Vishing is a particular form of phishing attacks. The letter ‘v’ indicates that this form of attack is done by using voice over the phone. Vishing scams victims into giving up their personal information. These attempts may also involve social engineering techniques such as pretexting and tricks like caller ID spoofing. Vishers typically use Voice over Internet Protocol (VoIP) technology, which allows you to make calls using your broadband Internet connection instead of a regular telephone line. This makes their efforts more efficient. So what you should know about vishing and vishing attacks?
How does vishing work?
All of vishing is done with the intent to lure away personal data from the intended target, mostly in order to benefit financially. Vishing works by contacting the victim over the phone and asking for confidential information, such as account numbers, passwords, PINs, and social security numbers.
Someone may pretend that the data they are requesting is needed to verify customer accounts or upgrade their security protection, etc. All of this is only a clever front of social engineering, trying to gain the trust of an unsuspecting victim.
These criminals can also use a sort of sales pitch about free gifts or low-interest rates to lure their victims into giving up personal information. Vishing is not a new form of scam whatsoever, but it has evolved into a much more dangerous threat nowadays. That’s mostly due to the fact that VoIP calling technology has been made compatible with robot callers. Such technological advancement made these operations work on a much larger scale and thus – much more profitable for those who devise such schemes.
Vishing can be very effective by targeting thousands at once because the connection is happening in real-time, whereas with traditional phishing and emails, the recipient has time to analyse and reply.
How to spot a vishing attack?
When someone calls you out of the blue and asks to hand over your data, Vishing should be the first thing that comes to mind. It might not be true 100% of the time, but being aware is key. The fact is that no reputable company should contact a customer over the phone to change or discuss their data right then and there. If anything, your manager or representative might call you to inform you that something is up and encourage you to change something ASAP at your own will, but will never ask for your IDs, bank account numbers, or passwords. If you get requests for any one of those – hang up and report the number to your carrier and the company that they were trying to impersonate.
Vishers typically try to prove that they’re genuine and authenticate their identity by mentioning specific details about you or your account. They might pretend they are calling from a financial institution, credit card company, tech support, etc.
Even if the caller ID matches with the company they say they are calling from, it may be spoofed. Vishers can use dedicated software to change the numbers that show up on your caller ID, so you ought to always be vigilant and check their entire number through a different channel before answering or handing out any personal information whatsoever. If in doubt, don’t even bother answering the phone.
Notable examples of vishing attacks
As you probably can guess, and as we’ve mentioned, this is one of the older tricks in the book. Only now, with robo-calls and much more sophisticated technology at their disposal, vishers are becoming more and more dangerous. Throughout history, there have been numerous worthwhile examples of vishing attacks.
IRS demands payments in iTunes gift cards
One that comes to mind is one that happened in 2015, across the United States. Vishers targeted nearly a million people all around the U.S. by impersonating IRS workers and requesting payments for taxes and due fines, related to tax mismanagement, and similar matters. All seems well until you get to know how payment was requested. With iTunes gift cards!
Thousands fell for the scam and transferred up to $500 worth of iTunes gift cards per request. However, sorry, but victims can only blame themselves for having seemingly no awareness of the situation. When IRS or tax officers call you to collect payment via iTunes gift cards, you should know something is wrong.
Mobile banking ID scams in Europe
Another scam that’s prevalent nowadays, and is carried out via smishing and vishing is focused on Europe. It’s simply called the Mobile Bank ID scam.
In Scandinavian and many other EU countries, you have separate ID apps that people use to log in to online banking and authenticate transactions. They’re integrated albeit entirely independent and separate from the banks (sort of 2FA).
In this scam, Swedish vishing hackers contacted bank customers, identified as bank representatives and introduced a worrying security problem with regards to their banking ID. They would be encouraged to follow a few simple steps to check whether the account has been compromised or not with the ID app. All the while, users would just allow access to their accounts, without even giving their password. Very clever social engineering, that seems harmless to the user. Once logged in to the accounts, vishers would clean them out, and since particular wire transfers are very hard to track and to cancel, the money would just be stolen.
Since then, banking ID apps have been upgraded to help prevent this form of fraud via vishing, but it’s still quite prevalent via smishing.
Million-dollar scam around Christmas
Back in 2010, a con-artist contacted one of the largest Northern Europe’s banks and impersonated to be a representative of a large corporate client. Over a few weeks he frequently called the offices, gaining the trust of bank’s employees, but particularly – one person from the business services department.
Right before Christmas the visher called and requested an unusual and immediate transfer of $7.5 million to foreign, dedicated accounts. Bank employees who have already familiarised themselves personally with the caller, granted the request without too much further verification. Since it happened right before Christmas, the client only noticed missing funds after the Holidays, when it was long gone.
As you can see, Vishing falls under what is by far the largest category of internet and cyber crime, accounting for close to 35% of total financial damages annually. It’s worth knowing about to help spot and prevent it in the future.
Are vishing attacks more dangerous than smishing or email phishing?
To be frank, there is no damage limit in case of vishing attacks. Even though some preventative measures exist and more people are getting aware of how this works, criminals are also not standing still and finding ways to innovate, progress and exploit new technology for their benefit.
But is vishing something that you should worry about much? Or maybe it’s the other versions of such scams that occur via SMS messages – Smishing and email phishing that you should worry about?
In all senses, vishing is a more sophisticated version of email phishing and smishing. What’s the difference? Communication in real-time and hearing someone else’s voice offers much more potential for quick gains of confidence.
Answer this – When do you believe people are most likely to buy things, when they get a cold email, an SMS out of the blue or when they’re called personally? Yes, there’s something about voice communication that makes people trust each other and the information that’s being shared, more.
It’s easy to fake an email, it’s easy to write something that isn’t true. But there’s something about people that makes the victim believe that the person on the other end of the phone is indeed what he says he is. What’s more, anti-vishing protection is much less advanced than against email phishing and smishing.
If you wanted to know more about vishing, then hopefully this article gave you the knowledge that you need. Even though you can use protective software, there’s no replacement for actually increasing your own awareness and trying to spot vishing attacks before and when they happen. What is most important – don’t let your guard down. No matter who calls or what security problems are mentioned, always be more suspicious of strange requests and don’t do anything you’re not comfortable with right away. Keep in mind, no one should ask for passwords, passcodes or bank account info over the phone. Take your time and contact a secondary source for verification.