What is Vishing?
Voice phishing or vishing is telephone-based criminal fraud that uses social engineering to gain access to private financial and personal information. It is referred to as vishing, a portmanteau or mashup of voice and phishing.
Vishing attacks usually take the form of phone calls or voice messages. Cyber attackers can often trick victims by purporting to be from trusted entities such as reputable companies to induce them to reveal personal information, such as credit card numbers and bank details.
Vishing, sometimes called cyber vishing, is a form of phishing that uses a traditional telephone or voice over internet protocol (VoIP) call, delivered by a live caller, a text-to-speech recording, or other vishing tools. Like phishing, vishing is a type of cyber attack that uses any type of message that fraudulently represents itself as being from a trusted source with the goal of stealing information or money.
During a typical vishing attack, a scammer might place hundreds of calls using voice over IP technology and a war dialer, spoofing a bank’s caller ID to make the call seem to originate from a trusted source. Or, in a more involved vishing call, a scammer might attempt to use social engineering to induce the victim to share financial information and personal information, such as passwords and account numbers, or convince them to download “software” that is actually malware.
Traditionally, landline telephone services have been trustworthy. Each line is associated with a specific user, the person or business who pays the bill, and terminates in a known physical location. And even mobile phones are at least associated with known users.
However, vishing attackers can now use interactive voice response (IVR) systems, caller ID spoofing, and other VoIP features to make monitoring, tracing, and blocking their activities difficult. And deepfake audio can even fool many listeners into believing they are hearing a trusted source.
How Does Vishing Work?
A common vishing tactic is for the cyber attacker to configure a war dialer to call a list of phone numbers stolen from an institution or phone numbers in a given region. This allows them to succeed based on volume alone, in many cases.
Typically, an automated recording plays when the victim answers the call, usually generated by a text-to-speech synthesizer or similar vishing tool. The “recording” tells the victim about unusual activity on their bank account, or that their credit card has been frozen, for example. The message then instructs the victim to call the institution immediately, but at a specific phone number—typically the same number spoofed in the victim’s caller ID.
The victim calls the number, and again hears automated instructions—probably what they expect from a bank. They enter a bank account number or credit card number on the keypad, and possibly additional personal details, such as expiration date, security Personal Identification Number (PIN), and date of birth.
This is the simplest form of vishing, but sometimes vishing scams are more sophisticated. Human fraudsters may persuade victims by posing as employees of legitimate entities such as ISPs, banks, tech support, or others and attempt to obtain personal information. They might also convince the victim to take any number of actions, like transferring money, changing a password, downloading malware, or some other harmful activity.
Vishing attackers may also call victims and direct them to call a government agency, bank, or other trusted entity. The victim hangs up, but the vishing caller does not, so the line stays open when the victim picks up the phone again to call out. In this way, the fraudster hijacks the next call, spoofing a dial tone and impersonating the trusted entity.
To avoid this issue, consumers can hang up and then use a completely different phone to call a known number for the entity to confirm the problem.
What is a Vishing Attack?
A vishing attack is really any phishing attack launched using automated voice messages and other vishing tools over the phone. It serves the same purpose as a phishing link in an email or text, but exploits the trust that a phone call and a human voice lend to a transaction.
What is the Difference Between Phishing, Smishing and Vishing?
Phishing is the art of tricking people into revealing personal information such as usernames, passwords, and credit card numbers. Phishing is an example of social engineering—using deception to manipulate people into divulging sensitive information for fraudulent reasons.
Phishing attackers usually approach victims via email spoofing and then direct users to a fake website that matches the look and feel of the legitimate site so victims will enter personal information there. Attackers can trick users with communications that claim to come from trusted parties such as auction sites, colleagues, banks, social media websites, managers/executives at work, IT administrators, or online payment processors.
(Some describe phishing as the email version of vishing. The two are analogous, but since phishing came first, it is more accurate to call vishing the phone version of phishing.)
Essentially, vishing is phishing via phone. Vishing is an outgrowth of VoIP spam, also called SPIT (spam over internet telephony), just as phishing is a subcategory of spam.
With phishing and vishing attacks, the goal is essentially the same. The difference is the use of voice: humans tend to trust another human voice more than text, and vishing exploits that. This is the social engineering angle vishing uses and the main difference between phishing and vishing.
Smishing, a portmanteau of “SMS” and “phishing,” is simply the same type of phishing attack that uses SMS text messages as the attack vector instead of emails or voice calls.
The difference between phishing, vishing, and smishing, then, is delivery method, and to some extent target. Some victims are more receptive to certain social engineering methods than others; for example, some age groups trust voice calls much more than text. Successful smishing, phishing, vishing, and other cyber attackers make smart use of these differences.
What is spear vishing, and how does it compare to spear phishing? Unlike mass vishing with war dialers, spear vishing attacks specifically target and reach out to known victims. Like spear phishing, spear vishing demands that the attacker have specific data about the target.
For example, a spear vishing attacker might call already knowing a target’s name, occupation, and address, making it much easier to believe they are someone who should have access to an account number or PIN.
This requires more preparation and work than, for example, war dialing a list of targets with a robocall that impersonates Medicare or the IRS. But high-value targets in particular are sometimes more cyber savvy and educated, making simpler vishing scams ineffective against them.
Vishing Prevention Benefits
According to the FBI 2019 Internet Crime Report, vishing, phishing, and smishing scams cost victims $57 million in losses. Victims of these scams outnumber victims of other kinds of cyber fraud.
Unfortunately, the vishing attack is just the beginning. When cyber attackers trick victims into sharing their name, Social Security number, date of birth, credit card number, bank account details, and other sensitive information, a series of crimes with many perpetrators, often over years, begins. That victim’s identity is often never fully restored. Fraudsters can commit account takeovers, credit card fraud, and identity theft using those details.
The benefits of vishing protection are simple: ending that cycle.
Types of Vishing
There are several types of vishing, but all of them use social engineering to exploit emotion to some extent.
The first form targets victims with fear or panic. In this example of vishing, a call, either automated or live, claims a credit card account has been frozen or a bank account has been compromised. It tells you to call another number to reset your password or resolve the issue.
All the caller really wants is information, and they hope to get that by causing you to panic and make poor decisions. You call the number and leave sensitive information such as account numbers for a recording, or punch in numbers for an automated system, and the sensitive data is exposed.
Another form of vishing targets victims with excitement or desire. For example, this vishing caller says the victim has won a prize or is eligible for a giveaway—but there is always a catch. To claim the prize or redeem the giveaway, the victim has to pay for something, and the attacker usually lets them do that right over the phone with a credit card. Convenient for the attacker, but no one else.
Most Common Examples of Vishing
A huge number of fraud complaints the Federal Trade Commission (FTC) receives concern telephone contacts and vishing. Some of the most common vishing examples are as follows.
Interference with bank or credit card account
This very common vishing scam involves using a prerecorded message or a person to trick victims into providing account details, PINs, or other login credentials to resolve an issue with their bank account, a recent payment, or a credit card.
Tech support scams
In this growing category, vishers fool victims into giving up their personal information or downloading malware by impersonating legitimate technical support companies, often big-name ones. Once installed, the malware displays pop-up messages about the security of the victim’s computer and supplies additional phony tech support numbers, for example.
Unsolicited loan or investment offers
Vishing scammers will impersonate legitimate lenders and investors calling about debt forgiveness, cancellation of medical debt, or related issues. The victim will be told to pay one fee now to access the offer.
Social Security or Medicare scam
According to the Federal Trade Commission, phone calls remain the top technique scammers use to reach older adults, and their favored type of scam tends to include posing as Social Security Administration agents and Medicare employees—often during open enrollment season, depending on the scam.
IRS tax scam
These scams typically start with pre-recorded messages from spoofed caller IDs that announce problems with the victim’s tax return and legal penalties if they do not act—including a warrant for their arrest. It is a broad attack vector since almost everyone files taxes, so a blunt robocall instrument works well for attackers.
In all of these cases, vishing attacks have the same basic goals: convince victims to reveal personal information to enable further attacks and financial gain.
Signs of Vishing: How to Prevent Vishing Attacks
There are several tell-tale signs of a vishing scam:
- Caller is from a federal agency. If the caller says they represent Medicare, the IRS, law enforcement, or the SSA (Social Security Administration), it is probably vishing unless you initiated the contact. None of these agencies ever reach out to consumers to request personal or financial information by text message, email, or social media.
- Caller has an offer. Be skeptical of anyone who calls you with an offer of any kind.
- Call is urgent. Vishing scammers use the power of social engineering and either fear and panic or excitement and desire to trap victims. None of those emotions are good for making decisions, and all of them are fueled by urgency. Threats of account freezes, arrest warrants, and a prize that will be lost forever should all make you suspicious. Hang up and investigate—on a different device.
- Caller wants personal information. Whatever their reasons are, if a caller asks you to confirm any personal details, refuse. They will use what they already have to trick you into revealing the rest, so recognize this pattern.
Beyond understanding how to identify vishing, there are other things you can do to protect yourself and your business.
- Join the National Do Not Call Registry (although this doesn’t stop criminals).
- Don’t answer all calls. Caller IDs can be spoofed, so just review messages and call back only people you actually know. If it’s a business you use, call them directly.
- Hang up. If it might be a vishing call, just hang up. A real client or vendor will understand your reasoning later if you made an error. Social engineering attacks rely on social niceties and the embarrassment of victims, so don’t be afraid to end a vishing attack in progress.
- Do not respond to automated prompts, whether by pressing buttons or by speaking. Some vishing calls exist only to identify live numbers or to record the victim’s voice for later use in navigating account-linked phone menus that are themselves voice-automated.
- Verify caller identities. Do not rely on Caller ID, which is easily spoofed. Do not use call-back numbers the caller gives you. Use official public phone numbers.
- Do not provide sensitive information. If a caller asks for sensitive information, refuse if their identity is not verified.
- Create policies. Businesses should create policies governing how to verify caller identities and what kinds of information can be revealed, when, and by and to whom. Employees should know who to bring each request to and what the process is when an unusual request is made. Baking vishing protection into company policy makes verifying identity and protecting against cyber attacks part of company culture.
- Employ zero trust. The zero trust IT security model requires that the identity of every device and user be strictly verified, whether or not they are inside of the network perimeter, to grant access to private network resources, including any requested information. Establish and disseminate an approved list of acceptable requesters.
- Use strong authentication. To qualify as strong authentication, a system must not rely solely on shared secrets or symmetric keys at any point (passwords, codes, and recovery questions included), and it must robustly resist credential phishing and impersonation. No matter how much user education about vishing or social engineering takes place, some attacks will succeed. Strong authentication assumes such lapses are inevitable and prevents them from being exploited.
Does Yubico Offer Vishing Protection?
It pays to understand what vishing is and remain savvy about it, but education is not enough. Social engineering attacks are increasingly sophisticated, and some will succeed. Vulnerabilities will continue to be an issue as long as user action is required, and there is an onus on users to identify man-in-the-middle and phishing attacks, including vishing attacks.
Basic two-factor authentication (2FA), recovery questions, and passwords are all insufficient to protect against social engineering attacks. In the face of phishing attacks—including vishing calls—SIM swapping, and mobile malware, these methods are proven to fall short.
Strong multi-factor authentication at scale across a variety of devices, business-critical applications, and environments is the key to improved security and better user experience. And user experience is central to easier enterprise-level deployment, in contrast to complex point solutions that only protect a niche set of users.
Often, victims of modern phishing, vishing, and related cyber attacks never know there was a problem. They reveal personal information orally, via a keypad, or by clicking on a phishing link, and may fail to detect the issue. This data loss seeds further problems such as identity theft and vishing fraud in the future.
Yubico stops these problems. A registered YubiKey “talks” to your device and verifies identities of devices, links, and sites. The YubiKey and device can see that even a phishing link or site with a valid SSL security certificate is bogus and will refuse to authenticate.
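To make the strong-authentication criteria from the prevention list and the "will refuse to authenticate" claim above concrete, here is an added Go simulation. It is not Yubico's code, not YubiKey firmware, and not the FIDO2/WebAuthn protocol itself; it only borrows the idea that a security key signs over the origin the client actually observed. A model key holds one non-exportable key pair per relying-party ID, the client only honours a request whose relying-party ID matches the page origin, and the signature covers that origin, so a look-alike site that relays the real bank's challenge gets nothing the bank will accept. For contrast, a six-digit shared-secret code (HMAC over a counter, in the style of HOTP) read out to a caller passes the bank's check unchanged. The hosts bank.example and bank-secure.example, the "rpID|origin|challenge" digest layout, and the OneTimeCode construction are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

const ( // constructed names for the simulation; none of these hosts is real
	bankRPID    = "bank.example"
	bankOrigin  = "https://bank.example"
	phishOrigin = "https://bank-secure.example" // look-alike site a visher directs the victim to
)

// Authenticator models a security key: one non-exportable key pair per relying-party ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Assertion is the signed login response the client returns to the site.
type Assertion struct {
	RPID, Origin   string
	Challenge, Sig []byte
}

// signedData is the digest both sides agree the signature covers; it includes the origin.
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID + "|" + origin + "|"))
	h.Write(challenge)
	return h.Sum(nil)
}

// GetAssertion plays the browser role: it honours an rpID only if it is the observed
// origin's host or a parent domain of it, and the origin it saw goes into the signed data.
func GetAssertion(a *Authenticator, origin, rpID string, challenge []byte) (*Assertion, error) {
	key := a.keys[rpID]
	if host := strings.TrimPrefix(origin, "https://"); key == nil || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, fmt.Errorf("client refuses: no credential for %q usable from %q", rpID, origin)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedData(rpID, origin, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: rpID, Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty is the bank's server: it accepts an assertion only if it names this site,
// was signed for this exact origin, answers the challenge it issued, and verifies.
type RelyingParty struct {
	RPID, Origin string
	PubKey       *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(a *Assertion, issued []byte) bool {
	if a == nil || a.RPID != rp.RPID || a.Origin != rp.Origin || string(a.Challenge) != string(issued) {
		return false
	}
	return ecdsa.VerifyASN1(rp.PubKey, signedData(a.RPID, a.Origin, a.Challenge), a.Sig)
}

// login registers a fresh key with the bank, then attempts one login from the given page origin.
func login(origin string) bool {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{bankRPID: key}}
	rp := &RelyingParty{RPID: bankRPID, Origin: bankOrigin, PubKey: &key.PublicKey}
	challenge := make([]byte, 32)
	rand.Read(challenge) // issued by the real bank; a phishing site can relay it unchanged
	a, err := GetAssertion(auth, origin, bankRPID, challenge)
	if err != nil {
		return false // refused on the user's own device
	}
	return rp.Verify(a, challenge)
}

// OneTimeCode is a shared-secret second factor (HMAC over a counter, six digits, in the
// style of HOTP). Nothing in it names a site, so the bank cannot tell who typed it in.
func OneTimeCode(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m := hmac.New(sha256.New, secret)
	m.Write(buf[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(m.Sum(nil)[:4])%1000000)
}

// RelayedCode: the victim reads the code to the caller, who submits it to the real bank.
func RelayedCode() bool {
	secret := []byte("constructed-shared-secret")
	return OneTimeCode(secret, 42) == OneTimeCode(secret, 42) // the bank's own check passes
}

func main() {
	fmt.Println("security-key login from the real site accepted:", login(bankOrigin))
	fmt.Println("security-key login relayed through the look-alike accepted:", login(phishOrigin))
	fmt.Println("relayed one-time code accepted:", RelayedCode())
}
```

Running it prints true, false, true: the same key and the same bank-issued challenge produce a valid login from bank.example and nothing usable from bank-secure.example, because the refusal happens on the user's own device before any signature exists, and even a signature the look-alike somehow obtained would carry the wrong origin inside the signed data. The one-time code has no such binding, which is why the page counts codes and recovery questions as shared secrets that do not qualify as strong authentication.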
Find out more about Yubico’s vishing solution here.