech Support Voice Phishing Scam;
Bank or credit card fraud. Card Vishing Scam;
Internal Revenue Service (IRS). Tax Voice Phishing Scam;
Health care and social security sector.
The attacker pretends to be a tech support agent from a well-known IT company like Microsoft or Apple and reports suspicious activity on your account or software. If you fall for this, you may be prompted to install a malware update that will compromise your machine and lead to many consequences. How often does this happen? Judge for yourself: the latest FBI Internet Crime Report shows that vishing tech support caused more than $347 million in losses in 2021. That’s bad, but it could have been a lot worse if the FBI’s Asset Recovery Team (RAT) hadn’t been brought in after complaints filed by the Internet Complaint Center (IC3). For example, in October 2021, RAT stopped an unauthorized wire transfer of $53,000 that was the result of a tech support scam.
In this scenario, the cybercriminal poses as an employee of a bank or other financial institution. In some cases, attackers can use pre-recorded messages to trick you into providing your account information, credentials, or PIN. They can then use the information to confirm a fraudulent transaction. The latest report by the U.K. Finance reveals that more than 95,000 successful authorized push payment (APP) scams were detected in the first six months of 2022. Victims of this bank or credit card fraud are tricked into approving payments that go directly to the cybercriminals’ bank account. A total loss of over £249m is over $282m.
In this scenario, the attacker contacts the victim via a recorded message. The message explains that due to a problem with the target’s tax return, they should immediately contact the fake number provided to correct the situation. (Of course, this is only so that the attacker can call the victim to trick them into getting money or personal information.) The message usually contains a threatening warning (such as an arrest warrant, significant fines or penalties, etc.) to add more drama and fear into the situation to elicit an immediate response from the target.
In September 2020, attackers called Spectrum Health patients pretending to be employees of the Michigan health system to steal their protected health information (PHI). The attackers spoofed Spectrum Health’s caller ID to make the call look legitimate. Once the victim was connected, they asked for PHI and a member number. This is a typical example of vishing in the healthcare sector. Vishing attacks are on the rise, according to an analysis note from the Healthcare Cybersecurity Coordinating Center (HC3). Scammers just love your PHI and Social Security information. They love these types of data so much that four of the top five challenges identified by First Orion are related to the health and social care sector.
“Hey, you’re one million followers! Congratulations! You won a new Tesla! To claim your prize, all you need to do is provide us with some personal information…” Sorry to disappoint you, but there is no contest and you won’t win anything. This was just a trick to get you to cooperate and provide information. This is an example of a call- phishing, in which a scammer tries to trick you into providing sensitive information in exchange for a possible prize.Telemarketing scams, where a scammer tries to steal personal information or money by luring the victim with fake lottery prizes or good deals, also fall into this category .Americans are known to lose an average of $40 billion a year falling victim to such telemarketing scams.
How to really prevent voice phishing?
Avoid robocalls. You answered the phone and realized you weren’t talking to a human, so hang up and go about your business.
Do not respond to automated voice prompts. Press one, press three and say yes to speak to an operator – I hate those auto prompts. An attacker can record your voice responses to use for fraudulent activities (including impersonating you to authenticate to your legitimate accounts).
Never share confidential information over the phone. Have you received a call from someone pretending to be an IRS agent? Did he ask you for your tax number or any other personal information? Remember that government agencies, banks, or credit card companies will never ask for your personal information over the phone. So, if something smells fishy—I mean, vichy—then trust your gut and hang up.
But that’s not all. There are things you can do to protect your business before you even get the call. Teach your employees how to recognize them. Sharing this article with them can be the first step. Make sure you have policies in place that outline the caller identity verification process and what information can be disclosed and to whom.
Use strong authentication methods. If a voice phishing scam is successful, using strong authentication methods will add another layer of security to help you prevent or minimize harm. There are several options that you can go for. Among them are two- or multi-factor authentication (MFA).
A digital signature for your emails. Digitally signing your emails lets you add a verifiable digital signature to your messages. This will help you prove that the email is legitimate (sent by you) and authentic (unaltered). That way, if one of your employees receives an unsigned message, they’ll probably think twice before calling the dodgy number in it.
Do not allow unsigned software downloads. Do you remember an example of a tech support scam? The victim was asked to download a software update infected with malware. Often times, attackers don’t bother to add a code signing certificate to their malware (which shows users and their operating systems that the program is authentic and hasn’t changed since it was signed). Because it costs money and requires validation by a generally trusted CA that adheres to strict standards.
Phishing, smishing, vishing. Criminals try to do everything to get what they want and use almost any means for this. Among all these types of cyber attacks, Vishing attacks are the most difficult to avoid. Because they not only tap into emotions like fear and panic, but also take advantage of the fact that you don’t have enough time to think after talking on the phone. Now you’ve learned some preventative measures (and a few key warning flags) that should be ringing in your ears from now on to help protect you against such attacks:
Subscriber number is unknown.
The subscriber requests confidential or personal information.
The caller claims to work in a government agency or other position.
Next time you get a call, pause and think twice before picking up the phone. This pause of a few seconds can save you from becoming the next victim of vishing.