Finance glossary

What is vishing?

Bristol James
Vishing (voice phishing) is when a caller makes a fraudulent attempt over the phone, asking victims to release sensitive and personal information. Vishing, sometimes initiated with voice-activated software, is commonly used to gain access to information such as passwords, social security numbers, banking information and more.

What do scammers get from vishing?

Cyber criminals and scammers may use their own voice, or voice-activated software and recordings, to impersonate a trusted person with the intent to gain access to personal data. For example, banks often warn customers never to release their personal banking information over the phone, especially on an inbound call, without taking proper steps to verify that the caller really is the bank.

CommBank notifies customers how to avoid vishing scams
Source: CommBank

The Vishing Process

Vishing is a type of social engineering focused on gaining a victim's trust so they will divulge sensitive information. It may even result in the victim taking an action, such as sending funds on behalf of themselves or their company.

Victim research & contact

In the age of AI, ChatGPT and applications such as WormGPT, it’s becoming increasingly easy for cyber criminals to research and get access to a person’s contact information. Some scammers are even selling personal details on the dark web, making it easier than ever to find victims worth targeting. All this to say, scammers will do their research and then they will make contact – in the case of vishing, this contact will be made over the phone.

A combination approach

In more sophisticated attempts, scammers may couple their vishing attempts with other phishing tactics, such as a well-written phishing email before or after they make phone contact. In some instances, scammers may send an email on behalf of a trusted brand (i.e. the bank or a company you may have a subscription with), notifying you of an issue with your account and asking you to contact them over the phone. Phone numbers may even be localised by area code, or disguised under a 1-800 number, making it harder to work out where the person on the other end is located.

Appealing to your situation

Once the scammers have accessed your personal information and had a moment to do a bit of research, they will tailor their vishing scheme to your unique situation or lifestyle. This can include, as mentioned above, impersonating your bank of choice. In more extreme situations, they may attempt to pressure victims by instilling a sense of urgency and fear, encouraging people to divulge personal information or transfer money immediately. In the age of deepfakes, vishing has escalated to a whole new level, making it even harder to trust who is on the other side of the phone. Just this year, headlines broke telling people to ‘beware of virtual kidnapping ransom calls’.

The most popular vishing scams to know and avoid

Cyber training experts warn of 7 common vishing scams today:

  1. Deepfakes: a type of synthetic media, usually a video or image that convincingly depicts someone doing something they did not do. These artificial videos and images are usually created through generative artificial intelligence (AI).
  2. Robocalls: a pre-recorded auto-message impersonating a government agency, bank, embassy or other entity prompting the person on the other end to take an action.
  3. Tech Support Call: scammers will impersonate well-known tech organisations such as Microsoft, Apple or Google, giving falsified information about a person's device(s) to encourage them to divulge passwords, install malware or hand over remote access.
  4. Client Call: fraudsters will impersonate another company or vendor, mentioning they have an unpaid invoice that is past due and they are seeking payment. This is a common scam towards accounts payable teams, often coupled with a phishing scam with a falsified invoice attached. In sophisticated attempts, this type of scammer will replicate an actual vendor’s invoice with matching amounts, only having subtly changed the account number to trick people into transferring the sum of money to the wrong account.
  5. VoIP Vishing: short for Voice over Internet Protocol vishing, this is when perpetrators use software to localise their incoming call numbers, to make their impersonation attempts seem even more legitimate.
  6. Caller ID Spoofing: similar to VoIP, criminals trick a person's caller ID by listing themselves as a legitimate organisation’s number and name, such as a government office, hospital, police, or utility company.
  7. Dumpster Diving: less common in today’s digital world, but in this situation, scammers will actually search through an organisation's trash hoping to gain access to useful information or employee details.

Spotting and avoiding vishing calls

It’s important to stay current with cyber crime news, as the space is evolving quicker than ever. Because tactics are becoming more refined and harder to detect, the first line of defence is awareness and training. This should be a priority for individuals, as well as corporations and businesses.

  1. Question everything, especially the questions being posed: any time you receive a phone call where someone is asking you personal questions about your identity, banking, or anything else, make sure you stop and think before you divulge the information. Can you verify the number you’re being contacted on? Asking for the opportunity to call them back can also help. This way you can get the correct phone number for the company the caller is claiming to work for (i.e. the bank), call them directly and confirm the inbound call was legitimate.
  2. Reverse number look-up: take a minute to google the phone number and see if it’s been flagged as a scam. It’s becoming increasingly popular for people to compare and search scam numbers to spread awareness and get answers.
  3. Don’t download or install files: if someone calls you and mentions they are from your company support team or someone else, and their approach is for you to download something on your computer, do not do this. Make sure you do your due diligence and confirm this is a legitimate request before installing anything on your system. Not only can this put your personal files and data at risk, but you could become responsible for a corporate data breach.
  4. Quality check: what’s the quality of the call like? Can you hear a lot of noise in the background? Does the caller sound unnatural? When you ask questions back, does it seem like a genuine human on the other end?
  5. Seek advice: don’t feel guilty removing yourself from a potential vishing situation if you’re unclear. Take your time and trust your gut. If you’re feeling pressured to give personal information, allow yourself the opportunity to leave the call and follow-up once you’ve assessed the situation. Speaking with friends, family or your IT team at work can help put your mind at ease when it comes to potential scam situations.

Summary

  • Vishing (voice phishing) is when a caller makes a fraudulent attempt over the phone asking victims to release sensitive and personal information.
  • Vishing scammers will do their research, find out a person's contact information, and take a tailored approach to their attempts.
  • To avoid falling victim, be sure to question everything, be critical of call quality, take advantage of reverse number look up, and feel confident seeking advice from your personal and professional network before divulging any personal information.
