By Aaron Jentzen
Thu | Apr 26, 2018 | 11:32 AM PDT

If you want someone’s personal information, just call them up and ask for it. It takes some skill, of course, but it often works. Friendly persuasion and scare tactics go a long way. Just think of the smooth-talking telemarketers and threatening debt collectors who routinely persuade people to give out their financial information over the phone.

The same skills are also used by social engineers to victimize consumers and compromise organizations. When you pick up the phone, you never know for sure who you’re talking to—or whether you’re being targeted using voice phishing, also known as “vishing.”

Vishing comes in several varieties. Essentially, it’s a type of fraud that uses the telephone system and social engineering techniques to obtain private or confidential information from people—often financial information. Vishing can be used to scam individual consumers or as part of more sophisticated attacks against organizations.

While less common than email-based phishing attacks, vishing poses a significant threat. Wombat Security’s 2018 State of the Phish™ Report includes the results from quarterly surveys of InfoSec professionals. We found that 45% of respondents had experienced phishing via phone calls (vishing) and SMS/text messaging (smishing) in 2017.

Consumer financial fraud

A 2017 report from Financial Fraud Action UK observed a 2% rise across all fraud loss types in 2016, and attributes much of it to an increase in impersonation and deception scams.

“In an impersonation and deception scam, a criminal approaches a customer purporting to be a legitimate organization. These scams typically involve a phone call, text message or email, in which the criminal claims to be from a trusted organization such as a bank, the police, a utility company or a government department.”

Many vishing calls begin with the scammer impersonating a bank employee, telling the victim that there’s been suspicious activity or another problem with his or her bank account. To resolve this issue, they’ll need to call a toll-free number and speak to a representative. This call will be directed to the scammer, who will take down the victim’s account information and later use it to transfer money out of the account. The scammers may persuade the victims themselves to transfer the funds, as in a recent case in Scotland.

Some vishing attacks start with a phishing email that prompts the victim to call a number to resolve an issue. Others begin with a voicemail message with similar instructions. Other scams call the individual directly and attempt to capture the confidential information right then and there.

A new vishing attack that is currently targeting Korean bank clients uses a variation of Fakebank malware. Once installed on an Android device, this program can intercept calls a user tries to make to a bank, redirecting the call to a scammer who impersonates a bank employee.

Vishing and organizations

Individuals and their personal finances aren’t the only targets of vishing. Social engineers can use vishing to build relationships with key employees and take advantage of the human tendency to be open and helpful, all in order to steal data, access confidential networks, and run other scams.

Vishing is often just one element in a Business Email Compromise (BEC) attack, according to an article on DarkReading.com. BEC attacks often begin with gathering information through online searches, vishing, and phishing. A social engineer can lure unsuspecting employees into giving out seemingly innocuous information, such as details about the organization’s structure or an executive’s travel plans. This information could then be used to impersonate a superior and convince an employee to wire funds to a fraudulent account or divulge access credentials.

These types of vishing attacks could be under-reported because people don’t necessarily know when they’ve been vished. It’s not always easy to see the connection between giving out seemingly harmless information and a larger BEC attack.

Tips for avoiding vishing attacks

The simplest advice for staying safe on the phone is, “When in doubt, hang up.” Here are some additional tips to help you avoid vishing attacks:

  • Think before you speak. Scammers want you to act—and give out information—before you think things through. The person on the end of the line may sound sincere and trustworthy, but that doesn’t mean they’re legitimate.
  • Have your guard up with automated calls. Be particularly skeptical of scare tactics, prizes, and special offers.
  • Be aware that caller ID can be easily spoofed by scammers.
  • Verify phone numbers before calling back. If you’re given a toll-free number to call, look up the correct number yourself, either online or using the back of your credit card, for example.
  • Use a different phone to call back. Attackers have ways to keep the line open even if you hang up and try to call your bank’s correct number. You think you’ve reached the bank, but you’re still connected to the scammer.

For access to additional security awareness best practices and advice, visit the Wombat Security blog. 
