What Is Vishing?
Vishing is a cybercrime combining voice calls with phishing attacks. So-called “voice phishing” uses multiple tools and strategies, such as social engineering, voice-altering software, text messages, and fraudulent phone numbers, to communicate with potential victims and extract information from them.
For example, a threat actor might call an innocent bank customer and ask for their bank account information. The visher uses voice-masking technology and a fraudulent phone number, along with the right words and phrases, to trick the bank customer into thinking the request is legitimate. Once they have the necessary information, the criminal steals money from the victim’s bank account, leaving them none the wiser.
If left unchecked, vishing can cause immense harm to individuals and organizations alike. You need to know how to protect your business against vishing, and how to avoid vishing attacks yourself.
Vishing vs. Phishing
Vishing is a type of phishing attack; however, most phishing attacks are email-based. For example, a cybercriminal might send a business employee an email carrying a Trojan or other malware. When the employee opens the email, the malware is downloaded onto their computer.
Vishing uses a phone as the main vector for the attack.
Vishing vs. Smishing
“Smishing” also uses a phone, but it is SMS-based phishing, meaning it relies on text messages instead of voice calls. While the phone is the main vector for vishing, the specifics of the execution can take many forms.
A simple kind of vishing attack would be a caller posing as an IRS representative, asking for bank account information from an unsuspecting victim. A more complex version involves the caller posing as an IT employee at an organization, asking the other employee to download malware or hand over credentials. In some cases, the caller will pose as a legitimate organization, such as a bank, to trick a large number of victims at once.
4 Types of Vishing Techniques
Depending on their goals and available technology, cybercriminals may use many different vishing techniques to steal information or money, or to pressure their victims into taking certain actions.
1. Wardialing
Wardialing involves software that collects phone numbers in specific area codes and calls them automatically. The software plays messages that purport to come from local organizations, like banks or police departments, to trick potential victims. When a victim answers the call, the automated voice urges them to provide their name and credit card details or bank account information.
2. Voice over Internet Protocol (VoIP) tools
These tools create fake phone numbers and mask an attacker’s real identity. Attackers then use them to call people while masquerading as local businesses, such as those with 1-800 telephone number prefixes, or government organizations, like local police departments.
3. ID Spoofing
This technique involves the bad actor hiding behind a fake phone number and spoofing a legitimate caller ID. For instance, they might pretend to be a government official or tax department representative. Or they may list their name as “Unknown.”
4. The Dumpster Dive
Vishing criminals might literally dumpster dive to get valid phone numbers and other information, like bank account or credit card information. Armed with this information, they may try to complete fraudulent transactions or harass victims.
Vishing Against Organizations
It’s important to note that vishing scams are not always a single-criminal-versus-single-victim scenario. Cybercriminals can use vishing as the first stage of an attack, or as the initial access point for a larger attack against an organization.
In these situations, the bad actor poses as someone the organization often works with, such as a contractor, or even as an IT specialist asking for computer access or credentials, or instructing the employee to download software. Newer employees and those who are often on the phone are at higher risk for these kinds of attacks.
5 Common Vishing Scams
Cybercriminals often use several common scams or conversational schemes to get vishing victims to hand over their personal info:
1. The caller talks about a compromised bank or credit card account, asking victims to share more information to “fix” the problem or verify their identity.
2. The caller poses as a representative from the Medicare or Social Security offices to get personal information or convince victims to make deposits or pay fees.
3. The caller poses as an IRS representative, telling victims that they need to call back immediately and, if they don’t, a warrant will be issued for their arrest.
4. The caller poses as a member of the organization’s IT department and asks the employee for sensitive information like credentials or the contents of certain files.
5. The caller poses as a known entity or individual the organization does business with and asks for sensitive information, credentials, or even a transfer of funds for a fraudulent invoice.
Generally, vishing scams combine a threat with a request that the victim call a number back, download a piece of software, or hand over personal information via a text message.
Notable Vishing Examples
Vishing attacks have become more prevalent in recent years. For example, the Australian Cyber Security Centre reported a major vishing wave in 2020. Fake text messages offered victims fraudulent guidelines about how they could get tested for COVID-19. Unfortunately, the messages included links to websites that downloaded malware onto victims’ devices.
Similarly, 2020 saw nearly 60 million Americans lose money and personal information to phone and text scams combined. The total monetary damage was in excess of $30 billion. In this wave of attacks, vishing bad actors offered supposedly free COVID testing kits, but in reality harvested bank account information from their victims, which they then used to commit identity theft or steal money.
How To Avoid Vishing
Even though vishing can be tough to spot and frustrating to deal with, there are ways to prevent vishing from affecting you or your organization:
- Consider joining the National Do Not Call Registry. When you add your phone number to this registry, telemarketers won’t call you. Thus, if you receive a call from a 1-800 number, you know it is not legitimate. Joining the registry is free.
- Always hang up if you don’t recognize a caller or if you suspect a phone call is a vishing scam. If the caller is legitimate, they can always call you back.
- Don’t respond to any prompts, vocal or otherwise, when you suspect you may be engaged in a scam call.
- If you’re at work, always hang up and then call the “source” back using a number you already know. That will tell you right away whether the caller really was from IT, a contractor, or whoever they claimed to be.
- Always try to verify a caller’s identity, especially in the first seconds of a new conversation.
How Arctic Wolf Can Help
Arctic Wolf® Managed Detection and Response. This solution helps organizations identify and respond to unusual behavior within their environment. In the case of a vishing attack, it can alert the organization to a user accessing unusual programs or installing a program into the environment — stopping the attack in its tracks.
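The kind of telemetry signal described above, where a vishing caller has talked an employee into installing software, can be approximated with a simple per-user baseline. The following is an added example written for this page; it is not Arctic Wolf’s product logic, and the install events, user names and remote-access watchlist are all constructed for illustration.

```python
"""Flag software installs that fall outside a user's observed baseline.

Illustrative detection logic (not Arctic Wolf's code): an employee who is
talked into "downloading a tool" by an IT impersonator leaves an install
event in endpoint telemetry. Installs of remote-control software the user has
never installed before are raised as high severity; any other first-seen
install for that user is raised as medium for analyst review.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample telemetry, not real logs: (timestamp, user, program)
HISTORY = [
    ("2024-03-01T09:12:00", "jsmith", "Microsoft Teams"),
    ("2024-03-02T10:03:00", "jsmith", "Zoom"),
    ("2024-03-03T11:40:00", "alee", "Microsoft Teams"),
    ("2024-03-04T08:55:00", "alee", "Adobe Reader"),
]

NEW_EVENTS = [
    ("2024-03-10T14:02:00", "jsmith", "Zoom"),      # already in jsmith's baseline
    ("2024-03-10T14:20:00", "jsmith", "AnyDesk"),   # remote-access tool, first seen
    ("2024-03-10T15:05:00", "alee", "Notepad++"),   # first seen, not on watchlist
    ("2024-03-10T15:06:00", "alee", "Notepad++"),   # repeat, learned from the prior event
]

# Hypothetical watchlist of remote-control software an "IT caller" might ask for.
REMOTE_ACCESS_WATCHLIST = {"anydesk", "teamviewer", "screenconnect", "quick assist"}


@dataclass
class Finding:
    when: datetime
    user: str
    program: str
    severity: str
    reason: str


def build_baseline(history):
    """Map each user to the lower-cased set of programs they have installed before."""
    baseline = defaultdict(set)
    for _, user, program in history:
        baseline[user].add(program.lower())
    return baseline


def classify(event, baseline) -> Optional[Finding]:
    """Return a Finding for an install that deviates from the user's baseline, else None."""
    ts, user, program = event
    key = program.lower()
    if key in baseline.get(user, set()):
        return None  # user has installed this before; nothing unusual
    when = datetime.fromisoformat(ts)
    if key in REMOTE_ACCESS_WATCHLIST:
        return Finding(when, user, program, "high", "first install of a remote-access tool")
    return Finding(when, user, program, "medium", "first install of this program for user")


def detect(history, events):
    """Run every new event against the baseline, learning each install as it is seen."""
    baseline = build_baseline(history)
    findings = []
    for event in events:
        finding = classify(event, baseline)
        if finding is not None:
            findings.append(finding)
        baseline[event[1]].add(event[2].lower())  # don't re-alert on the same program
    return findings


if __name__ == "__main__":
    for f in detect(HISTORY, NEW_EVENTS):
        print(f"[{f.severity.upper()}] {f.when.isoformat()} {f.user} installed {f.program}: {f.reason}")
```

An analyst reviewing the high-severity finding would then follow the advice given earlier on this page: contact the employee through a known channel and confirm whether an unexpected “IT” call preceded the install.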
Arctic Wolf Managed Security Awareness®. Users are the targets of vishing attacks, so employing proper training becomes a critical line of defense. Utilizing micro-learning, engaging examples, and modern techniques, this solution helps empower employees to detect attack attempts like vishing.
Arctic Wolf Incident Response. If a further attack occurs because of vishing, responding quickly and effectively makes all the difference. Incident Response works to stop the attack, restore your organization, and provide remediation and investigation.