‘Vishing’, or ‘phishing over the phone’, is on the rise. In this article we look at what vishing is and the techniques used, show examples, and explain how to guard against it.
What Is Vishing?
The word Vishing is a combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data.
Vishing scams aimed at homes often use recorded voice messages, e.g. claiming to be from banks or government agencies, to get victims to respond in the first instance.
The technology used by scammers is now such that voice simulation may even be used in more sophisticated attacks on big businesses.
Vishing Vs Phishing
Phishing attacks can take different forms and can employ different combinations of channels, such as emails, bogus websites, and phone calls. Vishing focuses on using VoIP to complete the scam. This can include using a ‘spoofed’ phone number of a real business or company to add the appearance of authenticity.
What Is Smishing?
Smishing uses SMS text messages rather than phone calls to deceive victims into responding.
Victims are selected either from large call lists where little or nothing is known about the target (‘shotgun’ attacks), or from lists where some personal data is already known (this data comes from website data breaches and from data intercepted in phishing and other social engineering attacks). Vishing attacks where some important data is already known by the attacker are referred to as ‘spear vishing’ attacks.
The motivation for attackers is, of course, easy money or data which leads to the acquisition of more money. Furthermore, that data can be of use in other attacks on various sites and provide access to a person’s financial and personal data. In the U.S., for example, if attackers already have the first few digits of a Social Security Number, gaining the remaining numbers can give them access to many other sources of funds and data.
The motivations attackers present to the target to make them part with their data include the promise of bogus rewards, e.g. prizes and amazing limited offers; the need to avoid a negative outcome; and the need to be helpful and contribute positively to society, e.g. in scams where a victim is asked to help police or fraud investigations.
In most cases, fraudsters use emotional manipulation, deception techniques and the illusion of limited time (act now) as ways to gain access to personal data. The internet telephone service (VoIP) calls also provide them with anonymity and flexibility that they need to target their attacks.
The Scale of the Problem
The scale of the vishing threat is now huge. For example:
- First Orion’s 2018 Scam Call Trends and Projections Report showed that nearly 30% of incoming mobile calls were spam calls.
- The “Quarterly Threat Intelligence Report: Risk and Resilience Insights” report from Mimecast researchers warned that in 2020, “voicemail will feature more prominently” in attacks and showed vishing as becoming a likely daily occurrence in 2020.
- Proofpoint’s 2020 State of the Phish report (worldwide survey) found that 25% of workers could correctly define the term.
Examples of Vishing
Popular examples of vishing calls include:
- Calls from banks or credit card companies with messages asking the victim to call a certain number to reset their password.
- Unsolicited offers for credit and loans.
- Exaggerated (almost too good to be true) investment opportunities.
- Bogus charitable requests for urgent causes and recent disasters.
- Extended car warranty calls.
- Calls claiming to be from fraud officers to (ironically) help people who have recently fallen victim to scams and attacks, asking people for their help in operations to catch fraudsters e.g. by transferring funds to a specified account.
- Calls claiming to be from government agencies e.g. tax office calls offering rebates or warning of an investigation.
- Tech support calls to fix bogus problems with computers. This method can also use popup windows on a victim’s computer, often planted by malware, which issue a bogus warning from the OS about a technical problem.
- Travel and holiday company calls relating to (bogus) holiday bookings and cancellations.
- Calls relating to insurance e.g. for weddings, holidays, and flight cancellations.
- ‘One ring and cut’ (Wangiri, from the Japanese) calls, where criminals trick victims into calling premium-rate numbers. For example, the fraudster’s system calls a large number of random phone numbers, letting each ring once. If someone calls back (replying to the missed call), they are connected to a premium-rate number.
There are many examples of vishing; here are three of the scams we have seen in recent years:
Our first example was in May 2018 in the North-East, where vishing calls over a three-week period resulted in the theft of £1 million. The fraudsters pretended to be from their victims’ bank and said they were investigating fraudulent activity by staff within the organisation. They asked victims to move large sums of money into foreign accounts for safe-keeping. Additionally, they requested that the victims did not report the call, for fear of jeopardising the investigation.
Secondly, in September 2019 AI voice simulation software was used to impersonate the voice of a UK-based energy company CEO. It was able to make the company transfer £200,000 into the account of the fraudsters.
Finally, in October 2019, police in Derbyshire warned that scammers had called victims claiming to be “tech support representatives” from Microsoft. The scammers told people there was something wrong with their computer and offered to fix the problem by remote access.
Government Fights Back
Earlier this month (May 2020), Her Majesty’s Revenue and Customs (HMRC) asked UK Internet Service Providers (ISPs) to remove 292 websites exploiting the coronavirus outbreak. These websites had appeared since the national lockdown began on March 23.
How To Guard Against Vishing
Ways that you and your business can guard against vishing attacks include:
- Don’t trust caller ID to be 100 per cent accurate; numbers can be faked.
- Don’t answer phone calls to unknown numbers. Block numbers of spam callers and register your phone number with the Telephone Preference Services (TPS).
- Report any suspicious spam calls to the Information Commissioners Office (ICO).
- Beware of unsolicited calls allegedly from banks, credit card companies or government agencies, particularly those asking you to call certain numbers and/or change password details. The real organisations and agencies would not make calls of this kind.
- Include phishing, vishing, smishing and other variants with your security awareness training for employees.
- Avoid paying by gift card or wire/direct money transfer. Make sure there is a policy and process in place for money transfers that all employees must adhere to, even if the request appears to come from someone within the company.
- Don’t give in to pressure; remember that you can ditch any call at any time. This gives you the option of looking up the number of the company/agency/organisation. With banks the number may be on the back of your card. Check who claims to be calling you and call them back yourself.
The predictions from security researchers and commentators are that vishing, along with phishing and smishing, is set to increase this year. Their success could be helped by the COVID-19 outbreak as people wait for and search for information about financial and health matters, details of government payments and help, and details of cancellations, e.g. holidays and flights.
Companies and organisations need to educate their staff about the threat, while individuals need to be vigilant and cautious. Be wary of any unsolicited phone call, particularly one that offers rewards. Additionally, calls that create panic or warn of dire consequences should be viewed with the same caution.