What is Vishing and how does it work
Vishing is a particular type of phishing that uses VoIP (Voice over IP) technology to carry out attacks. Unlike traditional landline telephone services, VoIP technology carries telephone conversations over an Internet connection.
Hackers often use VoIP in their vishing attacks because it allows them to spoof their caller ID with great ease. Posing as an employee of a legitimate entity, such as a bank, the police or a well-known company, hackers try to obtain their victims' personal and financial information.
With the information obtained it is possible to access a bank account and empty it. Furthermore, it is possible to commit fraud, scams and other crimes using the identity of the victim. Identity theft is a crime that has been on the rise in recent years, which is another reason to inform yourself and stay alert.
Vishing: how to recognize the attack
Vishing attacks usually use automatic text-to-speech systems to redirect the victim to a telephone number controlled by the hacker, but this does not exclude the possibility that a hacker could engage in a real conversation with his victim. The information most commonly targeted by vishing attacks is bank account data. However, many times, hackers also try to obtain access credentials to well-known services such as Microsoft, Apple or Google.
Using social engineering, hackers carrying out vishing attacks deceive their victims in order to extort money from them. Generally, scammers attempt to create a sense of urgency or try to alter the emotional state of their victims. The aim is to force the victim to pay quickly, without thinking deeply about what is happening.
Vishing: common attack patterns
Vishing attacks can differ from one another, although they always share common goals. A scammer who uses this type of attack could disguise his caller ID to pose as a person of authority or as someone the victim knows. They may also leave pre-recorded messages containing threats in their victims’ email inboxes. Beyond email, hackers could also exploit SMS to carry out their scams, as in cases of smishing.
Scammers usually approach their victims by posing as people of authority or by exploiting the victim’s personal relationships. Below you will find a list of the most commonly adopted scam schemes.
Most common Vishing attacks
Debt collection agency scam
The scammer pretends to be an official of a debt collection agency. The scammer threatens legal consequences or even arrest if the victim does not pay his debts, even if the victim actually has no debt.
Romance scams
The hacker pretends to be a love interest of the victim, whom he meets on a dating app or site. He or she may sometimes pose as an old flame from the past who urgently needs money for some family or medical reason.
Tech support scam
The scammer poses as a tech support employee and claims there is a serious technical problem on the victim’s computer. The scammer, in this case, uses fear and a sense of urgency to gain remote control of the victim’s computer, then installs malware while passing it off as diagnostic software. Once the scammer has remote control of the computer, they can access files or any personal information stored on it.
There are real companies in Asian countries that live off this type of “business”. Furthermore, there are known creators and white-hat hackers on YouTube who intercept these scammers and try to carry out reverse (social) engineering to trap these criminals. Some of these creators have achieved remarkable results, causing some of these scammer companies to shut down.
Business and investment scams
Scammers pose as financial experts and convince victims to pay sums of money for investments. Scams centered on cryptocurrencies have been spreading a lot lately, driven by the illusion of making a lot of money in a short time.
Charity scams
Scammers pose as members of charities to convince victims to donate to their cause. These fake organizations don’t actually do any charitable work and the money donated goes directly to the scammers. It is very common for them to use photos of children or people suffering from illnesses to appeal to the human sense of compassion.
Insurance scams
Using the information they have on the cars registered to their victims, scammers try to make them seemingly advantageous insurance offers. With this strategy it is possible not only to collect further personal information on the victims, but also to defraud them financially if the victim decides to purchase the policy proposed by the hacker.
How is it possible to defend yourself from vishing
It is often difficult for victims to recognize vishing attempts because it is not unusual for banks and other entities and organizations to request sensitive information by telephone. Vishing attacks are increasingly sophisticated and can include pre-recorded messages and other ways to increase credibility.
We at SOD suggest several ways to detect vishing attempts; below are some strategies to adopt to recognize this type of attack. The best defense against these frauds, as in the case of phishing, is to know how to identify them immediately and not to disclose any personal information by telephone, especially if the request is unexpected.
You should always be careful when using poorly traceable forms of payment such as cash, gift cards and prepaid cards. Additionally, you should pay particular attention to the characteristics of the phone call, such as the tone or accent of the person making the call or the urgency of the call. These can be alarm bells that signal the possible presence of a case of vishing.
To avoid falling victim to vishing, it is advisable to never answer calls from unknown numbers. Another useful tip is to never comply with requests from a suspicious person, such as pressing buttons when asked or answering suspicious questions.
If you are not sure about a number that is calling you, you can always do an internet search and see whether the number belongs to a service you use that may be contacting you about a real problem.
In many countries, social media is used to communicate with the public. Many platforms use verification systems to confirm the authenticity of government and banking profiles and mark verified profiles with badges; you should therefore never trust an entity without these badges.
Conclusions
The types and mechanisms of intrusion are increasingly sophisticated. Phishing, smishing and vishing attempts are now a constant in our lives, continually putting our personal data at risk. As we have seen in many situations, data is the most valuable commodity on the internet, so protecting it must be a priority!
To concretely defend ourselves, the use of professional tools is the only safe path to take. Our SOCaaS service protects against vishing but is also a complete tool that guarantees corporate security, identifying and blocking all kinds of threats.
Additionally, SOD also organizes ethical attack campaigns to test the resilience of a company’s employees. After the attacks, the data collected is used to organize training sessions geared towards the specific characteristics of the company and the resilience shown by employees.
For information on the ethical phishing services we offer or to better understand how SOCaaS could be an ideal solution for your company, do not hesitate to contact us by pressing the button below.
© 2024 Cyberfero s.r.l. All Rights Reserved.