Social Engineering: What is Vishing?
Vishing is a combination of “voice” and “phishing”. It refers to phishing scams carried out over the phone: individuals are tricked into revealing critical financial or personal information during seemingly trustworthy phone calls. A related form of phishing is smishing, which uses SMS to phish you.
What is vishing?
Vishing is a specific form of Social Engineering, more precisely a phishing attack made over the phone. As with phishing, the victim is urged to share confidential information because of a fake pretext created by the hacker.
Skilled scammers/hackers have everything in place to sound legitimate:
- Right information: they already have your name, address, phone number, and bank details. In fact, all the information you would expect a genuine caller to have.
- Urgency: You are made to believe your money is in danger and that you have to act quickly. Fear often leads people to act without thinking.
- Phone skills: The phone number appears as if it’s coming from somewhere else (i.e., spoofing). So, you pick up the phone already trusting the caller, as the number seems convincing.
- Business atmosphere: You hear a lot of background noise, so it sounds like a call center rather than a guy in a basement. The scammers either do have a call center or are playing sound effects. Everything is done to make it sound legitimate.
Consequently, if the victim falls for the scam and provides personal information, they most often end up becoming a victim of identity theft.
Some vishing examples
Vishing scenario #1
You come home from work and check your voice mail to see if anybody has called. You play your voicemail and hear the following message:
“Hello, this is Eva from ABC Telecommunications Company. I am calling you to confirm the closing of your account. Both internet and landline connectivity to your address will be terminated tomorrow morning, May 6, at 8:00 am. Our records indicate that you have an outstanding balance. Please call our customer support at 00-… to settle the final bill payment.”
This is done to create urgency and push you to grab your phone and call the given number. Obviously you don’t want to lose your internet and landline connectivity, and you want to fix this before anything is cut off. You call the number right away, an automated system answers as ABC Telecommunications Company and offers you a way to avoid the closure of your account. You are asked to enter your social security or National ID number and the credit card number on your account to verify that you are indeed the owner of the account. After you enter both numbers, the line goes dead.
Vishing scenario #2
You’re watching TV in your living room at 8:00 pm, and the phone rings. You check your caller ID and it is your bank. You pick up the phone.
“Hello, this is XYZ bank. In the past hour there have been three unsuccessful attempts to access your account. XYZ bank has locked your account to secure it and protect your private information. We are committed to making sure that your online transactions are secure. Please call our Security department at 1-800-Blah-Blah-Blah.”
You know that you have not made “three unsuccessful attempts to access your account in the past hour”; instead you have been sitting in your living room watching TV. Here again, the purpose is to create panic and push you to call the given number.
So you call the number and give the information requested to authenticate your identity, such as your bank account number, PIN code and National ID number.
Then, the line dies or – even worse – you are transferred to the real XYZ bank, talk to an agent, and find out that you are a victim of a vishing attack.
How and why is it so easy?
Vishing attacks are hard to trace because they mostly use VoIP (Voice over Internet Protocol), which means the call starts and ends on a computer that can be located anywhere in the world.
And how does your telecommunications company or bank show up on your caller ID when the call actually comes from an attacker’s number? They “spoof” it. There are services out there, like Spoofcard, Burner (free mobile app), … that allow you to “spoof” your number so that whoever you’re calling doesn’t know that it’s you. You can display any number you want. This is what allows vishing attacks to look perfectly legitimate on a person’s Caller ID. Spoofing numbers is sometimes legal (fighting spam, privacy, etc.) and sometimes not (online fraud, etc.), depending on regional laws and regulations.
How to spot a Vishing attack?
As we just mentioned, recognizing the phone number is not enough to ensure the validity of the phone call.
What are other ways to spot a vishing attack?
- Unless you’ve requested a phone call with a specific organization, always be cautious when contacted by someone claiming to be part of it, especially if they’re asking for sensitive information.
- Double-check everything. Scammers will use a fake sense of urgency to make you take bad decisions. Even if your bank is calling you to say there’s an issue with your account, take some time to call them back, using the number indicated on their website. You can also contact them by email AND on social media to have different sources.
How to protect yourself from Vishing?
- Never call the number given to you or displayed on your Caller ID (unless it’s a number from a friend, relative, etc.). Take the time to look up the legitimate number (for instance, directly from your bank website) and then call it.
- Never give out any personal information – to anyone! This goes for any type of request for personal information. Just FYI: legitimate companies do not ask for your social security number, national ID number, credit card numbers OR PINs over the phone.
- Hang up if you get a suspicious call. Before calling back the legitimate number of the company, do a bit of research on the internet. Most probably, other victims will already have published information about it.
- Pay attention to what you post online. Just like with other social engineering techniques, hackers can use what they find online about you to make their attack more effective. Avoid posting sensitive information such as your bank name, your exact address, …
If you couldn’t protect yourself from a vishing attack, you can report identity theft at: https://www.identitytheft.gov/
Contact the organization the scammer pretended to be as soon as possible to let them know somebody might access your personal information. They could provide specific advice to protect your account.
Check out this article on how to avoid social engineering schemes.
Use secure services such as an encrypted suite like Mailfence. We support 2FA, which is a great way to harden your account. Follow our Email security and privacy awareness course for more details on how to better protect yourself from today’s emerging cyber-threats. Education is the key to preventing Social Engineering.
And reclaim your privacy today!
– Mailfence Team
Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem