Vishing

What is the definition of vishing?

Vishing, short for voice phishing, refers to fraudulent phone calls or voice messages designed to trick victims into providing sensitive information, like login credentials, credit card numbers, or bank details. These details can then be exploited for criminal activities such as fraud, identity theft, or financial theft. Phishing attacks are common and costly: In 2022, phishing was the second most-common cause of data breaches, costing organisations an average of US$4.91 million in breach expenses.

In vishing scams, attackers pretend to be from reputable organisations (such as the victim's bank, the IRS, or a package delivery service) and make unexpected phone calls. They might use toll-free numbers or use voice over internet protocol (VoIP) technology to appear as trusted organisations.

However, these attacks aren't limited to phone calls. Many vishing attacks start with a phishing email, urging the recipient to dial a number. Once in a call, scammers use social engineering tactics to convince the target to share their personal details.

Often, vishing scams target the elderly, new employees, and employees who regularly receive external calls as part of their job. Defending against vishing attacks requires vigilance, informed precautionary measures, and robust email security solutions. This page explores the preventative techniques and tools that can safeguard your sensitive information against vishing attacks.

What is the purpose of vishing?

The main purpose of vishing is to illegally acquire private, sensitive information from individuals or businesses. The types of valuable information scammers want can include:

• Confidential details such as bank account and credit card numbers
• Personal data like Social Security or identification numbers
• Security credentials, passwords, or PINs

Why do people engage in vishing?

Attackers opt for voice communication due to two unique advantages in manipulating victims: urgency and trust. Voice calls allow scammers to catch individuals off guard, leading them to make impulsive decisions. Through voice calls, scammers can also establish a personal connection to the target, dynamically respond to the victim's behavior, and exploit emotional cues, something not easily achievable through standard phishing emails.

Vishing is increasingly attractive to scammers as advancing technologies make deception easier and more effective. Free or inexpensive tools like VoIP and caller ID spoofing impersonate trusted numbers and obscure attackers' identity and origins. Scammers are also beginning to use sophisticated software to clone an individual's voice, making fraudulent communications even more convincing. As deepfake technology becomes more accessible, the distinction between real and synthetic voices is blurring, significantly increasing the danger of vishing attacks.

What's the difference between vishing, phishing, and smishing?

Vishing, phishing, and smishing employ different types of communication, but their objectives are the same: taking control of accounts, committing fraud, or stealing funds from unsuspecting individuals or businesses.

Here is the difference between these three phishing methods:

• Vishing: Phone call scams that pressure victims to share sensitive information verbally
• Phishing: Email scams that lure victims into clicking links leading to deceptive websites or malware downloads
• Smishing: Text message scams that also prompt victims to click malicious links or visit fake websites

How do vishing emails avoid detection?

Not all vishing attacks start with a phone call. Many attackers start their scam with a well-crafted email, posing as an authoritative or trusted entity. They persuade the recipient to follow up to their demands through a phone call. When a vishing attack begins with a phishing email, how does it get through email security filters? There are three possible reasons for this:

• No links in email: Security systems easily flag emails with malicious links. However, a vishing email typically prompts the recipient to make a phone call, avoiding the need for links that standard security tools can identify. The content emphasises initiating a call, sidelining traditional clickable links or buttons that are standard in phishing attempts.
• Email from a so-called authentic sender: Impersonated email accounts can pass authentication screenings such as Domain Based Message Authentication Reporting (DMARC), Sender Policy Framework (SPF), or DomainKeys Identified Mail (DKIM), if sent from a personal email address, such as a Gmail account.
• Ineffective email security tools: If an email successfully passes the first two filters, it may be categorised as low risk by basic email security systems and delivered to recipients' inboxes. This common problem can be mitigated with sophisticated email security software designed to detect and remediate phishing attempts, business email compromise, and ransomware.

Phone numbers, unlike URLs, aren't routinely tracked and shared as indicators of compromise (IOC) in the cybersecurity community. This lack of structure around phone numbers increases the likelihood of vishing campaigns evading conventional email security checks.

Vishing examples

Advances in technology have evolved common vishing scams into incredibly convincing attacks. Capitalising on human trust and urgency, these scams mimic real businesses and scenarios, resulting in serious consequences for organisations.

Here are a few examples of common vishing attacks:

ATO tax scam

IRS vishing scams often feature a prerecorded voice message alerting you to a problem with your tax return, urging you to contact the IRS directly through a provided number. These messages are usually spoken in a threatening tone, warning that failure to respond could lead to a warrant for your arrest.

Impersonating the IRS is a common tactic among cybercriminals, both in email and voice scams. The IRS's name creates immediate trust and a sense of panic, compelling victims to act swiftly without questioning the legitimacy of the request.

Tech-support attacks

In tech-support vishing scams, fraudsters act as representatives from tech companies like Apple, Microsoft, and Google, alerting you to suspicious activity on your online account. They often request your email to send vital software updates, which turn out to be malware-infected downloads.

Tech-support scams exploit the victim's potential lack of technical knowledge. These scammers employ scare tactics, suggesting severe security threats or technical problems to instill fear and a sense of urgency. They might offer immediate solutions that grant them remote access to the victim's computer. If granted access, attackers can steal personal or corporate data, install malicious software, or cause systemwide damage.

Bank-impersonation scams

Bank-impersonation scams involve scammers impersonating credit card companies, banks, and other financial institutions to gain unauthorised access to your accounts. Claiming there is unusual or suspicious activity, they ask you to verify your account details and login credentials under the guise of resolving the issue.

If you call your financial institution directly, you may be asked to verify your identity with confidential information. However, legitimate financial institutions will never call you to ask for your passwords or security codes.

Department of Social Services or Australia Taxation Office (ATO)

Older adults are often targets for cybercriminals as they may be less familiar with modern phishing scam tactics. In these scams, criminals pose as Social Security or Medicare officials to extract sensitive account details, allegedly to issue a new Social Security number or discuss benefits. The older adult demographic tends to favor phone communication over email or text messages, exposing themselves more to vishing schemes than to phishing or smishing attacks.

Inform friends or family members whom you think are susceptible to these types of scams that the IRS, Social Security Administration, or Medicare will never call them demanding personal information or issuing threats. Legitimate federal agencies do not contact citizens by phone, email, text, or social media to request personal or financial information.

Delivery scams

The prevalence of online shopping has made it challenging for many individuals and businesses to keep track of their purchases, and cybercriminals are capitalising on this oversight. Scammers, masquerading as Amazon or UPS representatives, notify customers about alleged shipping issues and provide a contact number for queries about these fictitious orders.

When unsuspecting customers dial in, they are greeted by scammers posing as customer service, ready to pry personal details from the callers. As events like Amazon Prime Day surge in popularity and online shopping becomes even more routine, consumers need to be aware of these delivery scams.

Loan and investment scams

Extreme caution is crucial when approached with any investment opportunity offering high returns with little risk, or loans that claim to pay off debt unusually quickly. If the offer sounds too good to be true, it usually is.

Here are some essential tips to protect yourself from these loan and investment scams:

• Ask about risks and associated costs
• Resist high-pressure pitches or aggressive sales tactics
• Insist on receiving specifics in writing and follow up with your own research
• Don't commit solely because of the caller's title or trustworthiness
• Verify the registration of the investment and the promoter
• Dismiss any claims of completely risk-free investments or guaranteed returns; these are red flags, as genuine investments always carry some level of risk

Voice-cloning vishing scams

Voice-cloning technology uses artificial intelligence to craft alarmingly realistic fake audio or video clips. Cybercriminals are now using these AI tools to fabricate voice recordings that mimic those of a target's family member or trusted figure. For instance, a CEO's voice can be replicated to request a significant financial transfer. A lower-ranking employee might believe the call is genuine due to the accurate voice imitation and comply due to a sense of urgency and respect for the authoritative request.

As voice-cloning tools become more sophisticated and available, the risk of such scams grows, underscoring the need for strong security protocols and heightened vigilance—even when the caller sounds familiar.

What are the signs of vishing?

Recognising the signs of a vishing attempt can be the key to safeguarding your identity and finances. Here are tips on how to spot a vishing scam:

• Spoofed phone numbers: Vishing scammers often use spoofed phone numbers that appear to be from trusted businesses or institutions, subtly different from the real ones. For instance, scammers might use numbers that closely resemble those of a legitimate bank, relying on the likelihood that recipients may not notice the minor difference. Always be cautious, even when the caller ID shows a local number or company name you recognise.
• Aggressive call tactics: Vishing and phishing tactics typically incite urgency or fear. You might hear phrases like urgent account problem, suspicious activity detected, or final warning to prompt hasty reactions. Be wary of any call that requires you to act quickly, especially if it involves personal data or money. They might also fake familiarity, hinting at prior conversation, relationship, or corporate hierarchy. These methods build what feels like rapport, but gradually, they guide victims towards compromising actions.
• Unexpected sensitive data requests: The goal of a vishing attack is to steal your sensitive information, such as passwords, PINs, verification codes, or financial information. Legitimate institutions will never request such details through unsolicited calls.
• Using publicly available information: Scammers might present what seems like personal knowledge about you, harvested from online sources or social media, to make the call seem legitimate. However, knowing your address, recent transactions, or family details does not confirm the caller's authenticity. 
• Verify independently: If a call seems suspicious even when it sounds genuine, don't act immediately. Instead of following the caller's instructions, hang up and call the institution or person directly using a verified number from their official website or your contacts. Always avoid using numbers provided during the suspicious call.

What should you do if you've experienced a vishing attack?

If you've fallen victim to a vishing attack, taking immediate steps can help mitigate potential harm and prevent further exploitation of your information. Here is what you can do:

• Alert your financial institutions of the fraudulent activity, and request to freeze or monitor your accounts for unusual activities.
• Change all compromised passwords, PINs, and security credentials on your accounts, using unique, strong passwords for each.
• Notify the relevant company or institution that the scammer claimed to represent, as they may provide additional assistance and take steps to warn others.
• File a complaint with the Federal Trade Commission (FTC) or the FBI's Internet Crime Complaint Center (IC3) to contribute to their efforts in combating these types of scams.
• If you're an employee who disclosed sensitive corporate information, immediately inform your company's IT department or cybersecurity team to initiate damage control protocols.

Vishing and other cybercrimes will continue to exploit the public for as long as scammers can successfully deceive individuals. However, taking the time to identify and counter vishing attempts can help diminish their effectiveness. Keep reading to learn how you can prevent vishing attacks.

How can you prevent vishing and phone scams?

To mitigate vishing attacks and reduce their potential impact on your organisation, consider these best practices:

Protect your accounts with multi-factor authentication (MFA)

MFA is a security tool that protects applications by requiring two or more verification factors to access an account, rather than just a single password. Even if a cybercriminal steals a password in a vishing scam, MFA makes it significantly harder for them to bypass the additional authentication barriers.

Bolster your email security with threat defense

Vishing attackers often use email to initiate their schemes. To defend against vishing, phishing, and business email compromise (BEC) attempts, it is crucial to evolve your email security beyond native security filters.

A comprehensive email threat defense solution can significantly lower the risk of vishing scams infiltrating your organisation. Consider a solution like Cisco Secure Email Threat Defense that can identify and swiftly remediate phishing attempts before they can cause potentially catastrophic consequences for your organisation.

Register with a Do Not Call list

Reduce your risk of vishing attacks by registering with a national Do Not Call list. These lists, often maintained by governmental agencies, can significantly reduce the number of unsolicited calls you receive from legitimate companies. While it won't stop scammers, it can make spotting suspicious calls easier.

Avoid answering unsolicited calls

Train employees in the following best practices when handling phone calls:

• Avoid answering calls from unrecognised numbers. If you are uncertain if the caller is legitimate, let the call go to voicemail, then listen to the message. Be mindful that Caller IDs and phone numbers can be manipulated.
• The moment you feel suspicious of a caller you're speaking to, hang up and block the number. Criminals can use AI to replicate a person's speech from as little as a 3-second clip to later impersonate you for fraudulent activities.
• Refrain from redialing a missed call, especially from an unfamiliar number. Instead, seek out the official phone numbers from trustworthy sources such as official websites, credit cards, or documented account statements.
• Do not respond to voice prompts from an unsolicited call that ask you to press buttons or respond to yes or no questions. Scammers use these tricks to confirm they've reached a real and compliant person, which can lead to more vishing calls.

Be alert to vishing social engineering tactics

Train employees to be vigilant of these social engineering strategies that may indicate a vishing attempt:

• Threats of immediate account closure, legal action, or arrest if you don't comply quickly
• Promises of large rewards, cash prizes, or exclusive deals requiring instant decision-making
• Callers who feign kindness or claim to have a personal connection, seeking to lower your defenses
• Insistence on secrecy discouraging you from consulting with others or verifying their legitimacy

If a caller employs these tactics, politely but firmly end the call. Remember, legitimate companies and authorities do not conduct business this way.

Review the following elements carefully if you received a potential vishing email or text message:

• The name, email, and phone number of the sender or caller
• The style and urgency of the language used
• Any inconsistencies or errors in the content provided
• The nature of the call-to-action request, especially those demanding immediate action

Never share sensitive data over the phone

Always exercise caution when a caller requests personal or corporate details such as account numbers, PINs, passwords, or any other confidential data. If you feel uneasy or sense something amiss, trust your instincts; terminate the call, and consult directly with the institution in question through verified communication channels.

Ask for proof of identity

Always prioritise data security by requesting the caller to validate their identity. Legitimate representatives from reputable organisations will willingly provide details about their position, purpose of the call, and the institution they represent. For added assurance, note down their name and then reconnect using a phone number sourced directly from the organisation's official website or your own records, bypassing any number they might suggest. This step is vital to ensuring you're interacting with a legitimate representative and not falling prey to vishing schemes.

Train employees in phishing prevention tactics

Allocating time and resources to regularly educate your employees on current vishing defense strategies is crucial. These training programs should educate on the latest trends in cyberthreats, defensive strategies, and how to respond effectively if targeted, ensuring that your team is an active defender of your organisation's sensitive data and finances.