‘Vishing’, or ‘phishing over the phone’ is on the rise and in this article, we look at vishing techniques and examples, and how to prevent them.
The word Vishing is a combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data.
Vishing scams to homes often use recorded voice messages e.g. claiming to be from banks and government agencies to make victims respond in the first instance.
The technology used by scammers is now such that voice simulation may even be used in more sophisticated attacks on big businesses.
Phishing attacks can take different forms and can employ different combinations, such emails, bogus websites, and phone calls. Vishing focuses on using VoIP to complete the scam and this can include using a ‘spoofed’ phone number of a real business or company to add the appearance of authenticity.
Smishing uses SMS text messages rather than phone calls to deceive victims into responding.
Victims are selected using large call lists where little or nothing is known about the target (‘shotgun’ attacks), or where some information is known from sources such as personal data that has come from website data breaches and perhaps from data interception data gathered from phishing and other social engineering attacks. Vishing attacks where some important data is already known by the attacker are referred to as ‘spear vishing’ attacks.
The motivation for attackers is, of course, easy money or data which leads to the acquisition of more money, and perhaps use in further attacks on other sites which can give access to a person’s financial and personal data. In the U.S., for example, if attackers already have the first few digits of a Social Security Number, gaining the remaining numbers can give them access to many other sources of funds and data.
The motivation presented by the attacker to the target to make them part with their data is the promise of bogus rewards e.g. prizes and taking advantage of amazing limited offers, the need to avoid a negative outcome, and the need to be helpful/contribute positively to society e.g. in scams whereby a victim is asked to help police/fraud investigations.
In most cases, fraudsters use emotional manipulation, deception techniques and the illusion of limited time (act now) as ways to gain access to personal data. The internet telephone service (VoIP) calls also provide them with anonymity and flexibility that they need to target their attacks.
The scale of the vishing threat is now huge. For example:
– First Orion’s 2018 Scam Call Trends and Projections Report showed that nearly 30% of incoming mobile calls were spam calls.
– The “Quarterly Threat Intelligence Report: Risk and Resilience Insights” report from Mimecast researchers warned that in 2020, “voicemail will feature more prominently” in attacks and showed vishing as becoming a likely daily occurrence in 2020.
– Proofpoint’s 2020 State of the Phish report (worldwide survey) found that 25% of workers could correctly define the term.
Popular examples of vishing calls include:
– Calls from banks or credit card companies with messages asking the victim to call a certain number to reset their password.
– Unsolicited offers for credit and loans.
– Exaggerated (almost too good to be true) investment opportunities.
– Bogus charitable requests for urgent causes and recent disasters.
– Calls about extended car warranties.
– Calls claiming to be from fraud officers to (ironically) help people who have recently fallen victim to scams and attacks, asking people for their help in operations to catch fraudsters e.g. by transferring funds to a specified account.
– Calls claiming to be from government agencies e.g. tax office calls offering rebates or warning of an investigation.
– Tech support calls to fix bogus problems with computers. This method can also use popup windows on a victim’s computer, often planted by malware, to issue a bogus warning from the OS about a technical problem.
– Travel and holiday company calls relating to (bogus) holiday bookings and cancellations.
– Calls relating to insurance e.g. for weddings, holidays, and flight cancellations.
– ‘One ring and cut’ (Wangiri – Japanese) calls where criminals trick victims into calling premium-rate numbers. For example, the fraudster’s system calls a large number of random phone numbers with each ringing once. If someone calls back (replying to a missed call) they are directed to a premium rate number.
– In May 2018, in the North-East, vishing calls over a three-week period resulted in the theft of £1Million by fraudsters pretending to be from their victim’s bank saying they were investigating fraudulent activity by staff within the organisation and asking victims to move large sums money into foreign accounts for safe-keeping. This was coupled with a request that the victim did not report the call for fear of jeopardising the investigation.
– In September 2019 AI voice simulation software was used to impersonate the voice of a UK-based energy company CEO and to thereby make the company transfer £200,000 into the account of the fraudsters.
– In October 2019, Police in Derbyshire warned that scammers had called victims claiming to be “tech support representatives” from Microsoft, telling people there was something wrong with their computer and offering to fix the problem by remote access.
Earlier this month (May 2020), Her Majesty’s Revenue and Customs (HMRC) asked UK Internet Service Providers (ISPs) to remove 292 websites exploiting the coronavirus outbreak since the national lockdown began on March 23.
Ways that you and your business can guard against vishing attacks include:
– Don’t trust caller ID to be 100 per cent accurate, numbers can be faked.
– Don’t answer phone calls to unknown numbers, block numbers of spam callers, register your phone number with the Telephone Preference Services (TPS) and report any suspicious spam calls to the Information Commissioners Office (ICO).
– Beware of unsolicited alleged calls from banks, credit card companies or government agencies, particularly those asking to you to call certain numbers and/or change password details. The real organisations and agencies would not make calls of this kind.
– Include phishing, vishing, smishing and other variants with your security awareness training for employees.
– Avoid using a gift card or a wire/direct money transfer, and make sure that there is a policy and process in place for any money transfers that all employees must adhere to, even if the request appears to come from someone within the company.
– Don’t give in to pressure; remember that you can ditch any call at any time, and give yourself the option of looking up the number of the company/agency/organisation that claims to be calling you and calling them back yourself to check.
The predictions from security researchers and commentators are that vishing, along with phishing and smishing are set to increase this year, and their success could be helped by the COVID-19 outbreak as people wait and search for information about financial and health matters, details about government payments and help, and details about cancellations e.g. holidays and flights. Companies and organisations need to educate their staff about the threat, while businesses and individuals need to be vigilant and cautious about any unsolicited phone calls, particularly those that offer rewards, create panic or warn of dire consequences, and those that apply pressure.