Vishing

What Is Vishing?

Vishing is a cybercrime combining voice calls with phishing attacks. So-called “voice phishing” uses multiple tools and strategies, such as social engineering, voice-altering software, text messages, and fraudulent phone numbers to communicate with, and extract information, from potential victims.

For example, a threat actor might call an innocent bank customer and ask for their bank account information. The visher uses voice-masking technology and a fraudulent phone number, along with the right words and phrases, to trick the bank customer into thinking the request is legitimate. Once they have the necessary information, the criminal steals money from the victim’s bank account, leaving them none the wiser.

If left unchecked, vishing can cause immense harm to both individuals and organisations alike. You need to know how to protect your business against vishing, plus avoid vishing attacks for yourself.

Vishing vs. Phishing

Vishing is a type of phishing attack; however, most phishing attacks are email-based. For example, a cybercriminal might send an email loaded with a Trojan virus or malware virus to a business employee. When the employee opens the email, the virus automatically downloads onto their computer.

Vishing uses a phone as the main vector for the attack.

Vishing vs. Smishing

“Smishing” also utilises a phone, but is SMS-based phishing, meaning it uses texts instead of voice. While the phone is the main vector for this attack, the specifics of the execution can take many forms.

A simple kind of vishing attack would be a caller posing as an IRS representative, asking for bank account information from an unsuspecting victim. A more complex version involves the caller posing as an IT employee at an organization, asking the other employee to download malware or hand over credentials. In some cases, the caller will pose as a legitimate organisation, such as a bank, to trick a large number of victims at once.

4 Types of Vishing Techniques

Depending on their goals and available technology, cyber criminals may use many different vishing techniques to steal information or money or to extract certain actions from their victims.

1. The “Wardialng” Technique

This technique involves software that collects and calls specific area codes. The software sends messages that involve local organisations, like banks or police departments, to trick potential victims. When a victim answers the call, the voice software urges them to provide their name and credit card details or bank account information.

2. Voice-over internet protocol tools (VoIP)

These tools create fake phone numbers and mask an attacker’s real identity. They then call people masquerading as local businesses, such as businesses with 1-800 telephone number prefixes, or government organisations, like local police departments.

3. ID Spoofing

This technique involves the bad actor hiding behind a fake phone number and spoofing a legitimate caller ID. For instance, they might pretend to be a government official or tax department representative. Or they may list their name as “Unknown.”

4. The Dumper Dive

Vishing criminals might literally dumpster dive to get valid phone numbers and other information, like bank account or credit card information. Armed with this information, they may try to complete fraudulent transactions or harass victims.

Vishing Against Organizations

It’s important to note that vishing scams are not always a single criminal vs. a single potential victim scenario. Cyber criminals can use vishing as the first part of an attack, or the initial access point for a larger attack against an organisation.

In these situations, the bad actor will pose as someone the organisation often works with, like a contractor, or even an IT specialist asking for computer access, credentials, or giving information to download software. Newer employees or those that are often on the phone are at a higher risk for these kinds of attacks.

What Are Common Vishing Scams?

Cyber criminals often implement several common scams or conversational schemes to get vishing victims to hand over their personal info:

The caller talks about a compromised bank or credit card account, asking victims to share more information to “fix” the problem or verify their identity
The caller poses as a representative from the Medicare or Social Security offices to get personal information or convince victims to make deposits/pay fees
The caller poses as an IRS representative, telling victims that they need to call back immediately and, if they don’t, a warrant will be issued for their arrest
The caller poses as a member of the organisation’s IT department and asks the caller for sensitive information like credentials or information from certain files.
The caller poses as a known entity or individual the organisation does business with and asks for sensitive information, credentials, or even a transfer of funds for a fraudulent invoice.

Generally, vishing scams include a threat and a request that the victim calls a number back, downloads a piece of software, or hands over personal information via a text message.

Examples of Vishing Attacks

Vishing attacks have become more prevalent in recent years. For example, the Australian Cyber Security Centre had a major vishing wave in 2020. Fake text messages offered victims fraudulent guidelines about how they could get tested for COVID-19. Unfortunately, the messages included links to websites that downloaded malware onto victim devices.

Similarly, 2020 saw nearly 60 million Americans lose money and personal information to both phone and text scams. The total monetary damage was in excess of $30 billion. In this wave of attacks, vishing bad actors offered supposedly free COVID testing kits, but in actuality gained bank account information from their victims, which they then used to perform identity theft or to steal money.

How to Prevent Vishing

Even though vishing can be tough to spot and frustrating to deal with, there are ways to prevent vishing from affecting you or your organisation:

Consider joining the National Do Not Call Registry. When you add your phone number to this registry, telemarketers won’t send you phone calls. Thus, if you receive a call from a 1-800 number, you know it is not legitimate. Joining the registry is free.
Always hang up if you don’t recognise a caller or if you suspect a phone call is a vishing scam. If the caller is legitimate, they can always call you back.
Don’t respond to any prompts, vocal or otherwise, when you suspect you may be engaged in a scam call.
If you’re at work, always hang up and then call the “source” back. That will tell you right away if the caller was from IT or a contractor or who they said they were.
Always try to verify a caller’s identity, especially in the first seconds of a new conversation.

How Arctic Wolf Can Help

Arctic Wolf® Managed Detection and Response. This solution helps organisations identify and respond to unusual behavior within their environment. In the case of a vishing attack, it can alert the organisation to a user maybe accessing unusual programs or installing a program into the environment — stopping the attack in its tracks.

Arctic Wolf Managed Security Awareness®. Users are the targets of vishing attacks, so employing proper training becomes a critical line of defense. Utilising micro-learning, engaging examples, and modern techniques, this solution helps empower employees to detect attack attempts like vishing.

Arctic Wolf Incident Response. If a further attack occurs because of vishing, responding quickly and effectively makes all the difference. Incident Response works to stop the attack, restore your organisation, and offer remediation and investigations.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Customer Portal Policy	Accessibility Statement	Sustainability Statement	Information Security	Cookies Settings

SOLUTIONS

INDUSTRIES

Quickly detect, respond, and recover from advanced threats.

Detect and respond to advanced threats targeting your cloud infrastructure and applications.

Discover, assess, and harden your environment against digital risks.

Explore, harden, and simplify your cloud environment against misconfiguration vulnerabilities.

Engage and prepare employees to recognise and neutralise social engineering attacks.

Recover quickly from cyber attacks and breaches, from threat containment to business restoration.

HOW IT WORKS

Delivering security operations outcomes.

Collect, enrich, analyse.

Ecosystem integrations and technology partnerships.

Tailored security expertise and guided risk mitigation.

Security experts proactively protecting you 24×7.

Meet some of the security experts working alongside you and your team.

TRENDING RESOURCES

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

Oracle Red Bull Racing trusts Arctic Wolf to secure its expansive IT environment and the mission-critical proprietary data it contains.

The elite security researchers, data scientists, and security developers of Arctic Wolf Labs share forward-thinking insights along with practical guidance you can apply to protect your organisation.

SECURITY BULLETINS

CVE-2024-20353 and CVE-2024-20359: Cisco ASA and FTD Vulnerabilities Exploited by State-Sponsored Threat Actor in Espionage Campaign “ArcaneDoor”

Cisco Duo Third-Party Compromise

Critical Authentication Bypass Vulnerability in Delinea Secret Server Disclosed Along With PoC

COMPANY