Vishing is a form of phishing. The pronunciation and spelling are very similar, but what exactly is the difference? In this article, we will address that question and explain what vishing is. Finally, we will discuss a number of examples.
What is vishing?
Vishing, short for voice phishing, is a deceptive tactic employed by cybercriminals to manipulate individuals over the phone and trick them into divulging sensitive information or performing unauthorised actions. Unlike traditional phishing attacks conducted through email or text messages, vishing utilizes voice communication to exploit human vulnerabilities and gain the trust of unsuspecting victims.
The difference between phishing and vishing
While vishing shares similarities with phishing, there are distinct differences in the methods employed. Phishing typically relies on electronic communication, while vishing relies on voice conversations. Vishing attackers use social engineering techniques to create a sense of urgency, fear, or authority, manipulating victims into revealing confidential data or performing actions that compromise security.
Vishing thrives when criminals have some prior knowledge of a user’s interests. They use this knowledge to appear more trustworthy and abuse the victim’s trust.
According to the BBC, $16 billion worth of credit card fraud occurred worldwide in 2015, and vishing accounted for $1 billion.
Why do vishing attacks occur?
Vishers are motivated by various factors, including financial gain, identity theft, or access to valuable information. They employ a range of techniques to deceive their victims, such as spoofing caller IDs to appear as trusted organisations, impersonating authoritative figures or customer support agents, and employing persuasive narratives to manipulate emotions and extract sensitive details.
Examples of vishing
Financial Vishing
Vishing criminals may impersonate your bank, credit card provider, or other financial organisation to gain access to your financial accounts. In this case, the fraudster usually claims that the victim’s account has abnormal behavior or is fraudulent and requests validation of the victim’s bank details, account number, and/or postal address.
Technical support scams
The caller pretends to be a representative of a reputable company, such as Google or Apple. They regularly send a warning to the victim’s account, informing them of suspicious behaviour and asking for confirmation of their account details. They may also look for an email address to send the victim a software update with instructions to install it on their computer to protect against account hijacking. In reality, the software update contains malware to infect the victim’s PC.
Tax fraud
A recorded voicemail message warning the victim of a problem with his tax return is often used in this type of fishing attack. This is usually followed by a threat of arrest if you do not call back.
Vishing Techniques
Attackers employ several techniques to deceive and manipulate their targets over phone calls. Understanding these techniques is crucial for recognising and protecting oneself against such attacks. Common techniques employed are:
Caller ID Spoofing
Caller ID spoofing is a technique used by attackers to manipulate the displayed phone number on the recipient’s caller ID. By spoofing legitimate phone numbers or using familiar area codes, attackers can make their calls appear to originate from trusted sources such as banks, government agencies, or reputable organizations. This manipulation of caller ID helps vishers gain the trust of their victims and increases the likelihood of successful social engineering.
Impersonation of Trusted Entities
Attackers often impersonate well-known and trusted entities to establish credibility and deceive their targets. They may pose as bank representatives, government officials, tech support personnel, or customer service agents. By assuming these roles, vishers exploit the trust individuals have in these organisations or authorities.
Pretexting and Persuasive Narratives
Pretexting involves crafting a fictional scenario or narrative to manipulate the emotions and behavior of the target. Attackers skilfully create scenarios that trigger urgency, fear, or a need for immediate action.
How to prevent against vishing attacks
In practice, you cannot directly prevent vishing. If your data is exposed to hackers, for example, a criminal may call you at some point. However, awareness is the biggest step and the best defence against any form of cybercrime.
If you do not recognise a number or a situation that feels suspicious, be on your guard. Never give out data over the phone. If in doubt, always call the authority yourself or visit them at their postal address. Criminals can also spoof telephone numbers, which makes it seem as if your bank is actually calling you, while this is not the case.
For companies, we recommend cyber security awareness training for employees to increase awareness of cybercrime risks.
FAQ
If you receive a suspicious phone call, it is important to remain calm and cautious. Do not provide any personal or financial information during the call. Hang up and independently verify the caller’s identity by contacting the organisation they claim to represent using official contact information from their official website or other trusted sources.
Yes, organisations can be targeted by vishing attacks, especially if they hold valuable data or sensitive information. Attackers may target employees in key positions or use vishing as a part of a larger social engineering campaign.