When your phone rings, it’s sometimes hard to know who’ll be at the other end of the line.
During a phone call, a scammer uses tactics to trick you into sharing personal information and financial details, such as account numbers and passwords.
The scammer might say your account has been compromised, claim to represent your bank or law enforcement, or offer to help you install software.
Such voice scams are often referred to as “Vishing”.
How Do These Attacks Work?
The setup for the attack follows a familiar social engineering script:
An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords.
In that sense, vishing techniques mirror the email phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we’re more likely to trust a human voice and the fact that the majority of people will answer their calls.
Here are two examples of a vishing attack:
Example 1: Australian Taxation Office Scam
Example 2: Lost £100,000 to fraudsters
Emma Watson, a British businesswoman who was setting up a children’s nursery, got a phone call from her bank’s fraud team.
They told her that they had stopped some unusual transactions on her account, but because it had been compromised, she had to transfer her money into some other accounts they had set up in her name.
“They were completely professional, it was a clear line, they knew my name, they called me on my landline, they used all the language,” she says.
“They were very reassuring, saying ‘I know this is a distressing time for you and I’m going to help you’.”
In fact, it wasn’t her bank calling at all, but criminals fraudulently posing as her bank’s fraud team.
Emma ended up transferring £100,000 into the fraudsters’ accounts online. Only a fraction of it has so far been traced and returned.
This type of fraud is called “vishing”: criminals persuade victims to hand over personal details or transfer money over the telephone. They have several techniques at their disposal.
Here are other examples of Vishing attacks (non-exhaustive):
Telemarketing Attacks – Offering you a “too good to be true” deal. You won the lottery. You won the new iPhone. You can earn a million dollars from a single investment. The purpose is to agitate you into acting.
Government Impersonation Attacks – Similar calls can come from miscreants impersonating trusted government organisations such as the Police, Medicare, Social Security, and other Government bodies, demanding that you hand over your personal information.
Bank Impersonation Attacks – Similar to the above Government Impersonation attacks, a cybercriminal will impersonate a bank and notify you that your accounts are disabled or that there has been a failure of payments. Again, it’s all about creating urgency for you to act.
Delivery Failure Attacks – Miscreants will leave you a message notifying you that your package failed to be delivered. Another tactic to get you to act.
What Are Cybercriminals After?
Like most cybercriminals, they are out to steal your personal data, which they can then use to steal money, usually yours, but sometimes also your company’s.
Cybercriminals use two methods to steal this data.
They might trick you into downloading malicious software onto your machine.
They might get you to do something quickly, for example, transfer money to another account or make payments.
How To Protect Yourself From Vishing?
Be suspicious of “urgent” phone call requests.
The caller is asking you to confirm your personal information. Never give out such information.
Do not assume that the person on the other end of the call is who they claim to be. Be suspicious of anyone claiming that they are from a Government agency.
If you think it is a legitimate message, then verify. Find another way to check whether the story is true.
Do not respond and do not press buttons!
What is the difference between Vishing, Smishing and Phishing?
Well, they are all pretty much the same. All three use a form of social engineering attack to trick you into acting, but they use different mediums.
Phishing – Targeted email attacks
Smishing – Targeted text (SMS) based attacks
Vishing – Targeted voice-based attacks
At this stage, Phishing is the mother of all attacks. It encompasses around 90% of all cyberattacks.