Vishing is a type of social engineering technique that leverages voice communication technology.
Published on Thursday 3rd of August 2023 02:55 PM
In a vishing attack, threat actors or “vishers” use fraudulent phone numbers, voice altering software, and other social engineering tactics to entice people to divulge personal and sensitive information over the phone. Advanced vishing attacks exploit Voice over Internet Protocol (VoIP) technology to create fake phone numbers and spoof the caller ID so that the call appears to be from legitimate companies or institutions. VoIP makes it easy for vishers to automate hundreds of scam calls over the internet and these numbers are hard to trace. Let's break down the process of how the attacks work:
1) Data Collection
Threat actors (a person or automated system) will use various techniques to collect phone numbers for broad, indiscriminate, attacks. They will also research and collect information for a targeted attack towards individuals and businesses. There are several ways they collect this information:
2) Voice Manipulation
Threat actors may employ machine learning (a subset of Artificial Intelligence) technology, to create a simulation of a person's voice. This technique, called voice cloning, is used to add realism to the attack by disguising the voice and impersonating someone the victim knows.
3) Fraudulent Calls
Threat actors can spoof/fake their caller ID and will call from as many numbers as possible to leave a prepared voicemail message to ask the victim to call. In more advanced attacks, threat actors may use voice synthesis software to hide their identity or control the cloned voice of a high value target during the call.
Examples of Vishing Scams
Threat actors will use this method to attempt to get the victim to give away banking and credit card information. They will then use the information to login to accounts to access funds, make unauthorized purchases or, in combination with other social engineering attacks, perform identity theft to take out loans
Attackers will attempt to pose as a civil servant, usually from departments dealing taxes and finance. They will use threatening language and scare tactics to get the victim to give up personal details or send money. An example of a scare tactic can be the threat of legal action for "unpaid" taxes. Attackers will also impersonate law enforcement to try and get the victim to give up personal details to use in identity fraud.
Attackers will pose as a high level executive (CEO, COO, CFO) and will try to convince victims to comply with requests. These requests are usually related to releasing funds, authorizing approvals for access to sensitive information, or even asking victims to buy gift cards for a co-workers birthday.
Threat actors will attempt to pose as a legitimate business to try and get you to purchase goods or services that are never provided. They will also claim that you won a prize and will ask for a "claim fee" or ask you to provide personal information to send you the "prize", but will instead use that information for fraud or to facilitate other attack types.
Technical Support Scams
Attackers will pose as a support representative from a well know company, claiming there are issues with your computer or devices. They will try to get the victim to release personal information to verify your identity. They will also often try to ask permission to remotely access your computer to troubleshoot or install software. While doing so they will use malicious software to have your system appear to be infected to get you to pay for support or even just install viruses and key-loggers to get information and credentials.
How to spot scams and protect yourself
What to do if you think you have been the victim of a vishing scam
Take the following actions if you have been a victim of a vishing scam.