Fluxgate

Vishing Calls: Don’t Fall Victim to This Sneaky Scam

Andrea Abbondanza, 20 Jun, 2024

Phishing attacks continue to evolve, with variations across many media, from text messages to emails. One of the oldest forms is vishing, or voice phishing.

Are you familiar with a scammer claiming to be from your bank, warning of suspicious activity on your account, and asking for your account number and PIN? This old type of scam is one example of vishing, and many people still fall victim to it.

Fear not—we’ll review the tactics behind vishing and arm you with practical tips to stay one step ahead of these scammers. Read on!

What is Vishing?

A scam alert on a mobile phone

Short for “voice phishing,” vishing refers to fraudulent phone calls or voice messages that aim to trick victims into providing sensitive information.

Although the technique is old, the number of vishing attacks globally rose by 10% during Q2 2023, following a more substantial 40% increase in the preceding two quarters.

This attack often involves impersonating reputable organizations, such as banks or government agencies, to deceive recipients. 

As technology advances, vishing attacks are becoming more sophisticated, including deepfake voices.

What is the Purpose of Vishing?

A woman being shocked because of a scam alert

The goal of this attack is to manipulate social norms and emotions, convincing victims to share personal information over the phone.

Commonly targeted data are login credentials, credit card numbers, bank details, identification numbers, Social Security numbers, passwords, or PINs. These details are then exploited for criminal activities like fraud and identity theft.

Common Vishing Scams

Caller ID scam

Beyond plain phone calls, these scams also incorporate other techniques, such as:

Deepfakes

AI has spread into many industries, and voice AI, or audio deepfakes, is one result. These voice impersonations convincingly mimic real voices, making them a potent weapon for fraudsters.

The first documented case occurred in 2019, when the CEO of a UK energy company wired over 200,000 euros, believing the request came from the parent firm.

Robocalls

These are phone calls made by computerized autodialers to deliver prerecorded messages. Cheap and easy to execute, robocalls are a popular method for scammers to trick victims into revealing personal data.

This method is easy to detect, especially because the voices don’t sound as human.

Tech Support Calls

Scammers pose as tech support personnel from large companies like Microsoft, Amazon, or AT&T. They call, claiming to have detected a harmful virus on your device or alerting you about an important, urgent software update.

Their goal? To trick you into revealing personal information or granting remote access to your device.

Client Call

In this vishing scam, attackers pretend to be business clients or customers. They may make urgent payment requests, such as asking for an invoice to be paid immediately. This is how they steal company funds.

VoIP Vishing

VoIP, or Voice over Internet Protocol, enables caller ID spoofing. This trick allows scammers to customize the display name on their caller IDs, and it is easy to trace as they use virtual numbers.

Caller ID Spoofing

Like VoIP, caller ID spoofing involves intentionally altering the information displayed on a victim’s caller ID. Scammers hide their identity or impersonate someone else, making calls appear legitimate.

They might appear as a bank representative, a hospital, a government agency, or another legitimate organization. Sometimes, they might also appear as “Unknown”.

Dumpster Diving

This is a low-tech attack in which cybercriminals search through physical trash to find discarded sensitive information. They collect documents or data that individuals or offices carelessly throw away.

Even digital waste (e.g., discarded storage devices) can be a source of information. Later, this information can be used to support their future vishing attacks.

What are the Signs of Vishing?

An anonymous attacker performing vishing attack

Staying alert to vishing attacks means noticing these signs:

Aggressive Call Tactics

Vishing calls use phrases like ‘urgent account problem’ or ‘suspicious activity detected’ to create urgency or fear.

Beware of hasty reactions—legitimate institutions won’t pressure you to act in a hurry.

Using Publicly Available Information

These scammers use information from public resources, such as your social media accounts, to make the calls appear more believable.

At first, these calls might sound personalized because the caller is familiar with general information about you. However, knowing your public information doesn’t confirm the authenticity of the caller.

Spoofed Phone Numbers

Scammers often use phone numbers that appear similar to trusted businesses or institutions. Be cautious, even if the caller ID shows a local number or familiar company name.

Unexpected Sensitive Data Requests

Vishing aims to steal sensitive information (passwords, PINs, etc.). Real organizations won’t ask for such details via unsolicited calls.

Examples of Vishing

A vishing attacker

These are some of the most common real-life vishing scenarios, described here so you can recognize each one.

Bank Impersonation

Scammers pose as representatives from your bank, claiming urgent account issues or suspicious activity. They pressure you to reveal personal information, such as account numbers or PINs.

Always verify such calls independently using official contact details.

Tech Support Fraud

Impersonators pretend to be tech support agents from reputable companies (like Microsoft or Amazon). They claim your device has a virus or needs an update.

They aim to trick you into granting remote access or sharing sensitive data.

Telemarketing Attack

Scammers call, pretending to offer products, services, or investment opportunities. They manipulate emotions, create urgency, and pressure you to make quick decisions.

Be cautious—legitimate telemarketers won’t use aggressive tactics.

Government Representative

Pretending to be a government representative, these attackers will ask you to provide personal identification numbers or other account information. Sometimes, they may even threaten you if you refuse to provide it.

If their words imply a threat, the caller is most likely not a real government representative.

What’s the Difference Between Phishing, Vishing, and Smishing?

Phishing prevention

These three terms often confuse people. While they seem similar, there are some differences.  

  • Phishing: This is the general term for this attack. It often occurs via emails or social media, where malicious attachments or links are sent, urging victims to share private information.
  • Smishing (SMS Phishing): It involves text messages that impersonate trustworthy sources like banks or legitimate companies, often accompanied by fake links leading to fraudulent sites aimed at stealing sensitive data.
  • Vishing (Voice Phishing): Vishing occurs over phone calls. The attacker poses as an organization representative, convincing victims to take specific, immediate actions.

Best Practices to Avoid Vishing Attacks

A woman being suspicious of a vishing attack

To avoid falling victim to this attack, please follow these best practices:

  • Verify the legitimacy of the caller independently.
  • Avoid payment via gift cards and wire transfers.
  • Avoid confirming your personal info.
  • If someone creates urgency out of the blue and insists you call back immediately, take a moment.
  • Research and verify using official contact numbers.
  • Familiarize yourself with your bank’s communication practices.
  • Listen for anomalies in the caller’s voice.
  • Understand how companies handle account-related issues over the phone.
  • Ask follow-up questions about the caller’s identity.
  • Utilize protection features in your device.

Frequently Asked Questions

How do vishing emails avoid detection?

Unlike traditional phishing emails, vishing relies on real-time conversations using voice tactics, which makes detection based on automated patterns or malicious links harder.

Is vishing a form of identity theft?

Yes, vishing is a form of identity theft where cybercriminals exploit phone calls to trick victims into sharing personal information and financial details.

How do you report a vishing phone message?

To report a vishing phone message, file a complaint with your country’s authority and block the number from your phone.

Conclusion

Vishing remains a persistent threat in today’s cybersecurity landscape. Whether it’s a call claiming to be from your bank, a warning of suspicious account activity, or an urgent request for personal information, vishing scams continue to catch unsuspecting victims. With the detailed explanation above, you can stay one step ahead of these sneaky scammers.

Remember to verify independently, avoid urgent payments, and be cautious of deepfake voices. If you want to know more, Fluxgate is here to assist with further cybersecurity guidance. Contact Fluxgate for expert advice!