The Cyber Security Hub
Sign up now to access engaging, shareable cyber security awareness content that’s available in multiple formats.
For example, during tax season, criminals will leave messages pretending to be from the IRS. During the COVID-19 pandemic, cyber criminals called people promising vaccines and testing kits if they provided their bank account information and mailing address.
What is the primary purpose of vishing attacks?
Cyber criminals use vishing to steal valuable personal data. It could be personally identifying information, bank account numbers, login details, secret passwords, or company credentials.
If the vishing attempt is successful, the criminal can use your information to access personal or company bank accounts or other valuable assets.
How Does Vishing Happen?
Successful vishing attackers aren't your typical phone pranksters. Their calls are highly strategic. Here's how a vishing attack generally proceeds:
Vishing criminals start by researching their victims. If all they have is your email address, they might send a phishing email to try and elicit your phone number.
If you've already been tricked by a phishing email, you're likely to trust a follow-up phone call. A sophisticated scheme may combine phishing and vishing to set up that expectation. Cyber criminals use special software to fake their area code, tricking you into thinking they're local.
When that call comes in with a local area code, that's even more reason to believe it's legitimate.
Now that the cyber criminal has you on the phone, their next move is to appeal to your human instincts. Depending on the vishing scheme, it could be trust, fear, greed, or your desire to help.
The bad actor may use all or one of these social engineering techniques to convince you that divulging sensitive information is the right thing to do. They may ask for bank account information, credit card details, and a mailing address.
They might even ask you to do the work yourself—transferring funds, emailing confidential work-related documents, or sharing details about your employer.
The vishing crime does not stop there. Armed with this valuable information, the cyber criminal moves in to commit further crimes. They may drain your bank account or use your credit card details to make unauthorized purchases.
If they commit full-fledged identity theft, they might use your email credentials to gain your colleagues’ trust and convince them to share confidential business information.
Some vishing schemes take a more indirect approach. Instead of forcing the action on the first call, they leave you a number to call if you have questions or want to follow up. They might claim they're the person processing your taxes or that they have your medical exam results.
This tactic legitimizes the cyber criminal and gains your trust. If you do call back, you might be led to a voicemail asking to leave information or connected to someone who will continue the vishing scam.
Vishing often combines phone calls with other techniques. Here are 7 ways phone fraudsters gain access to valuable information.
Advanced AI is helping vishing scammers succeed by impersonating people you know. All they need to create a believable voice clone is a short voice sample, usually publicly available on social media platforms.
After the criminal initiates the call, they use text-to-speech software to direct the voice to "speak" naturally. When you think the person calling is your colleague, manager, or company CEO, you are more likely to comply with the caller's request for sensitive information.
These vishing scams are rampant, using special software to call numbers and run pre-recorded messages. The automated message claims to be from an alleged authority—your bank, the government, the police.
The recording urges you to confirm your account details or secure your account by providing your name, credit card details, bank account information, and mailing address.
3. Tech Support Call
Callers claim they're from your company's IT department, your internet service provider, or other technical support services. They say your device or connection is not secure, and they need your password or remote access to fix the issue.
In large companies, you might not personally know who works in IT. You may feel compelled to comply, thinking your colleague is just doing their job.
4. Client Call
In these vishing scams, callers try to extort money using old invoices found through dumpster diving. During the call, they pretend they're the vendor and say the invoice remains unpaid. They adopt an urgent or angry tone to pressure you to act fast to send the money.
5. VoIP Vishing
Voice over Internet Protocol (VoIP) makes it easy for vishing scammers to avoid detection. VoIP calls are from virtual numbers that are hard to trace. The criminal can create fake numbers that appear to be from legitimate-sounding local offices or institutions to perpetrate the crime.
6. Caller ID Spoofing
Like VoIP vishing, cyber criminals trick you and your caller ID by listing themselves as "Unknown" or spoofing a legitimate organization's number and name, such as a government office, hospital, police, or utility company.
7. Dumpster Diving
Even in the digital age, offices still use paper, and vishing scammers know it. They can easily collect valid employee and business phone numbers by digging through dumpsters behind office buildings and parks. They'll often find supporting details to use in a targeted vishing attack.
Social engineering is critical to the success of these vishing techniques. Always be suspicious of callers who use urgent, forceful, or overly persuasive language. Remember that tech support, banks, governments, and hospitals will never ask for your personal bank information or PIN.
4 Examples of Vishing
While vishing is common, expecting it to happen doesn't guarantee you'll recognize it. These four examples show how easy it is for cyber criminals to convince you to comply with their requests.
1. Government Representative
The caller pretends to be a government representative and says they must verify your personal identification details and account information. If you hesitate to provide the details, the caller may threaten to suspend your tax refund or social security payment.
2. Tech Support Fraud
The caller pretends to be tech support for companies you're probably familiar with, such as Microsoft, Amazon, or a local wireless or internet provider. They may say they've noticed unusual activity on your account and want to confirm they have the correct account details.
The cyber criminal might say you need to install a software update for security reasons and ask for your email address. When you get the email and install the software, as expected, it installs malware on your computer.
3. Bank Impersonation
Using a spoofed phone number and caller ID, the cyber criminal pretends to be a representative of your bank. They'll say there's been unusual activity on your account and ask you to confirm your bank account details and mailing address as proof of identification.
The criminal then uses this information to commit identity theft.
4. Telemarketing Attack
People love prizes, and vishing attacks sometimes exploit this fact. After a caller announces you've won something for free, they'll say they need your confidential information to process the win and guarantee you receive your prize without delay.
Cyber criminals are constantly changing their vishing tactics and customizing their messages to take advantage of recent news stories, well-known hacks, or something appealing and timely like Black Friday sales specials.
How to Recognize Vishing Attacks
Vishing awareness needs to be an essential part of your organization's security awareness training. Share these tips with your employees to help them detect vishing attacks:
1. If a caller from a trusted authority asks for account access or confidential information, it could be a vishing attack. Banks, hospitals, police, and government departments do not ask for sensitive data over the phone.
2. Poor audio quality, unusual background sounds, voice glitches, and pauses could indicate a vishing attack. If you know the caller, but their voice sounds robotic or unnatural, it could be a voice clone.
3. Pay attention to the language being used. Vishing attacks often make threats and use excessively persuasive language.
4. Sometimes, vishing scammers leave phone numbers for follow-up calls. Look it up. If the number doesn't match the organization's listed number, it could be a vishing attempt.
5. Be vigilant. Calls from unknown or unusual numbers may be vishing attempts. If you decide to answer, be on high alert.
6. Calls from technical support asking for remote access or requiring you to download software updates are often vishing attempts.
7. Raise your awareness on calls from colleagues, your boss, human resources, or partner companies. If you feel pressured to divulge information or act fast with money, this may be a vishing call.
Find Out How Your Click Rate Stacks Up!
Download a copy of the 2022 Gone Phishing Tournament Report to see how 1.2 million employees from 250 organizations fared last year at detecting fraudulent messaging attempts.
9 Best Practices to Avoid Vishing Attacks
1. Don't provide or confirm your personal information, workplace, or home address over the phone.
2. Don't answer phone calls from unknown numbers. Let the call go to voicemail, and assess the legitimacy of the message before responding.
3. Listen carefully to the caller's voice to detect anomalies or odd background noise.
4. Pause before responding to requests—especially when requests are urgent. The caller might be exploiting your sense of responsibility to act fast.
5. Ask questions. If the caller demands information or offers a prize, say you need their name and company phone number to verify who they are. If they refuse to provide this information, hang up. If they provide it, ensure it's legitimate before you provide your information in return.
6. Register your phone number with the Do Not Call Registry. Legitimate companies usually honor this list, so receiving robocalls and telemarketing calls after the fact could indicate a vishing attack.
7. Implement an authentication process for work calls that involve sensitive information. If a caller impersonates a colleague but can't answer a security question, it could be a vishing attempt.
8. Don't respond to emails or social media messages that ask for your phone number. This tactic is often the first step in a targeted vishing attack. Instead, report these emails and messages to your IT team.
9. Explore and enable protection features on your phone that block or filter out spam calls.
Uses intimidating phone calls and voicemail messages to convince victims to provide personal information and steal from the victim.
Uses text messages to steal information and commit further cyber crimes.
Uses a range of attack methods, including emails, fake websites, and text messages, to steal from victims. Smishing and vishing are two types of phishing.
To learn more about vishing and how you can keep your employees and organization cyber secure, take advantage of these free cyber security awareness resources:
Contact us at 1-866-889-5806 or at [email protected] to learn more about vishing.
Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.