Nearly half of infosec professionals reported experiencing vishing or smishing in 2018
Vishing. Phishing. Smishing. These terms sound like
something a child made up and then decided to make the other two rhyme. But as
you likely already know (or will soon discover), vishing, phishing, and
smishing are very real and very dangerous threats to businesses and individuals.
When we talk about phishing, for
example, many people think of the word in terms of scams that cybercriminals
use to obtain sensitive information via email. And they would be right — but that
definition only describes one part of a much bigger picture. That’s because phishing
isn’t limited to email alone. There’s also voice phishing, or what’s
referred to as “vishing.” There’s “smishing,” which uses SMS/text messages as
an attack vector (which we’ll discuss more in a future article). Other forms of
phishing include spear phishing, HTTPS phishing, CEO fraud/business email
compromise… the list goes on and on.
For this article, though, we’re going to focus
solely on vishing. But what is vishing and what does it mean for you personally
and professionally? Let’s take a deep dive into the world of voice phishing. We’ll
talk about what it is and how it works, we’ll provide some examples of common
vishing attacks, and we’ll cover what you can do to protect yourself and your business.
Let’s hash it out.
Breaking Down Voice Phishing: What is Vishing?
Vishing, or voice phishing, is a form of scam that
uses phone calls to get prospective victims to share personal or financial information. Scam
calls have risen sharply over the past couple of years. In 2017,
scams represented only 3.7% of all incoming mobile calls. In 2018, that number
reached nearly 30%.
Research from First Orion indicates that:
“…scammers are now using personal information to target consumers directly by impersonating legitimate companies to swindle money. In fact, 75% of victims report that scam callers had their personal information and used this to extract additional data, leading directly to a financial loss.”
Phone phishing refers to calls from people who are
pretending to be from the government, a reputable company or organization
(enterprise spoofing), or even a family member who needs help (relationship
fraud). To get victims to share personal and financial information, they use
social engineering tactics (psychological and social methods of manipulating
or tricking people) and play on the victims’ own emotions to get them to hand over
information or to perform a specific action.
We could get into an explanation of how, at their core,
these attackers are turning the innate fixed
action patterns and stimulus responses we have as human beings against us,
but that would mean going down a rabbit hole that would require a lot more
So, here’s the simplest way to understand what voice
phishing is and how it works: A malicious actor wants you to comply with
a demand that, under normal circumstances, you would refuse (handing over
your personal or financial information). They do this by manufacturing a situation
that triggers an emotional response such as fear, urgency, curiosity, or even
excitement. The actor then positions themselves as an authority, either someone
who can help you fix the problem or someone who can benefit you in some way. After all, you’re
a lot more likely to share your personal information with someone when you
think that you’re about to lose a lot of money or have just won a significant prize
such as the lottery.
While vishing often targets individuals, it isn’t a
consumer-only problem. Voice phishing also targets businesses, usually by trying to get
employees to provide account information. Here’s a reconstruction by Get Safe
Online of an actual vishing phone call to a small business in which a visher
attempts to gain access to the company’s confidential account information to
The Nitty-Gritty: Who Does the Vishing and How Do They Do It?
Vishing can be performed in several ways. These calls can
have a real, live person on the other end of the phone line who is trying to
scam you, or they can be fully automated where you’re dealing with a robot
only. Some types of voice phishing calls are even a hybrid of the two — where
you’ll receive a call from an automated system that will then have a real
person step in to take over the call.
Thanks to a newer technology known as a deep
fake, there’s now a new and alarming voice phishing scam on the
rise: artificial intelligence-based vishing. For a recent example of how this
technology can be used for vishing, look no further than an unidentified UK-based
energy firm that was scammed out of $243,000. A malicious actor
used voice generation software to impersonate a German executive at the
UK firm’s parent company (which is located in Germany) and convinced
the UK firm’s CEO to transfer the money to a Hungarian supplier on the
promise that the funds would be reimbursed immediately.
Most vishing calls are placed using voice over internet
protocol (VoIP) technology combined with caller ID “spoofing,” which makes
them very difficult to trace. The number shown on your caller ID is whatever the
originating party chose to assert; unless the carriers along the call path attest to it,
nothing verifies that the displayed number actually belongs to the caller, so a familiar
number on the screen proves nothing about who is really calling. This also makes it
much harder for law enforcement to clamp down on these crimes and catch those who are
responsible for committing them.
Vishing by the Numbers
Research from the FBI Internet Crime Complaint Center’s
(IC3) 2018 Internet
Crime Report indicates that “phishing/vishing/smishing/pharming” accounted
for 26,379 victims and $48,241,748 in losses in 2018. Keep in mind, however,
that these numbers represent only the victims who reported the crimes.
They don’t include people who chose not to report, or who aren’t yet
aware that they were scammed in the first place.
There’s no doubt that voice phishing is on the rise. Proofpoint’s
2019 State of the Phish report indicates that nearly half (49%) of surveyed
infosec professionals reported experiencing vishing and/or smishing in 2018.
Unfortunately, the report also indicates that the overwhelming
majority of the global audience doesn’t know what vishing is. Only 18%
could accurately identify vishing; another 19% were incorrect in their
understanding of it, and a full 63% indicated that they had no clue as to what
That last statistic is particularly troublesome considering
that phishing phone calls affect so many people each year. What makes things
worse is that these malicious actors and their tactics are becoming more and
more clever every year.
Breaking Down Voice Phishing: 4 Common Vishing Examples
There are many types of voice phishing that exist. Here,
we’ll break down four of the most common vishing scams:
1. Telemarketing Fraud
Telemarketing is something that every person who’s not
living under a rock is familiar with. This category encompasses many types of
phone spam calls, including the ones informing you that:
- your vehicle
warranty is about to expire;
- they’ve been trying to reach you about an interest
rate reduction promotion for your credit card;
- a charity needs your help and that you can make
a difference with even just a small donation;
- you have an incredible business investment
opportunity; or even that
- you’ve won an all-expenses
paid stay at one of Marriott’s resorts.
Yeah, you know, those calls.
These types of voice phishing scams are among the most
persuasive (and pervasive) types of fraud. They typically consist of
unsolicited phone calls that promise some type of “gimme,” something that the
victim is going to get or benefit from in some way. These scams most frequently
target seniors and elderly individuals like Carolyn Turner, who lost $40,000 in a
telemarketing scheme (more about what happened to Carolyn in the video below):
According to the Federal Trade
Commission (FTC), the following are a few warning signs you should be aware
of that can help you spot telemarketing scams from a mile away:
- “You’ve been specially selected (for this offer).”
- “You’ll get a free bonus if you buy our product.”
- “You’ve won one of five valuable prizes.”
- “You’ve won big money in a foreign lottery.”
- “This investment is low risk and provides a higher return than you can get anywhere else.”
- “You have to make up your mind right away.”
- “You trust me, right?”
- “You don’t need to check our company with anyone.”
- “We’ll just put the shipping and handling charges on your credit card.”
If you receive any phone call from someone telling you
you’ve won something, that they have a deal for you, or any other line of cow
dung that leads to the inevitable question of them asking for your personal or
financial information, tell them where to stick it and hang up. When it comes
to protecting your personal information, remember this saying: When in doubt,
don’t give it out!
2. Government Impersonations
We’re from the government and we’re here to help — at
least, that’s what some vishers want you to believe.
Data from the FTC’s Consumer Sentinel Network indicates
that impersonating government employees may be the favorite ruse of voice
phishing scammers. The FTC reports
that “since 2014, the FTC has gotten nearly 1.3 million reports about
government imposters. That’s far more than any other type of fraud reported in
the same timeframe. This spring, monthly reports of government imposter scams
reached the highest levels we have on record.” In May 2019 alone, roughly
46,600 government imposter scams were reported to the Consumer Sentinel Network.
These identity-theft scams can involve someone pretending to be from:
- The Internal Revenue Service (IRS) — This
vishing scam involves a malicious
actor (often from a foreign country) pretending to work at the IRS. They’ll
tell you that you owe taxes and, if you don’t pay up immediately, that they’re
going to revoke your license, deport you, or throw you in jail. These scams
involve trying to get the victim to provide their personal information and/or
buy pre-paid gift cards. Rest assured that Uncle Sam doesn’t want your
supposedly delinquent taxes paid with Amazon gift cards. If you receive a phone
call with this type of demand, hang up immediately. If you’re still concerned,
call the IRS directly.
- Medicare — This type of scam often
involves someone calling and pretending
to work for Medicare. They say that you’re due to get a new Medicare card,
but in order for you to receive it, they first need to confirm your
Medicare number (which, on older cards, was your Social Security number). This is
not how Medicare operates; it doesn’t call to ask for your number before sending a card.
But people still frequently fall for this scam. If you provide your personal
information, it can then be used to file bogus medical claims in your name, and the
criminal pockets the money.
- The Social Security Administration — This
particular scam involves someone calling and pretending
to be from the Social Security Administration (SSA). They’ll feed you a
line about how the SSA doesn’t have all of your personal information
and needs you to confirm it before you can receive the benefits you’re
entitled to. They’ll often threaten that if you don’t provide the information,
you won’t start receiving your Social Security benefits, or that benefits
you already receive will be terminated. As with the other examples we just
mentioned, this isn’t how the SSA operates.
3. Tech Support Fraud
Another type of vishing scam involves people
pretending to work for a tech support company. The supposed “tech support
representatives” often will call and claim to be from a reputable and
well-known company; they may even claim to be from Microsoft or Adobe.
Frequently, this actor will inform their intended victim that there’s something
wrong with their computer and that the victim needs to grant them remote access to fix
it. Granting that access hands the caller full control of the machine, so the fake
service fee is not the only thing at stake. This voice phishing tactic often involves
pretending to run a diagnostic test on your machine. Their stated goal is to get you, as
the victim, to pay for a tech support service that you don’t need to fix a problem that
doesn’t actually exist. Clever, eh?
But not all tech support fraud phishing phone calls
involve the criminal calling you. Sometimes, they will lure you into calling
them! The way they do this is by using pop-up messages on your computer screen.
These warnings, frequently designed to look like they come from your antivirus
software or operating system, inform you that threats have been detected on
your machine and direct you to call a specific phone number to speak with a
Another computer-based variation of this vishing scam
involves the actor creating a website for a fraudulent tech support company and
getting the site to appear in search engine results for tech support. Or, they
may even run online ads that advertise their fake company’s phone number.
Either way, these scams, unfortunately, are highly
successful and can lead to millions in losses. As the FBI IC3 report
we mentioned earlier indicates: “In 2018, the IC3 received 14,408 complaints
related to tech support fraud from victims in 48 countries. The losses amounted
to nearly $39 million, which represents a 161% increase over losses from 2017.”
This brings us to the fourth and final type of voice
phishing scam that we’re going to cover in this article.
4. Bank or Financial Institution Impersonations
Financial vishing scams often involve an actor impersonating
your bank, credit card company, or another financial institution to get
information from you. They may call saying that there are fraudulent charges on
your account, or they may be calling you with a “special offer” — but you have
to act now or else you’ll miss out! Either way, as with the other forms of
vishing, their goal is to get you to share your personal, financial, or account
credential information over the phone.
I received such a call just a few weeks ago while at
work. I saw my cell phone light up with an incoming call. Since it was a number
I didn’t recognize, I figured it was a spam or voice phishing call and let it
go to voicemail. Within a minute, they called back a second time, then a third.
This caught my attention, so I answered it. (The last time a similar situation
happened, the missed calls were from my home security service provider and,
needless to say, I wished I hadn’t missed the call.)
The caller addressed me by my first name and introduced
herself, saying that she was from my bank and was calling about my debit card
ending with the last four digits ****. She informed me that there was
suspicious activity on my account and wanted to verify that the charges were,
in fact, mine. Doubtful, I pulled out my purse to look for my debit card (to
verify whether the numbers they listed would match my card). While I was doing
this, she continued on, saying that if the transactions turned out to be
fraudulent, they’d reverse the charges, close my card, and would send a new one
in the mail.
The caller then asked if I was traveling in California at
this time, to which I responded that I wasn’t. The woman then said that she
would need to verify some information before they could continue. But the whole
thing was starting to feel very suspicious, and I told her that I’d need to
hang up and call the bank directly myself. Of course, she said she understood
but disregarded my concern, urgently stating that time was of the essence and that
we needed to act quickly to verify the charges and get my account closed, if
At this point, I’d pulled out my first debit card and
asked her to repeat the last four numbers on the card. She did, and it didn’t
match my card. I checked the numbers on my other debit card, and the situation
was the same — the numbers didn’t match.
Realizing her scam for what it was, I asked her what bank
she said she worked for. She said TD Bank. I told her nice try, but I knew what
she was up to and wasn’t going to share any account information with her. She
muttered something unintelligible and hung up.
To satisfy my curiosity, I decided to look up the phone
number she’d called from via Google. Lo and behold, she was spoofing the bank’s
real phone number to make her vishing call look legitimate.
Techniques Used in Effective Phishing Phone Calls
I’m not one to congratulate criminal elements, but I did
have to tip my hat to this visher. She sounded confident and was both well-spoken
and well-rehearsed in the delivery of her spiel. Her accent made her sound like
she was from the Midwest region of the U.S. Her voice conveyed a sense of
urgency while still sounding compassionate and understanding of the position I
was supposedly in as the victim of financial fraud.
All of these are effective traits for a phone phisher.
After all, their goal is to get me to trust them enough — or feel panicked
enough — to provide my personal information to fix the situation as quickly as
possible. Thankfully, I was able to recognize the threat for what it was and
didn’t fall victim to the scam. But it’s amazing (and scary) just how quickly
the whole situation occurred.
The situation I described above happened in less than a
minute. I write about cyber security for a living, and I know better than to
engage with scammers. But she caught me in a moment of unawareness while my
brain was focused on my work, and that’s what every scammer hopes will happen.
They want to catch people like you and me off guard because we make more
Here are a few things that these malicious actors aim to
achieve when targeting you with phishing phone calls:
- Catching you by surprise with an unsolicited call.
- Causing you to react with an emotional response
(such as fear or panic) to a fake scenario.
- Creating a sense of urgency so that you
ignore the little red flags or warning sounds that are going off inside your head.
- Getting you to trust them or feel like they have your
best interests at heart.
- Making you feel like you’re doing the right
thing or making a good decision by cooperating.
What You Can Do to Protect Yourself and Your Business from Voice Phishing
So, when you’ve got vishers hounding you each day on your
cell phone or landline (yes, people still do have those), what can you do to
end their reign of terror? (Aside from smashing your phone against the wall.)
There are a few ways to fight back against voice phishing.
Data from a Consumer Reports survey shows that 70% of 1,002 surveyed U.S. adults
said they no longer answer their phone for calls coming from numbers they don’t
know. Furthermore, 62% reported letting most calls go to voicemail, and 47%
registered their phone numbers with the National Do Not Call Registry.
But there are other things you and your business can do
as well to fight back against vishing:
- Don’t answer your phone when you receive phone
calls from unknown numbers.
- Don’t respond to unsolicited sales, marketing,
or outreach messages.
- Don’t call phone numbers that are provided in
online ads, pop-up windows, emails, etc.
- Register with a paid robocall blocking service.
- Educate yourself, your loved ones, and your
employees about potential threats and scams. Teach them to hang up and call the
person, department, or company directly using official phone numbers (such as
from an official directory).
- Inform your company’s IT department about any
potential scam calls or emails.
- File an official complaint with the FTC and
local, state, or federal law enforcement agencies.
There’s one key thing you should always do whenever you
receive an unsolicited call, especially one that claims to be from your bank or
another financial institution: Hang up and call back using the phone number from the
organization’s official website. For banks and financial institutions, use the phone
number printed on the back of your debit or credit card. Don’t rely on the number shown
on your caller ID, since it can be spoofed, and don’t ever use the contact information
that’s provided to you in an email, a text message, or the unsolicited call itself.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/what-is-vishing-how-to-recognize-voice-phishing-phone-calls/