What Is Vishing? Definition, Methods, and Prevention Best Practices for 2022

essidsolutions

Vishing is a cybersecurity attack where a malicious entity contacts the victim over the phone and tries to gain their trust through social engineering practices to elicit confidential data, extract funds, or harm the individual in any other way. This article explains the meaning of voice-based phishing or vishing, common methods, and helpful prevention tactics. 

What Is Vishing?

Vishing is defined as a cybersecurity attack where a malicious entity contacts the victim over the phone and tries to gain their trust through social engineering practices to elicit confidential data, extract funds, or harm the individual in any other way. 

It is essentially a type of phishing attack conducted via voice mediums – which is why it is called a vishing attack. 

Vishing Attack Mechanism

Vishing frequently takes the form of an urgent or alarming phone call. For instance, the caller might claim that the victim’s account has been hacked and that they need the victim’s PIN to verify their identity or reopen the account. They may also claim to be calling on behalf of a government body, such as the Internal Revenue Service (IRS) or the Social Security Administration. They may even insist that the victim owes money or has won a contest. 

All of these are instances of vishing (as noted, a term that blends “voice” and “phishing” to describe phone-based fraud). Phishing describes any attempt by cybercriminals to deceive people into giving up money, personal details, or secret information, and its classic channel is email. The same fraud carried out over SMS or other text-messaging systems is called “smishing.”

Vishing is a cybercrime in which criminals call their victims to extract information that is damaging to the individual or useful to the perpetrator. Cyber fraudsters use sophisticated social engineering techniques to convince victims to hand over personal data and even access to bank accounts or trade secrets. Like smishing and phishing, vishing focuses on persuading victims that complying with the caller’s demands is the appropriate response. Callers often impersonate government authorities, the tax office, the victim’s financial institution, or the police.

The success of this tactic hinges on effective social engineering – i.e., exploiting one’s psychology to create a convincing effect. Vishing perpetrators employ either threats or positive persuasion to make victims feel that they have to supply the requested information. Victims may also be targeted through threatening voicemails, telling the receiver that they are at risk of being prosecuted or having their bank accounts frozen if they do not call back right away.

See More: What Is Phishing? Definition, Types, and Prevention Best Practices

How does vishing work?

Vishing attackers often use caller ID spoofing to make a call appear to come from a reputable business or from a local area code. They pose as trustworthy entities to trick victims into sharing their details. For example, they could appear as a bank or credit card company representative, a creditor, or an IRS agent. These scammers generate a feeling of urgency as soon as the intended victim answers, to take advantage of their emotions and compel them to comply with the demands. 

Vishing can be of different types, but the goal is always the same – to deceive the victim and make them reveal personal information, whether it be for monetary benefit or to commit other crimes such as identity theft. 

Despite advancements in digital technology, phone-based vishing attacks are still used by criminals since they know that speaking swiftly and convincingly can catch many individuals off guard. Though some of these ploys are obvious, others are clever enough to confuse even the most vigilant individuals, mainly when the caller implies that immediate action is required.

One of the reasons these attacks can be persuasive is that fraudsters may use personal information obtained from other sources (earlier breaches, social media, discarded paperwork) to make the vishing attempt appear legitimate. They also spoof the phone numbers of well-known businesses so that the number shown on the incoming call looks genuine. They may even imitate contact center workers to earn your trust and talk their way past security procedures.

See More: What Is a Spear Phishing Attack? Definition, Process, and Prevention Best Practices

Types of Vishing

Perhaps the most important rule to remember is that one should never reveal personal or business information to an inbound caller whose identity has not been verified through a channel you control, such as calling back on a published number. One should also be aware of the different types of vishing attacks that cybercriminals typically employ. 


1. Wardialing

Wardialing originally referred to using a modem and dialing software to call a large block of phone numbers in quick succession, usually to discover modems and other unsecured dial-in endpoints in an organization’s IT infrastructure; the tools are sometimes known as “wardialers” or “demon dialers.” Pinning down the list of numbers that answer with a modem takes very little time. 

In vishing, the same auto-dialing approach is pointed at people rather than modems. A dialer calls every number in a range (often an entire area code) and plays a recorded message, for example warning of a frozen bank account or an unpaid tax bill, and asks the recipient to press a key or call a number back. Only the recipients who respond are routed to a live operator, so the attacker spends effort only on people who have already shown they are susceptible. Any personally identifiable information (PII) gathered in those conversations is then used for fraud or sold on. 

2. VoIP-based attacks

The transfer of voice and multimedia content via an internet connection is known as voice over internet protocol (VoIP). Users can make voice calls using VoIP via their computers, smartphones, other digital platforms like VoIP phones, and web real-time communication (WebRTC) enabled sites. VoIP is a technology that is beneficial to both individuals and businesses since it often contains additional capabilities not seen on traditional phone systems. It is also helpful to companies as a means of unifying communications.

Unfortunately, VoIP is also exploited to initiate vishing attacks. Because a VoIP service can be set up in minutes and lets the caller choose the number shown on the caller ID display, an attacker can phone employees from a number that appears to belong to their own company’s help desk. In the campaigns that prompted an FBI notice in January 2021, the attackers combined such calls with a registered look-alike domain hosting a copy of the organization’s network login page: the caller talked the employee into “verifying” their account on that page, capturing the credentials. Where the real login requires multi-factor authentication, the caller simply asks the victim to read out the one-time code that arrives during the call, which is enough to complete a live login. The notice warned employees specifically about VoIP-based vishing aimed at network credentials.  

3. Caller ID spoofing

Spoofing occurs when a caller deliberately falsifies the information sent to your incoming call display to conceal their identity. Caller ID is not authenticated by the phone network; it is simply a value the originating system sends, so an incoming number proves nothing on its own. Fraudsters frequently use the “neighbor spoofing” technique to make a call appear to come from a local number, or they spoof a corporation or government institution that the victim already trusts. If one answers such a call, the attacker attempts to steal funds or sensitive data that can be used in further fraud. Scam scripts are a significant part of caller ID spoofing attacks, as they reinforce the belief that the caller is legitimate. Carriers in some regions now attach an attestation to calls (STIR/SHAKEN in North America) indicating whether the originating carrier vouched for the number, but a “verified” label is only as good as the carrier that issued it and says nothing about the caller’s intent. 
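To make the point concrete, here is an added example (not code from the original article) showing what a PBX or session border controller can and cannot check about an incoming caller ID. It parses a constructed SIP INVITE, compares the number in the From header with the numbers the authenticated trunk is allowed to present (the trunk names and the ALLOWED_NUMBERS table are assumptions), checks whether a STIR/SHAKEN Identity header is present at all, and flags the neighbor-spoofing pattern of a caller ID that shares the called number’s area code and exchange.

```python
"""Checks a PBX can run on an inbound SIP INVITE before trusting its caller ID.

Added example; not from the original article.  Trunk names, the allowlist and
the three INVITE messages below are constructed for illustration.
"""
import re

# Assumption: numbers each authenticated SIP trunk is entitled to present.
ALLOWED_NUMBERS = {
    "trunk-east": {"+14155550100", "+14155550101"},
}

# Constructed INVITE: From claims a bank's toll-free number over a trunk
# that is not entitled to present it, and there is no Identity header.
SPOOFED_INVITE = (
    "INVITE sip:+12125550199@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.23:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"First Example Bank\" <sip:+18005550123@carrier.example.net>;tag=1928301774\r\n"
    "To: <sip:+12125550199@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.23\r\n"
    "CSeq: 314159 INVITE\r\n\r\n"
)

# Constructed INVITE: neighbor spoofing, caller ID mimics the callee's prefix.
NEIGHBOR_INVITE = (
    "INVITE sip:+12125550199@pbx.example.com SIP/2.0\r\n"
    "From: <sip:+12125550142@carrier.example.net>;tag=77aa\r\n"
    "To: <sip:+12125550199@pbx.example.com>\r\n"
    "Call-ID: 91fd2e@198.51.100.23\r\n\r\n"
)

# Constructed INVITE: number registered to the trunk, with an Identity header
# (placeholder PASSporT; a real deployment verifies its signature as well).
LEGIT_INVITE = (
    "INVITE sip:+12125550199@pbx.example.com SIP/2.0\r\n"
    "From: \"Example Corp Helpdesk\" <sip:+14155550100@carrier.example.net>;tag=4f2c\r\n"
    "To: <sip:+12125550199@pbx.example.com>\r\n"
    "Identity: <constructed-PASSporT>;info=<https://cert.example.net/cert.pem>;alg=ES256;ppt=shaken\r\n"
    "Call-ID: 0b77c1@203.0.113.9\r\n\r\n"
)

FROM_RE = re.compile(r'^From:\s*(?:"([^"]*)"\s*)?<sip:(\+?\d+)@', re.MULTILINE)
REQUEST_RE = re.compile(r'^INVITE\s+sip:(\+?\d+)@')
IDENTITY_RE = re.compile(r'^Identity:', re.MULTILINE)


def parse_from(invite):
    """Return (display name, number) from the From header; both are chosen by the caller."""
    m = FROM_RE.search(invite)
    return (m.group(1), m.group(2)) if m else (None, None)


def called_number(invite):
    """The number being dialled, taken from the request line."""
    m = REQUEST_RE.match(invite)
    return m.group(1) if m else None


def has_identity_header(invite):
    """Presence of a STIR/SHAKEN Identity header (RFC 8224).  Presence alone is
    not verification: the signature and attestation level must also be checked."""
    return IDENTITY_RE.search(invite) is not None


def looks_like_neighbor_spoof(caller, callee, prefix_len=8):
    """Neighbor spoofing: for NANP numbers, '+1' + area code + exchange is 8 characters."""
    if not caller or not callee or caller == callee:
        return False
    return caller[:prefix_len] == callee[:prefix_len]


def assess_invite(trunk, invite):
    """Return the reasons not to trust this caller ID (an empty list means no finding)."""
    findings = []
    _name, number = parse_from(invite)
    if number not in ALLOWED_NUMBERS.get(trunk, set()):
        findings.append(f"caller ID {number} is not registered to {trunk}")
    if not has_identity_header(invite):
        findings.append("no Identity header: caller ID is unattested by any carrier")
    if looks_like_neighbor_spoof(number, called_number(invite)):
        findings.append("caller ID shares the called number's prefix (neighbor spoofing)")
    return findings


if __name__ == "__main__":
    for label, msg in [("spoofed", SPOOFED_INVITE), ("neighbor", NEIGHBOR_INVITE), ("legit", LEGIT_INVITE)]:
        print(label, parse_from(msg), assess_invite("trunk-east", msg) or "ok")
```

The display name and number in the From header are whatever the originating system put there, which is the whole point: the only checks that mean anything are those tied to something the caller cannot choose, such as which authenticated trunk the message arrived on or a carrier-signed attestation.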

4. Dumpster diving

Digging through dumpsters – both physical and digital – belonging to banks, office buildings, and other institutions is an easy and popular means of gathering contact details and background on prospective vishing victims. Criminals may collect enough from poorly shredded documents, discarded storage devices, old calendars, photocopies, etc., to carry out a focused, targeted vishing attack on the subject. The information recovered feeds the social engineering that is essential to the success of any phishing attack. 

Aside from the four basic vishing strategies discussed above, another variation uses pop-up windows on PC screens that warn the user of a nonexistent technical problem. The user is told to call “Microsoft Support” or an equivalent and is given a phone number to do so. This puts them in touch with the threat actor, who then works through a mix of automated and live voice responses to carry out the vishing attack.

See More: What Is a Phishing Email Attack? Definition, Identification, and Prevention Best Practices

Common Vishing Methods

Now that we have discussed the key types of vishing, let us look at some of the common methods employed by such attackers. 


1. The bank impersonation method

Vishing via bank impersonation is the imitation of a bank, insurance provider, or credit union in order to obtain money, account access, or other assets from the institution’s customers, or to collect the personal data needed to do so later. 

This is a common method because customers trust their banking providers and have long-standing relationships with them, which makes them willing to share confidential information. Even if one does not give out card details and PINs, the victim may share other information such as employment data, which is just as useful to a fraudster. That is why banks state that they will never ask for a full PIN or password on a call, and recommend that customers handle anything sensitive through their apps or websites, or by calling back on the number printed on their card. 

2. Vishing masquerading as tech support 

A technical assistance scam, also known as a tech support scam, is a sort of vishing attack in which a con artist claims to provide legitimate technical services and solutions. The user is asked to contact fraudsters through various methods, such as bogus pop-ups that appear to be problem alerts or phony helplines offered on scam sites. 

Technical assistance fraudsters utilize social engineering and a range of confidence-building methods to convince their victims that their machine, system, or mobile device has issues, such as a virus infestation when there is none. The attacker will then persuade the victim to spend money to address the imaginary “issues” they claim to have discovered. In some cases, attackers mimic a company’s IT department to obtain access to information that will allow them to break into corporate systems. 

3. Vishing in the form of unsolicited investment and loan offers

Scammers frequently call their victims and offer appealing solutions, such as instant debt relief or get-rich-quick schemes. These deals usually demand prompt action in exchange for a fee. Unsolicited offers are best avoided even when they appear to come from a reputable lender or investor, as are offers that sound too good to be true. This vishing method taps into a person’s natural desire to improve their financial wellbeing and may exploit information obtained from dumpster diving to make the attack seem more credible. For example, receipts discarded next to an ATM can help attackers write realistic scripts that refer to a person’s actual financial situation. 

4. Social security and Medicare vishing attacks

Scammers frequently pose as Medicare or the Social Security Administration (SSA) officials, as these are essential services applicable to a vast audience. Impersonating a business makes the scam relevant only to a small group of customers, while Medicare or SSA is relevant for all. The caller may attempt to extract personal information like Medicare details or social security numbers under the threat of suspending or terminating benefits. 

5. Telemarketing vishing attacks

An attack that involves threat actors impersonating businesses, salespeople, or marketers is referred to as telemarketing fraud. The caller tries to lure victims with attractive products, discounts, contests, and exclusive offers, which are usually timebound. This is generally performed using one of two ways: offering products or services in return for money and failing to deliver, or greatly exaggerating the goods or services supplied.

6. Calls from a government representative

Scammers frequently pose as government officials to get the call recipient to send money or provide personal details. They may promise deductions or other benefits if you pre-pay tax or additional charges, or they may threaten you with imprisonment or legal action if you do not pay a fictitious bill. The call may seem to come from the Inland Revenue Department, a fictitious FBI agent, or even someone impersonating the local prosecutor’s office. 

See More: DNS Spoofing: What It Is and How to Fight Back  

Preventing Vishing Attacks: Top Eight Best Practices for 2022

Once a person falls prey to a vishing attack, it is difficult to reverse its effects and recover the losses. Even if law enforcement identifies the culprit, getting the money back is challenging. That is why it is crucial to take proactive measures to prevent vishing attacks by following these best practices: 


1. Leverage a VPN connection

A virtual private network (VPN) encrypts your traffic and sends it through a secure tunnel to a VPN server, so the websites and services you use see the VPN server’s IP address rather than your own. That limits what an attacker can learn about your location and network from your online activity, and so gives them less material for a convincing pretext. Be clear about what it does not do: a VPN has no effect on the phone network, so it neither hides your phone number nor stops a vishing call from reaching you. Treat it as a general privacy measure rather than a vishing control, and never rely on where a caller claims to be located as evidence that the call is legitimate. 

2. Sign up for the “Do Not Call” registry

This is a simple way to cut down on unsolicited calls. The National Do Not Call Registry in the U.S. (or its equivalent in your region) makes it illegal for legitimate telemarketers to call a registered number, so you do not have to fend them off one at a time. Note that the registry does not block anything: it is a legal restriction, not a technical filter. 

Two gaps remain. Companies you already do business with may still call, so a fraudster impersonating such a company is not ruled out, and scammers ignore the registry entirely. Its real value is that once legitimate telemarketing stops, any remaining sales or “account” call is far more likely to be a scam and should be treated as one. 

3. Keep an eye out for “urgent” calls 

When a caller creates a feeling of urgency, it should be considered a red flag. For example, vishing perpetrators may try to convince the victim that there will be negative consequences if they do not hand over banking details or pay an outstanding bill immediately. Another common ruse is a caller claiming that one’s computer is infected with a virus or is infecting other machines on the corporate network.

One can either hang up, or take the caller’s name and stated organization and say you will call back on the organization’s published number. If it is a fraud, the caller will typically apply more pressure or hang up.

4. Check the time of day when the call occurs 

Scammers typically imitate a company familiar to the victim, but they may operate out of a different time zone or may not know the company’s working hours. Most organizations call customers during their own business hours, so a call at an odd hour from a company you deal with deserves a second look.

This is not a hard rule: a bank’s fraud department, for instance, will call at any hour about a suspicious transaction, so a late call by itself proves nothing. Time of day is one more signal, to be weighed together with the others. Something much closer to a hard rule: in an unexpected phone call, neither an outside organization nor your own company’s IT team will ask for remote access to your computer, your password, or a one-time code.

5. Make use of robocall blocking tools 

Robocall blocking tools, often called call filters, detect and block automated calls, typically by checking the calling number against carrier spam-scoring and reputation databases. They catch much of the auto-dialed (wardialing-style) traffic, although not a call placed from a freshly spoofed or newly provisioned number. Several telecom carriers offer them as part of their service; for example, Verizon’s Call Filter Plus (listed at $8 per month when this article was written) blocks spam and high-risk calls. Choose the tool carefully: a call filter sees every number that calls you and may collect that data, so use one from your carrier or another reputable provider rather than an unknown app from an app store.  

6. As a rule, do not respond to unfamiliar phone numbers

Fraudsters do not rely on a single number to reach their victims, so blocking numbers one by one is of limited use. If they dial from several different VoIP services and attempt to grab credentials, one has to be vigilant at all times. The simplest approach is not to answer unknown numbers in the first place.

Let unfamiliar numbers go to voicemail; a legitimate caller will leave a message with a way to reach them. When a caller claims to represent an organization you deal with, do not verify them through any channel they supply, including a number they read out or a text they send. Hang up and call back on the number printed on your card or statement, or on the organization’s official website. 

Further, IT professionals should regularly scrutinize their company’s VoIP apps for unauthorized or unexpected access and activity. Authenticated user access logs should be checked and audited, and call logs should be monitored for unusual (e.g., after-hours) interactions. 
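The wardialing pattern described under Types of Vishing and the call-log review this practice recommends can both be checked by the same script. The following is an added example, not code from the original article: it parses a constructed call detail record (CDR) export in an assumed timestamp,src,dst,duration format, flags sources that sweep many numbers with very short calls inside a short window (the auto-dialer signature), and lists after-hours calls to a watched help-desk extension.

```python
"""Flag auto-dialer bursts and after-hours calls in a call log.

Added example; not from the original article.  The CDR format
(timestamp,src,dst,duration_seconds) and every line below are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed call detail records.  +15555550111 is an auto-dialer sweeping
# consecutive numbers with very short calls; +15555550199 calls the help desk
# extension late at night; +14155550100 is an ordinary daytime call.
CDR_LINES = """\
2022-03-14T09:00:01,+15555550111,+12125550100,4
2022-03-14T09:00:07,+15555550111,+12125550101,3
2022-03-14T09:00:13,+15555550111,+12125550102,5
2022-03-14T09:00:19,+15555550111,+12125550103,2
2022-03-14T09:00:25,+15555550111,+12125550104,4
2022-03-14T09:00:31,+15555550111,+12125550105,3
2022-03-14T10:15:40,+14155550100,+12125550120,240
2022-03-14T22:40:00,+15555550199,+12125550150,35
"""

HELP_DESK = {"+12125550150"}  # assumption: extensions worth watching after hours


def parse_cdr(text):
    """Parse 'timestamp,src,dst,duration' lines into (datetime, src, dst, int) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dur = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(dur)))
    return records


def find_dialer_bursts(records, min_targets=5, window_s=120, max_avg_duration=10):
    """Sources that reach many distinct numbers inside a short window with very
    short calls.  Also counts how many targets are consecutive numbers, the
    signature of a dialer sweeping a range.  Keeps the largest window per source."""
    by_src = defaultdict(list)
    for ts, src, dst, dur in records:
        by_src[src].append((ts, dst, dur))
    flagged = {}
    for src, calls in by_src.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (calls[end][0] - calls[start][0]).total_seconds() > window_s:
                start += 1
            window = calls[start:end + 1]
            targets = sorted({c[1] for c in window})
            avg = sum(c[2] for c in window) / len(window)
            if len(targets) >= min_targets and avg <= max_avg_duration:
                nums = [int(t.lstrip("+")) for t in targets]
                consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
                best = flagged.get(src)
                if best is None or len(targets) > best["targets"]:
                    flagged[src] = {"targets": len(targets),
                                    "consecutive": consecutive,
                                    "avg_duration": avg}
    return flagged


def find_after_hours_calls(records, watched, office_open=time(8), office_close=time(18)):
    """Calls to watched extensions outside office hours or on a weekend."""
    hits = []
    for ts, src, dst, _dur in records:
        if dst not in watched:
            continue
        weekend = ts.weekday() >= 5
        if weekend or not (office_open <= ts.time() < office_close):
            hits.append((ts.isoformat(), src, dst))
    return hits


if __name__ == "__main__":
    recs = parse_cdr(CDR_LINES)
    print("dialer bursts:", find_dialer_bursts(recs))
    print("after-hours help desk calls:", find_after_hours_calls(recs, HELP_DESK))
```

The thresholds are deliberately conservative starting points; tune them against a week of your own CDRs before alerting on them, and treat a high "consecutive" count as the strongest of the three signals, since ordinary callers do not dial numbers in numeric order.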

7. Offer and undergo anti-social engineering training 

Education and awareness are often the best protection against social engineering attacks. One can proactively read about vishing incidents and learn from other people’s experiences: how the scammers approached them, what was lost, and how they reacted. Knowing the common scripts makes it far easier to recognize one while it is in progress. 

Organizations, too, should offer training as part of their internal cybersecurity awareness campaign. Users should be aware of the psychological vulnerabilities an attacker would target and avoid engaging in such conversations. Companies can simulate vishing calls in a safe environment to train employees on the most suitable reaction and response. 

8. Enforce a zero-trust policy 

Zero trust is not only a technical measure that enforces least-privilege access to company data and systems. The same principle, verify before trusting, should drive an organizational culture in which teams and individuals authenticate a person’s identity before sharing information with them, over the phone as much as over the network. To achieve this, organizations can write zero trust policy documents and manuals that cover telephone conversations, for example requiring that the help desk reset credentials only after calling the employee back on their registered number. 
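What that policy looks like in practice is an out-of-band callback check. The following is an added example, not code from the original article or any vendor: a minimal help-desk verifier in which the inbound caller ID is ignored, a one-time code is delivered to the number on record for the claimed user, and the caller must read it back before anything sensitive happens. The employee directory, phone numbers and scenarios are constructed assumptions.

```python
"""Out-of-band callback verification for a help desk: the telephone form of
'verify before trusting'.

Added example; not from the original article.  The employee directory, phone
numbers and help-desk workflow are constructed assumptions.
"""
import hmac
import secrets
import time


class CallbackVerifier:
    """Protocol:
    1. A caller claims to be `user` and asks for something sensitive.
    2. The help desk does NOT trust the inbound caller ID; it sends a one-time
       code to the number on record for `user` (or calls that number back).
    3. The caller reads the code back.  Only the person holding the registered
       phone can do so.  Codes expire, are single use and allow few attempts.
    """

    def __init__(self, directory, ttl_s=300, max_attempts=3, now=time.time):
        self.directory = directory      # assumption: user -> registered number, from HR/IdP
        self.ttl_s = ttl_s
        self.max_attempts = max_attempts
        self.now = now                  # injectable clock so expiry can be tested
        self.pending = {}               # user -> live challenge state

    def start(self, user, inbound_caller_id):
        """Begin verification.  Returns where to deliver the code and the code
        itself (for the help desk's out-of-band channel), or None for an unknown
        user.  `inbound_caller_id` is kept for the audit trail only."""
        registered = self.directory.get(user)
        if registered is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = {"code": code, "expires": self.now() + self.ttl_s,
                              "attempts": 0, "claimed_from": inbound_caller_id}
        # Deliberately never deliver to inbound_caller_id: it is spoofable.
        return {"send_to": registered, "code": code}

    def verify(self, user, presented):
        """True only if `presented` matches the live challenge for `user`."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= self.max_attempts:
            del self.pending[user]      # expired or exhausted: caller must start over
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], str(presented))
        if ok:
            del self.pending[user]      # single use
        return ok


def demo():
    """Constructed scenarios: a genuine employee, an impostor who spoofed the
    employee's number, and a code read back too late.  Returns the outcomes."""
    clock = [1_700_000_000.0]
    v = CallbackVerifier({"alice": "+14155550100"}, ttl_s=300, now=lambda: clock[0])

    # Genuine: Alice holds the registered phone and reads the code back.
    chal = v.start("alice", "+14155550100")
    genuine = v.verify("alice", chal["code"])
    replay = v.verify("alice", chal["code"])            # same code again: rejected

    # Impostor: caller ID spoofed to Alice's number, but the code went to
    # Alice's real phone, so the impostor can only guess.
    chal = v.start("alice", "+14155550100")
    wrong = "000000" if chal["code"] != "000000" else "111111"
    impostor = [v.verify("alice", wrong) for _ in range(4)]  # three tries, then locked

    # Stale: code delivered, but only read back after it has expired.
    chal = v.start("alice", "+14155550100")
    clock[0] += 301
    stale = v.verify("alice", chal["code"])

    return {"genuine": genuine, "replay": replay, "impostor": impostor,
            "stale": stale, "unknown_user": v.start("mallory", "+19995550199")}


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is in `start`: the delivery target comes from the directory, never from the caller. Everything else (expiry, attempt limit, single use, constant-time comparison) is the usual hygiene for one-time codes, and a real deployment would log `claimed_from` so that repeated failures against one account from a spoofed number become a detection signal in their own right.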

See More: Top 10 Anti-Phishing Software in 2021

Takeaways 

Vishing is one of the oldest strategies employed by fraudsters, predating the digital era. Now, with the proliferation of leaked personal data and cheap, spoofable network-based calling, it is easier than ever for attackers to emulate legitimate calls. However, one can avoid falling prey to vishing by staying vigilant in both personal and work life. By treating every unexpected call with scrutiny, verifying callers through a channel you control, and never sharing confidential information on an inbound call you did not verify, it is possible to defeat such attacks.  
