What is Vishing?

Vishing is a type of social engineering attack that happens over the phone. Callers try to extract your personally identifying details to use in perpetrating another crime. The goal is often to gain access to your bank account. In vishing attacks, callers rely on social norms and expectations to convince you to interact. They pretend to be people from the government, the police, the tax department, or your bank. When a trusted authority calls you, you might be nervous, curious, or feel a real duty to respond. Fraudsters know this and exploit these feelings to get you to engage.

Vishing perpetrators often use threats and psychological tactics over the phone to convince you you're in trouble. They'll often say that providing your personal information is the only thing that can get you out of a jam. In another common vishing tactic, attackers leave threatening voicemails. They might say you'll be arrested, your bank account is in danger, or your social media accounts will be blocked if you don't call back immediately. When emotions are high, you may feel like you have no choice but to comply. Vishing attacks are getting more sophisticated with deepfake technology. As AI gets more powerful by the day, criminals can use easily accessible software programs to clone voices.

The Cyber Security Hub

Sign up now to access engaging, shareable cyber security awareness content that’s available in multiple formats.

ACCESS THE HUB

Often, cyber criminals will tailor their vishing calls and messages to the time of the year or a trending news story.

For example, during tax season, criminals will leave messages pretending to be from the IRS. During the COVID-19 pandemic, cyber criminals called people promising vaccines and testing kits if they provided their bank account information and mailing address.

What is the primary purpose of vishing attacks?

Cyber criminals use vishing to steal valuable personal data. It could be personally identifying information, bank account numbers, login details, secret passwords, or company credentials.

If the vishing attempt is successful, the criminal can use your information to access personal or company bank accounts or other valuable assets.

How Does Vishing Happen?

Successful vishing attackers aren't your typical phone pranksters. Their calls are highly strategic. Here's how a vishing attack generally proceeds:

1.

Vishing criminals start by researching their victims. If all they have is your email address, they might send a phishing email to try and elicit your phone number.

2.

If you've already been tricked by a phishing email, you're likely to trust a follow-up phone call. A sophisticated scheme may combine phishing and vishing to set up that expectation. Cyber criminals use special software to fake their area code, tricking you into thinking they're local.

When that call comes in with a local area code, that's even more reason to believe it's legitimate.

3.

Now that the cyber criminal has you on the phone, their next move is to appeal to your human instincts. Depending on the vishing scheme, it could be trust, fear, greed, or your desire to help.

The bad actor may use all or one of these social engineering techniques to convince you that divulging sensitive information is the right thing to do. They may ask for bank account information, credit card details, and a mailing address.

They might even ask you to do the work yourself—transferring funds, emailing confidential work-related documents, or sharing details about your employer.

4.

The vishing crime does not stop there. Armed with this valuable information, the cyber criminal moves in to commit further crimes. They may drain your bank account or use your credit card details to make unauthorized purchases.

If they commit full-fledged identity theft, they might use your email credentials to gain your colleagues’ trust and convince them to share confidential business information.

Some vishing schemes take a more indirect approach. Instead of forcing the action on the first call, they leave you a number to call if you have questions or want to follow up. They might claim they're the person processing your taxes or that they have your medical exam results.

This tactic legitimizes the cyber criminal and gains your trust. If you do call back, you might be led to a voicemail asking to leave information or connected to someone who will continue the vishing scam.

7 Common Vishing Scams

Vishing often combines phone calls with other techniques. Here are 7 ways phone fraudsters gain access to valuable information.

1. Deepfakes

Advanced AI is helping vishing scammers succeed by impersonating people you know. All they need to create a believable voice clone is a short voice sample, usually publicly available on social media platforms.

After the criminal initiates the call, they use text-to-speech software to direct the voice to "speak" naturally. When you think the person calling is your colleague, manager, or company CEO, you are more likely to comply with the caller's request for sensitive information.

2. Robocalls

These vishing scams are rampant, using special software to call numbers and run pre-recorded messages. The automated message claims to be from an alleged authority—your bank, the government, the police.

The recording urges you to confirm your account details or secure your account by providing your name, credit card details, bank account information, and mailing address.

3. Tech Support Call

Callers claim they're from your company's IT department, your internet service provider, or other technical support services. They say your device or connection is not secure, and they need your password or remote access to fix the issue.

In large companies, you might not personally know who works in IT. You may feel compelled to comply, thinking your colleague is just doing their job.

4. Client Call

In these vishing scams, callers try to extort money using old invoices found through dumpster diving. During the call, they pretend they're the vendor and say the invoice remains unpaid. They adopt an urgent or angry tone to pressure you to act fast to send the money.

5. VoIP Vishing

Voice over Internet Protocol (VoIP) makes it easy for vishing scammers to avoid detection. VoIP calls are from virtual numbers that are hard to trace. The criminal can create fake numbers that appear to be from legitimate-sounding local offices or institutions to perpetrate the crime.

6. Caller ID Spoofing

Like VoIP vishing, cyber criminals trick you and your caller ID by listing themselves as "Unknown" or spoofing a legitimate organization's number and name, such as a government office, hospital, police, or utility company.

7. Dumpster Diving

Even in the digital age, offices still use paper, and vishing scammers know it. They can easily collect valid employee and business phone numbers by digging through dumpsters behind office buildings and parks. They'll often find supporting details to use in a targeted vishing attack.

Social engineering is critical to the success of these vishing techniques. Always be suspicious of callers who use urgent, forceful, or overly persuasive language.

Remember that tech support, banks, governments, and hospitals will never ask for your personal bank information or PIN.

4 Examples of Vishing

While vishing is common, expecting it to happen doesn't guarantee you'll recognize it. These four examples show how easy it is for cyber criminals to convince you to comply with their requests.

1. Government Representative

The caller pretends to be a government representative and says they must verify your personal identification details and account information. If you hesitate to provide the details, the caller may threaten to suspend your tax refund or social security payment.

2. Tech Support Fraud

The caller pretends to be tech support for companies you're probably familiar with, such as Microsoft, Amazon, or a local wireless or internet provider. They may say they've noticed unusual activity on your account and want to confirm they have the correct account details.

The cyber criminal might say you need to install a software update for security reasons and ask for your email address. When you get the email and install the software, as expected, it installs malware on your computer.

3. Bank Impersonation

Using a spoofed phone number and caller ID, the cyber criminal pretends to be a representative of your bank. They'll say there's been unusual activity on your account and ask you to confirm your bank account details and mailing address as proof of identification.

The criminal then uses this information to commit identity theft.

4. Telemarketing Attack

People love prizes, and vishing attacks sometimes exploit this fact. After a caller announces you've won something for free, they'll say they need your confidential information to process the win and guarantee you receive your prize without delay.

Cyber criminals are constantly changing their vishing tactics and customizing their messages to take advantage of recent news stories, well-known hacks, or something appealing and timely like Black Friday sales specials.

How to Recognize Vishing Attacks

Vishing awareness needs to be an essential part of your organization's security awareness training. Share these tips with your employees to help them detect vishing attacks:

1. If a caller from a trusted authority asks for account access or confidential information, it could be a vishing attack. Banks, hospitals, police, and government departments do not ask for sensitive data over the phone.

2. Poor audio quality, unusual background sounds, voice glitches, and pauses could indicate a vishing attack. If you know the caller, but their voice sounds robotic or unnatural, it could be a voice clone.

3. Pay attention to the language being used. Vishing attacks often make threats and use excessively persuasive language.

4. Sometimes, vishing scammers leave phone numbers for follow-up calls. Look it up. If the number doesn't match the organization's listed number, it could be a vishing attempt.

5. Be vigilant. Calls from unknown or unusual numbers may be vishing attempts. If you decide to answer, be on high alert.

6. Calls from technical support asking for remote access or requiring you to download software updates are often vishing attempts.

7. Raise your awareness on calls from colleagues, your boss, human resources, or partner companies. If you feel pressured to divulge information or act fast with money, this may be a vishing call.

9 Best Practices to Avoid Vishing Attacks

1. Don't provide or confirm your personal information, workplace, or home address over the phone.

2. Don't answer phone calls from unknown numbers. Let the call go to voicemail, and assess the legitimacy of the message before responding.

3. Listen carefully to the caller's voice to detect anomalies or odd background noise.

4. Pause before responding to requests—especially when requests are urgent. The caller might be exploiting your sense of responsibility to act fast.

5. Ask questions. If the caller demands information or offers a prize, say you need their name and company phone number to verify who they are. If they refuse to provide this information, hang up. If they provide it, ensure it's legitimate before you provide your information in return.

6. Register your phone number with the Do Not Call Registry. Legitimate companies usually honor this list, so receiving robocalls and telemarketing calls after the fact could indicate a vishing attack.

7. Implement an authentication process for work calls that involve sensitive information. If a caller impersonates a colleague but can't answer a security question, it could be a vishing attempt.

8. Don't respond to emails or social media messages that ask for your phone number. This tactic is often the first step in a targeted vishing attack. Instead, report these emails and messages to your IT team.

9. Explore and enable protection features on your phone that block or filter out spam calls.

Vishing, Smishing, and Phishing – Do You Know the Differences?

Vishing

Uses intimidating phone calls and voicemail messages to convince victims to provide personal information and steal from the victim.

Smishing

Uses text messages to steal information and commit further cyber crimes.

Phishing

Uses a range of attack methods, including emails, fake websites, and text messages, to steal from victims. Smishing and vishing are two types of phishing.