We have all heard of "phishing", the well-known e-mail scam in which the scammer poses as a trusted source to deceive recipients into revealing sensitive information or downloading malware.
Vishing ("voice phishing") is the telephone equivalent. It is a trick with many variations that can fool both individuals and large organizations, with potentially catastrophic consequences.
It may seem unlikely that you would fall victim to such a scam, but in 2020 alone phishing, smishing, pharming and vishing cost more than $54 million across more than 241,000 victims. And those are only the cases reported to the FBI, since many frauds are never reported to the authorities.
According to the international cybersecurity company ESET, there are measures we can take to avoid falling victim to voice phishing.
But first let's look at how these scams work, how they affect businesses and individuals, and then how we can protect ourselves from them.
1. The problem with social engineering
"Voice phishing" works well against both consumers and businesses for a very simple reason: human nature.
Scammers use social engineering to manipulate their victims. They pose as someone you trust, such as your bank, a technology company you deal with, a government agency or a technical support worker, and give you the impression that something urgent or worrying is happening. The sense of urgency or fear they create overrides whatever natural caution or suspicion the victim may have.
These techniques are used in phishing emails and fake text messages (known as smishing, from SMS phishing), but they may be even more effective when used "live" over the phone. Vishers, the fraudsters who use voice phishing techniques, have many additional tools and tactics to make their scams more successful, such as:
- Caller ID spoofing tools, which can hide the scammer's real location and even change the displayed number so that the call appears to come from a trusted organization. Last year, for example, personal information of Ritz London hotel guests was stolen in a breach of the luxury hotel. The scammers then used that data to carry out social engineering attacks against the victims, spoofing the hotel's official phone number in the process.
- Scams combining several tactics, which may start with a fake SMS (smishing), a phishing email or a voicemail that urges the user to dial a number. If the victim calls, they speak directly to a scammer.
- Research on the victim. Scammers can gather a wealth of information about their targets from social media and other open sources. They use it to single out specific individuals (say, employees of companies with access to privileged accounts) and to make the conversation seem legitimate: the scammer discloses some personal details to the victim in order to extract more.
2. The impact of vishing in the workplace
In the corporate environment, vishing may be used to steal credentials. The FBI has repeatedly warned of such attacks. In August 2020 it described an advanced operation in which cybercriminals studied their targets in detail and then phoned them pretending to be calling from the IT department. Victims were directed to enter their login details on a phishing website built to look like the login page of the company's VPN. The credentials were then used to access company databases and steal customers' personal information.
Such attacks have become more common partly because of the massive shift to remote work during the pandemic, the FBI has warned. In fact, the FBI was obliged to issue another warning in January 2021 about an operation in which similar techniques were used to give cybercriminals access to corporate networks.
The well-known attack on Twitter, in which employees were deceived by vishers into revealing their logins, shows that even technology companies can fall victim. In that case the access was used to hijack the accounts of prominent Twitter users and spread a cryptocurrency scam.
3. How can voice phishing target your family?
Unfortunately, fraudsters also use vishing against consumers. In these attacks the ultimate goal is to make money from you, either by directly stealing bank account or card details, or by tricking you into handing over personal information and credentials that can be used to access those accounts.
Here are some common scams:
◦ Technical support scams
In technical support fraud, victims are approached by someone pretending to call from a telecommunications provider or a well-known software or hardware vendor. The scammer claims to have found a problem on your computer and then asks for a fee (and your card details) to fix it. Sometimes the "fix" involves getting the victim to install malware without realizing it.
◦ Mass automated calls ("wardialing")
This is the practice of sending automated voice messages to large numbers of potential victims, usually trying to scare them into calling back, for example by claiming that they have unpaid tax bills or other fines.
Another popular tactic is the call in which the scammer claims you have won a prize. The only catch is that a cash deposit is required before the "prize" can be released.
◦ Phishing / smishing
As mentioned, a scam can start with a fake email or fake SMS that urges the user to call a number. A popular one is an email purporting to come from Amazon, claiming that something is wrong with a recent order. By calling the number, the victim ends up talking to the scammer.
4. How to prevent voice phishing
Although these scams are becoming more sophisticated, there is a lot you can do to mitigate the risk. According to ESET, these are some key steps:
- Remove your phone number from public directories so that it is not available to the public.
- Do not enter your phone number on online forms (e.g. when shopping online) if you can avoid it.
- Be wary of any request for banking, personal or other sensitive information made over the phone.
- Be cautious: do not get drawn into a conversation with an unexpected caller, especially one who asks you to confirm sensitive information.
- Never call back a number left for you in a voicemail. Instead, contact the organization the caller claims to represent through the contact details it publishes itself.
- Use multi-factor authentication (MFA) on all online accounts.
- Make sure your email and internet security software is up to date and includes anti-phishing features.