If you thought phone scams were a thing of the past that went the way of landlines, it's time to think again. Vishing (voice phishing) scams are typically carried out through a phone call or series of calls and can be just as convincing and damaging as other social engineering attacks. While all vishing attacks use phone calls, attackers may also use other vectors alongside calls for a multi-stage attack that increases believability.
Detections of multi-stage hybrid vishing attacks increased almost 550% from Q1 2021 to Q1 2022. Attacks that use a phone call to deceive targets have become more prevalent than business email compromise (BEC), making them the second most reported response-based email threat. Like other social engineering attacks, vishing attacks are more sophisticated than ever: attackers often combine several techniques and vectors to increase believability, which raises their rate of success.
Many people mistakenly assume vishing only targets individuals. In reality, attackers use the same approach against businesses, with costly results. To protect yourself and your business, it's important to learn how modern phone scams work, what makes them effective, and how to defend against them.
What is Vishing?
A scam that is carried out over a phone call, or that uses a phone call as one stage of a multi-phase attack, is called vishing. Sometimes called phone scams or voice phishing, these social engineering attacks often depend on a phone conversation to complete a transaction or to "verify" a request that was made through another channel. A vishing scam may begin with a direct call, or with a message (a voicemail, text, or email) that tricks the target into calling a number the attacker controls.
Once attackers have a potential victim on the phone, they are likely to use multiple social engineering methods to convince the target to take action. From excitement to fear, attackers use emotions to get quick responses in the spur of the moment while the victim is on the phone. To achieve this, the attacker may impersonate a bank professional, a government agency (like the IRS), or a friendly brand sponsor announcing you've won a prize.
Vishing scams may be used to extort money, access sensitive data, or impersonate individuals to gain power or benefits. The attack typically begins with a phone call that appears to come from a local caller. The caller may leave an urgent voice message, hang up after a single ring, or relay an urgent message when the target answers the call. In some cases, a vishing call follows a related email. Once an attacker has a potential victim engaged in conversation, they'll attempt to convince the target to share sensitive information to claim a prize or resolve a supposed problem. Alternatively, some vishing scams convince the victim to spend money in the form of a payment or deposit. Attackers are likely to show a sense of urgency and try to convince you to act quickly.
A vishing scam is designed to get you to take action while you're on the phone. The technique limits the amount of time you have to make an informed decision and is often effective in convincing victims to take actions they usually wouldn't.
How to Spot a Vishing Attack
All too often, vishing is dismissed as a scam that is easy to detect or that won't affect businesses. In reality, modern vishing scams use deceptive techniques and pressure to convince targets to take immediate action, and a live caller can seem more sincere than an attacker who relies on digital vectors alone. While vishing attacks are well organized and easy to overlook, there are certain features that can help you recognize them and avoid becoming a victim.
Warning Signs of a Vishing Attack
Vishing scams attempt to force victims to make decisions under pressure. By learning the warning signs of these calls, you can recognize them before you get sucked in. Watch for these red flags when you receive an unsolicited phone call.
- An unsolicited call from an official source: Vishers often pretend to be calling from a government agency, financial institution, or law enforcement agency. Government agencies like the IRS typically initiate contact through postal mail, not with an unexpected phone call. Similarly, bank officials won't use pressuring language to get you to react. Keep in mind that the number displayed on your phone can be spoofed, so a caller ID that matches the agency or bank proves nothing about who is calling.
- A caller asks for sensitive information: A legitimate caller should not ask you for personal information like your Social Security number, full account numbers, passwords, or one-time passcodes. If you think the request might be legitimate, hang up and contact the organization directly using a number you look up yourself.
- A robocall is used to deliver emergency information: An urgent situation with your bank account shouldn't be delivered in an automated message. This is the same for all legitimate businesses.
- The caller hangs up after a single ring: This "one-ring" technique (sometimes called Wangiri) is designed to get potential victims to call back, often to a premium-rate or international number that bills the victim for the return call. It also narrows the scammer's pool to the people most likely to engage in a conversation.
- An offer that's too good to be true: Prize-winner attacks come in many forms. The fact that it's delivered over the phone doesn't make it more likely to be legitimate.
- The contact number doesn't match: Some vishing scams begin with a text message that includes a phone number to call for more information. The message often arrives from a short code (the 5- or 6-digit sender numbers that carriers and marketers use for bulk SMS) rather than a full phone number, and the call-back number it gives does not match the organization's published contact number. Look the number up yourself rather than calling the one in the message.
Common Tactics Used in Vishing Attacks
Attackers use a variety of techniques to deceive victims and evade detection. While you may be aware of some common scams like a caller pretending to be your bank or credit card company, there are many vishing scams out there and new ones are evolving all the time. By learning the techniques these attackers use to deceive victims, you are less likely to become the victim of a vishing scam. These are some of the tactics commonly used by vishers.
- VoIP and caller ID spoofing: Voice over Internet Protocol (VoIP) services let a caller place calls over the internet and choose the number that is displayed to the recipient. Attackers use this to appear as a local caller, or to present the real number of a bank, a government agency, or even one of your own company's internal extensions. A displayed number is therefore not evidence of who is actually calling.
- Urgent voicemails: An urgent voicemail left by an attacker may suggest your bank account has been compromised, you owe money to the IRS, your company network has been compromised, etc. When you call the number from the message, an attacker will be waiting to take your personal information like bank account details or login credentials.
- Information theft before the attack: High-level attacks take considerable planning which might include mining for information to create a false sense of familiarity. These attacks can be particularly hard to detect since the attacker will have information that seems personal.
- An attack that begins with an email: To appear more convincing, an attacker may use multiple vectors of attack. Instead of leaving an urgent voicemail, an attacker sends an email, then follows it up with a phone call. While this tactic may seem like a convincing verification, don't fall for it. Attackers can often find multiple contact points through public information or stolen data.
- VPN campaigns: Attackers first build profiles of employees from public sources and earlier social engineering, then, masquerading as IT staff, call targets and instruct them to sign in to a "new" VPN page that the attacker controls. The fake page captures the user's credentials (and any one-time code entered on it), which the attacker then uses to access the organization's network.
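Several of the tactics above leave traces in a phone system's call detail records (CDRs). The following is an added example, not code from the original article or from BitLyft: a small detector that scans CDRs for an internal caller ID arriving over an external trunk (caller ID spoofing), the one-ring call-back bait, and one caller ID mass-dialling many extensions (automated dialling). The CDR field layout, the trunk names, and the organization's number range are assumptions made for the example, and the sample records are constructed.

```python
"""Added example (not from the original article): flag three vishing
patterns in constructed call detail records. Field names, trunk names
and the internal number range are assumptions for the example."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs with an assumed field layout.
SAMPLE_CDRS = """timestamp,direction,trunk,caller,callee,ring_seconds,talk_seconds
2022-03-01T09:00:05,inbound,sip-external,+15551230107,+15551230100,6,45
2022-03-01T09:02:11,inbound,sip-external,+13125550123,+15551230100,5,120
2022-03-01T09:05:30,inbound,sip-external,+37255512345,+15551230100,1,0
2022-03-01T09:07:45,outbound,sip-external,+15551230100,+37255512345,4,300
2022-03-01T09:10:00,inbound,pri-internal,+15551230150,+15551230100,3,30
2022-03-01T09:12:00,inbound,sip-external,+12125550199,+15551230101,7,0
2022-03-01T09:15:00,inbound,sip-external,+37255512346,+15551230102,1,0
2022-03-01T09:20:00,inbound,sip-external,+18005550100,+15551230103,3,0
2022-03-01T09:20:10,inbound,sip-external,+18005550100,+15551230104,3,0
2022-03-01T09:20:20,inbound,sip-external,+18005550100,+15551230105,3,12
"""

# Assumed: the organization owns +1 555 123 01xx, and genuine internal
# calls only ever arrive on the "pri-internal" trunk.
INTERNAL_PREFIX = "+155512301"
INTERNAL_TRUNKS = {"pri-internal"}


def parse_cdrs(text):
    """Parse the CSV export into dicts with a typed timestamp and durations."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["ring_seconds"] = int(row["ring_seconds"])
        row["talk_seconds"] = int(row["talk_seconds"])
        rows.append(row)
    return rows


def find_spoofed_internal(cdrs):
    """Inbound calls that present one of our own numbers but arrive on a
    trunk that never carries genuine internal traffic: the caller ID was
    chosen by the caller, not assigned by the carrier."""
    return [(r["timestamp"], r["caller"], r["callee"], r["trunk"])
            for r in cdrs
            if r["direction"] == "inbound"
            and r["caller"].startswith(INTERNAL_PREFIX)
            and r["trunk"] not in INTERNAL_TRUNKS]


def find_one_ring_callbacks(cdrs, max_ring_seconds=2, window_minutes=30):
    """One-ring bait: an inbound call that rings briefly and is never
    answered, followed within the window by an outbound call from the
    targeted extension back to the baiting number. Returns tuples of
    (bait_number, extension, seconds_until_callback, callback_talk_seconds)."""
    hits = []
    for bait in cdrs:
        if not (bait["direction"] == "inbound" and bait["talk_seconds"] == 0
                and bait["ring_seconds"] <= max_ring_seconds):
            continue
        for r in cdrs:
            if (r["direction"] == "outbound" and r["caller"] == bait["callee"]
                    and r["callee"] == bait["caller"]):
                delta = (r["timestamp"] - bait["timestamp"]).total_seconds()
                if 0 <= delta <= window_minutes * 60:
                    hits.append((bait["caller"], bait["callee"], int(delta),
                                 r["talk_seconds"]))
    return hits


def find_robocall_bursts(cdrs, min_targets=3, window_seconds=60):
    """One external caller ID ringing several different extensions inside a
    short window: the mass automated-dialling pattern worth blocking
    upstream. Returns tuples of (caller, distinct_targets, window_start)."""
    by_caller = defaultdict(list)
    for r in cdrs:
        if r["direction"] == "inbound":
            by_caller[r["caller"]].append(r)
    hits = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["timestamp"])
        for i, first in enumerate(calls):
            targets = {c["callee"] for c in calls[i:]
                       if (c["timestamp"] - first["timestamp"]).total_seconds()
                       <= window_seconds}
            if len(targets) >= min_targets:
                hits.append((caller, len(targets), first["timestamp"]))
                break
    return hits


def analyse(text=SAMPLE_CDRS):
    """Run all three detectors over a CDR export and return the findings."""
    cdrs = parse_cdrs(text)
    return {"spoofed_internal": find_spoofed_internal(cdrs),
            "one_ring_callbacks": find_one_ring_callbacks(cdrs),
            "robocall_bursts": find_robocall_bursts(cdrs)}


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample data the first detector flags the call claiming to be extension 0107 that arrived on the external SIP trunk, the second flags extension 0100 returning a one-ring call from +372 555 12345 after 135 seconds and staying on the line for five minutes, and the third flags +1 800 555 0100 ringing three different extensions in twenty seconds. The thresholds (two seconds of ringing, a thirty-minute call-back window, three targets in a minute) are starting points to tune against your own call volume.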
Tips for Responding to a Call
Vishing attacks depend on real-time communication to convince victims to take action quickly. This is why it's important to avoid reacting immediately to a suspicious call or voicemail. If you receive an unsolicited call with an urgent message or unusual request, take these steps to avoid becoming the victim of a vishing attack.
- Don't respond immediately to voicemails. If you think the call is legitimate, contact the company directly instead of using the number provided in the message.
- Delay action. If a caller is seeking sensitive information, payment, or funds transfer, hang up. If an issue really needs to be resolved, you can find another contact method and take care of the situation in a timely manner.
- Never provide sensitive information over the phone to an unsolicited caller. Every legitimate business will have another way for you to make contact and take care of business transactions.
How to Avoid a Vishing Attack
Vishing scams prey on targets most likely to engage in a phone conversation. Avoiding these calls completely is the best way to prevent falling victim to a convincing attack. Unfortunately, vishing communications may not always be easy to recognize. Take these steps to avoid vishing scams.
- Use caller ID, but don't trust it blindly. Your phone shows you the number that is calling. If the call isn't from a known contact, let it go to voicemail. Remember that caller ID can be spoofed, so even a familiar number is not proof of who is on the line.
- Don't answer a call from an unknown number. Let all unknown calls go to voicemail. Often, a scammer will immediately call back if you don't answer. Don't fall for this trick. A legitimate caller will leave a message regarding important issues. Note that scammers often leave pre-recorded messages as well. Make sure to properly vet the message to make sure the call is from a valid source.
- Never give personal information over the phone. Banks and government institutions should never ask for your personal information in a call they place to you. While banks do contact account holders when they believe fraudulent activity is occurring, they will typically only provide an alert; they won't ask for account details, passwords, or one-time codes in that call. If you're asked for personal information, tell the caller you'll provide it in a return call, and don't use any call-back number provided during the call.
- Always take the time to verify a caller's identity. If you receive a call from your bank or another business or organization, verify the caller's identity before taking any action. Explain to the caller that you will resolve the issue in a return call. Find official contact information for the organization and follow up to ensure any unsolicited call is legitimate.
- Report suspicious calls to the appropriate authorities. Local law enforcement agencies and federal organizations like the Federal Trade Commission work to eliminate scams. By reporting suspicious calls, you can provide new information to help protect other potential victims of these attacks.
Tips for Businesses
- Update employee awareness programs. Awareness is your business's best defense against any type of social engineering attack. Update employee education and awareness with simulations that help employees spot vishing.
- Use tools to block automated calls. Block attacks before they reach their target with tools designed to block robocalls. Many attackers use automated calling to contact many potential victims at once. Blocking these efforts can weed out some attacks.
- Adopt multi-factor authentication. By requiring a second factor, you prevent attackers from accessing sensitive data with a single set of stolen login credentials. Be aware that vishers also talk victims into reading out one-time codes or approving push prompts while still on the call, so prefer phishing-resistant factors such as hardware security keys (FIDO2/WebAuthn) for access to critical systems.
- Invest in a layered cybersecurity solution. Cybersecurity tools that identify attacks at every stage across your network are the best way to catch stealthy attacks. A layered solution like XDR provides a variety of protective measures to identify and halt suspicious behavior if an employee falls victim to a convincing attack.
Take Caution to Protect your Personal and Business Assets from Vishing Attacks
While some phone scams are easily detected automated messages that are obviously fraudulent, many are convincing calls from sophisticated criminals prepared to convince victims to give up their hard-earned money. Personal phone numbers and even internal business lines are not completely private. From data leaks to public information, there are a variety of ways hackers can gain access to phone numbers and other personal information. Vishing is on the rise, and any call or message you receive could come from a scammer.
Learning about vishing attacks and how to identify and avoid them is the first step to evading such an attack. Sharing information is also key. Share this information with your friends and family to help spread awareness of this growing crime. By spreading information about the common forms of vishing attacks, you can help protect the victims most likely to be targeted by these attacks.
Vishing attacks can have particularly devastating consequences when launched against a business. These attacks are commonly used to steal login credentials, account numbers, and proprietary data. They can also lay the groundwork for other attacks such as data theft, ransomware delivery, fraud, or cyber extortion. If you're concerned about your vulnerability to vishing attacks, we can help. Contact the experts at BitLyft to learn more.