What is Vishing?
You’ve probably heard of phishing attacks. In that case, you probably have a hint of what vishing is just by the sound of it. And indeed, the clue is in the name: vishing is a type of phishing. More precisely, it’s voice phishing.
Just like those who phish don’t catch fish, vishing cyber criminals are far from wishing you well. A couple of calls, and your bank account details can end up in the wrong hands. Luckily, you’ll be ready for such attacks once you know what to expect.
Vishing, or Voice Phishing, is a social engineering tactic that uses phone calls to deceive individuals into disclosing sensitive information, often by posing as trusted institutions.
Perpetrators employ advanced techniques such as caller ID spoofing and interactive voice response systems to appear credible, manipulating victims into handing over personal data, financial information, or login credentials.
Effective prevention measures against Vishing include maintaining skepticism of unsolicited phone calls, never sharing sensitive details over a call unless absolutely sure of the caller’s identity, and reporting suspected vishing attempts to authorities.
What is Vishing? – in-depth
Vishing scams have a relatively simple structure. You get a call from someone posing as a person from the Social Security administration or the tax office. They inform you that there’s something wrong with your account and gradually manipulate you into revealing personal details.
The next thing you know, you’ve given a complete stranger all the info they need to take money from your account. Or, even worse, you gave them the money yourself.
This scenario might sound unlikely at first. After all, you would know better than to be tricked by a phone call. And that’s precisely what most vishing victims think.
The danger with vishing scams is that cyber criminals often introduce themselves as members of a government agency or similar. Even if we think of ourselves as independent or rebellious, most people wouldn’t second-guess that type of authority. This is especially true if the caller claims to have some information about you.
Unfortunately, this is where vishing scams thrive. Scammers will usually collect some info about the victim and use it to gain their trust. If the criminals succeed in that, the attack will probably be effective.
How Does Vishing Work?
Vishing scams unfold in four phases:
- Victim evaluation
- Initial contact
- The call
- Gathering and abusing the victim’s info
A vishing scam starts with plenty of due diligence. Cyber criminals rely on personal and private information they can find on the victim, so they need to have as much of it as possible before the attack begins.
In modern times, it’s much easier to get certain personal information. Malicious people don’t even need to hack or break into the victim’s account – some social network surfing will do just fine.
While you won’t keep your bank account or credit card details on your profile, there’ll be other things a criminal could use. For instance, many social network profiles show phone numbers, occupation, and info about people’s whereabouts. Even if all that data isn’t enough to start a vishing attack, it can serve as a good foundation.
Information gathering is often done automatically via programs that “scrape” info from users en masse. However, cyber criminals can sometimes get as up-close and personal as going through someone’s trash to dig up useful info. Regardless of how they gather the data, they can use it to find suitable victims.
A vishing scam will often include phishing attacks as the initial point of contact. In that case, the criminals will send an email posing as a legitimate organization. This, often automated, message will require the victim to share contact information or take some other action.
Contact can also be initiated via text or social media messages. If the victim replies, they’ll likely be susceptible to the vishing attack. In other words, victims who engage with false emails or other messages will probably also answer calls, even from a suspicious caller.
Some vishing attacks will skip this step and simply use an automated service to make phone calls to a large number of people.
The actual vishing scam begins the moment the phone rings. Since many devices today have caller ID, scammers will use several techniques to present their call as genuine.
For instance, they may prepare the victim for the call during the phishing attack. Suppose you’ve been contacted by someone you believe is a legitimate person from a reputable company. They told you to expect a call in the next hour and that’s precisely what happens. Why wouldn’t you pick up?
Another method cyber criminals employ to get people on the call is using the same local area code as the victim. People aren’t as resistant to answering such calls as they are to calls coming from unknown numbers and different areas.
As mentioned, vishing scammers will often identify as legitimate companies, social security representatives, or members of other government agencies. If the victim falls for the trick and accepts the scammer as a legitimate caller, the criminal will likely manage to get credit card details, info on financial accounts, or other crucial data.
Gathering and Abusing the Information
Once the scammers receive the victim’s account information and financial details, they will proceed with more severe criminal activities.
Cyber criminals can use the credit card account to make fraudulent transactions, gain access to bank accounts, and inflict massive financial damage. However, their activities likely won’t end there.
Scammers can even commit identity theft to pose as the victim, especially if they have the person’s identifying details like the social security number. Identity theft can also be used to continue the cycle of voice scams by contacting the victim’s friends and colleagues.
What Scammers Tell You
We’ve already established that voice phishing criminals will present themselves as genuine callers. They might pose as:
- Government agencies
- Members of a financial institution
- The Internal Revenue Service (IRS)
- Law enforcement agencies
- A genuine business
- Tech support
If they pose as a government agency, as is the case in the IRS tax scam, the criminals will ask for your sensitive information directly. They might even demand a payment or access to your account numbers.
Similarly, they could identify as an employee of your bank or other financial institution. In that case, the criminals will often ask for your bank account information.
But vishing calls can also come in the form of tech support fraud. When that happens, the scammer will say there’s an issue with an account or one of the user’s devices. They can then get access to the victim’s computer, often through the abuse of the internet protocol (IP) address.
Phone scams can seem like less official business, too. For instance, you might get a call informing you about a prize you won, even though you don’t recall entering a contest. This type of fraud is relatively common because it relies on statistical probability: call a thousand people and tell them they won the contest, and chances are there’ll be some who actually did sign up for it.
Vishing Examples – Common Vishing Scams
The most common techniques used in vishing attacks include:
- Wardialing
- Caller ID Spoofing
- Dumpster Diving
Wardialing
Wardialing is an automated method of voice phishing based on a specific area code. While the method originated from finding vulnerable entry points in web servers, the technique works just as well for vishing. It involves an automated message supposedly coming from a reliable organization. The message will usually ask the victim to verify their account, ask for personal or financial information, or threaten the victim into contacting the scammer directly.
This is an especially dangerous technique since the criminals will use specialized software to make phone calls from seemingly legitimate phone numbers.
The phone number in question might look like a 1-800 number or one coming from a trusted institution like a police department or a hospital. This makes the rest of social engineering much easier for the scammers and the vishing call more likely to succeed.
Caller ID Spoofing
Spoofing is quite similar to VoIP in that the phone call will seem to come from a genuine government or business organization. Sometimes the phone number will be hidden or, instead of a real ID, only display something like “Police” or “Tax Department.”
In this case, the phone scam can be successful if the victim has never had contact with such agencies and doesn’t know what their IDs normally look like.
Dumpster Diving
Dumpster diving is precisely what it sounds like. Criminals will search for sensitive information in the trash, often going through dumpsters behind businesses or banks.
While this method is much more low-tech than the rest, it can be surprisingly effective. If your phone number is listed on a discarded piece of paper, that will be enough for the scammers to get in contact and attempt a vishing attack.
What to Do if You’re Targeted by a Vishing Scam?
A large part of the defense against vishing comes from recognizing what’s happening. Here’s what to look for:
- Be careful if the caller asks you for sensitive information. In most cases, government agencies, banks, hospitals, or the police won’t request your information over the phone. Don’t give away your credit card or social security credentials during phone calls.
- Notice if the caller is using specific language that appeals to basic urges like greed or fear. When organizations conduct official business, they’ll never use such language and will instead sound impartial and reasonably distanced.
- If the caller insists on your personal information, ask them for their info instead. Then, end the phone call and check their legitimacy based on what they told you. Remember, a vishing scam relies on social engineering. Scammers likely won’t have the resources to produce a detailed false identity.
- In case the caller asks you to make a phone call or send or receive text messages, research the provided numbers before taking any action. If possible, contact those numbers from a different phone instead of your own.
- Sometimes the easiest way to avoid a vishing attack is not to have the call at all. If an unknown number is calling you, don’t answer and let the voicemail take it. And if you’re already on the phone with a suspicious-sounding caller, don’t hesitate to hang up if you notice some red flags.
What’s the Difference Between Vishing, Phishing, and Smishing?
Vishing, phishing, and smishing might sound like a silly joke, but all three represent a serious danger. These are types of attacks that cyber criminals use to gain personal or financial information.
A phishing attack is probably the most well-known method. These attacks utilize fake websites, messages, and emails, usually to get the victim to click on a link. Phishing often involves malware and similar digital techniques of gaining personal information.
As a subcategory of phishing, smishing uses messages exclusively. This type of attack can be less effective than others, but fake messages are easier to set up and automate. In other words, with smishing, criminals can start the software and sit and wait while the personal information is being gathered.
By now, you should understand precisely what vishing is and how it works. Like some types of phishing, a vishing attack will involve social engineering. The defining trait of this method is that the criminals will often have a proactive approach and talk to the victim directly over the phone.
How to stay safe online:
- Practice Strong Password Hygiene: Use a unique and complex password for each account. A password manager can help generate and store them. In addition, enable two-factor authentication (2FA) whenever available.
- Invest in Your Safety: Buying the best antivirus for Windows 11 is key for your online security. A high-quality antivirus like Norton, McAfee, or Bitdefender will safeguard your PC from various online threats, including malware, ransomware, and spyware.
- Be Wary of Phishing Attempts: Be cautious when receiving suspicious communications that ask for personal information. Legitimate businesses will never ask for sensitive details via email or text. Before clicking on any links, ensure the sender's authenticity.
- Stay Informed. We cover a wide range of cybersecurity topics on our blog. And there are several credible sources offering threat reports and recommendations, such as NIST, CISA, FBI, ENISA, Symantec, Verizon, Cisco, Crowdstrike, and many more.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.