CSO Online
Aug 3, 2020
What is vishing? Understanding this high-tech phone scam
CSO Online | Aug 3, 2020
Vishing (short for voice phishing) is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements.
Copyright © 2020 IDG Communications, Inc.
Similar
What is vishing? Understanding this high-tech phone scam
Vishing (short for voice phishing) is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone.
While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements, like automated voice simulation, or the scammer may use personal information harvested from earlier cyberattacks to put victims at ease.
No matter what technology is used, the setup for the attack follows a familiar social engineering script:
An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we're more likely to trust a human voice.
-----------------
Let's look at some statistics that shed light on the state of vishing and why it can be a lucrative business for attackers.
• Vishing attacks have been on the rise over the past few years. In 2018, scam calls represented nearly 30% of all incoming mobile calls.
• 75% of scam victims report that vishers already had some personal information about them, which they used to target them and get yet more information.
• Of people who report government imposter vishing scams to the FTC, only 6% had actually lost money — but those who did lost quite a bit, with the median loss being $960.
--------------
How vishing works
Almost all vishing attacks have a few things in common.
The phone calls are initially placed via voice over IP (VoIP) services, which makes it easier to automate some or all of the process and more difficult for victims or law enforcement to trace. And the attacker's goal is to profit from you in some way — either by harvesting bank account information or other personal details they can use to access your bank accounts, or by tricking you into paying them directly.
But within the universe of vishing scams, there are a wide range of techniques and strategies. They run the gamut from largely automated "shotgun" attacks targeting many potential victims in hopes of a few bites to laser-focused scams that take aim at specific high-value targets.
Perhaps the most widespread form of vishing begins with so-called "wardialing" — that is, hundreds or thousands of automated calls to hundreds or thousands of numbers. The potential victim (or their voicemail) will get a recording meant to scare or trick them into initiating a phone call themselves back to the scammers. Often the vishers will claim to be from the IRS or some other government agency, or from a bank or credit union.
-------------
How to prevent vishing
Hopefully the material we've covered so far will help spot a scam, but here are three key points to keep in mind:
• Be suspicious of a call claiming to be from a government agency asking for money or information. Government agencies never call you out of the blue demanding — or offering — money. When in doubt, hang up, independently seek out the real number for the agency, and call them to find out if they're trying to reach you.
• Never pay for anything with a gift card or a wire transfer. That's a strong sign of a scam.
• Don't trust caller ID. It's very easy to fake.
Here's another good rule of thumb: one thing that every vishing scam has in common is an attempt to create a false sense of urgency, making you think you're in trouble or about to miss an opportunity and need to act right now. It never hurts to take a moment to pause, write down information about the caller without offering any of your own, and then call back after doing research.
Vishing (short for voice phishing) is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone.
While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements, like automated voice simulation, or the scammer may use personal information harvested from earlier cyberattacks to put victims at ease.
No matter what technology is used, the setup for the attack follows a familiar social engineering script:
An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we're more likely to trust a human voice.
-----------------
Let's look at some statistics that shed light on the state of vishing and why it can be a lucrative business for attackers.
• Vishing attacks have been on the rise over the past few years. In 2018, scam calls represented nearly 30% of all incoming mobile calls.
• 75% of scam victims report that vishers already had some personal information about them, which they used to target them and get yet more information.
• Of people who report government imposter vishing scams to the FTC, only 6% had actually lost money — but those who did lost quite a bit, with the median loss being $960.
--------------
How vishing works
Almost all vishing attacks have a few things in common.
The phone calls are initially placed via voice over IP (VoIP) services, which makes it easier to automate some or all of the process and more difficult for victims or law enforcement to trace. And the attacker's goal is to profit from you in some way — either by harvesting bank account information or other personal details they can use to access your bank accounts, or by tricking you into paying them directly.
But within the universe of vishing scams, there are a wide range of techniques and strategies. They run the gamut from largely automated "shotgun" attacks targeting many potential victims in hopes of a few bites to laser-focused scams that take aim at specific high-value targets.
Perhaps the most widespread form of vishing begins with so-called "wardialing" — that is, hundreds or thousands of automated calls to hundreds or thousands of numbers. The potential victim (or their voicemail) will get a recording meant to scare or trick them into initiating a phone call themselves back to the scammers. Often the vishers will claim to be from the IRS or some other government agency, or from a bank or credit union.
-------------
How to prevent vishing
Hopefully the material we've covered so far will help spot a scam, but here are three key points to keep in mind:
• Be suspicious of a call claiming to be from a government agency asking for money or information. Government agencies never call you out of the blue demanding — or offering — money. When in doubt, hang up, independently seek out the real number for the agency, and call them to find out if they're trying to reach you.
• Never pay for anything with a gift card or a wire transfer. That's a strong sign of a scam.
• Don't trust caller ID. It's very easy to fake.
Here's another good rule of thumb: one thing that every vishing scam has in common is an attempt to create a false sense of urgency, making you think you're in trouble or about to miss an opportunity and need to act right now. It never hurts to take a moment to pause, write down information about the caller without offering any of your own, and then call back after doing research.
Popular
Featured videos from IDG.tv