Vishing is a type of phishing attack carried out through a phone call or voicemail, and it’s becoming more popular every day. Through a combination of emotional manipulation and scare tactics, malicious actors are able to trick people into giving up their private and important information. Annoying calls from robots are one thing, but it can be extremely difficult for a person to just hang up the phone when they hear a real human on the line, telling them that they’re in danger.

Along with social engineering, hackers spoof real phone numbers in an effort to lead the victim to believe the calls are legitimate. If you choose not to answer the phone, the attack will continue through voicemail. Sometimes these attacks even come in the form of text messages with malicious links to fake websites. 

Deep Fake Technology

Although a lot of vishing attacks are made by a real person, some are fully automated. The voice on the other side of the line sounds exactly like a human. Deep fake technology is artificial-intelligence based. In these cases of vishing, malicious actors use some form of voice generation software to impersonate a real voice. 

This form of phishing attempt can target anything from your personal username and password to something like a bank account. Additionally, they could be looking for the login credentials required to gain accounting information from an organization.

The most relevant real-world example occurred very recently in 2019. A deep fake convinced a UK-based energy firm’s CEO to transfer $243,000 to a Hungarian supplier within an hour of receiving the call. 

The CEO was under the impression that he was given these orders by the CEO of his parent company based in Germany and was told it was urgent. Additionally, the voice had a German accent making it all the more convincing. The funds were eventually moved to various other locations, including Mexico, and the culprits still haven’t been found.

Vishing Scams Can Vary

Bank Fraud

As previously mentioned, one of the most popular forms of vishing targets bank-related information. In most cases the victim will receive a voicemail on their personal cell phone letting them know that their account has been compromised and must be reset. For the cybercriminal, a best-case scenario would mean that the message makes the recipient panic and forces them to dial the number back.

This usually leads them to an automated recording asking them to verify some piece of sensitive information, whether it’s a bank account or a social security number. Because the caller believes they are resolving a security issue by providing this information, they don’t think twice before giving it away.

Fake Prizes and Contests

Another popular form involves a fake prize or offering. In this type of scheme the victim is typically left with a voicemail saying they are the lucky winner of something extravagant. In order to claim their prize they’re required to pay shipping and handling. 

Unfortunately, if the prize is lavish enough, this will push a victim to hand over their credit card details. If you didn’t enter any kind of contest, odds are you didn’t win anything and should approach the conversation skeptically.

Telemarketing Fraud

Telemarketing fraud can take a few forms. You may receive a call from a “credit card company” notifying you that they have an interest rate reduction promotion. These can also pop up as a request for charitable donations, unrealistic business investments, or a notification about your expiring car warranty. 

Vishers will continue to attack until they find the right victim. They use very specific language during these calls and voicemails as well. Ultimately, if the phone call results in a stranger asking you for personal private information, you should hang up immediately.

The Government

There are a few different kinds of vishing schemes that involve government impersonations. Many times, the impersonator will claim they are from the IRS and that you owe taxes. They will also threaten to arrest you or take away your license if you don’t pay up immediately. That kind of threat from an organization that actually exists is more than enough to get someone to give their money away.

If you’re actually concerned about the status of your taxes, contact the IRS directly. A government impersonator may also call insisting they’re from Medicare and that you’re overdue for a new card. They will then ask you to confirm your Medicare number, which unfortunately is also your Social Security Number. Medicare actually doesn’t do this, but some still fall victim to the scam.

Don’t be a Victim

Generally speaking, you should be suspicious of all unknown callers. Although many cybercriminals target large organizations like financial institutions, they’re also after your personal information. The last thing you want is a data breach.

The safest practice is to let those numbers go to voicemail. Some vishing calls will even pop up as a legitimate business. 

If you do decide to answer the phone and the caller begins selling you something, ask as many questions as you can. 

In the meantime, search them online to see if they’re a real person calling from a legitimate organization. Social engineering preys on the trusting and sensitive nature of humans. It’s important to keep your cool and hang up before giving out any information.

If you’d like to learn more about this and other kinds of phishing scams, contact The TNS Group today for more information.
