Social engineering attacks use the “human loophole” to get around security controls. Instead of hacking your accounts to steal your identity, they hack you. Social engineering attacks can come in different shapes and forms such as smishing, spear phishing, and vishing. Phishing attacks have become increasingly popular, but what is a vishing attack?
What is a vishing attack?
Vishing is made up of two words: “Voice” and “Phishing”.
Vishing is a social engineering attack where a malicious person contacts the victim over the phone and tries to gain their trust through social engineering practices. The goal of the attacker is to extract confidential information, extract funds or have the victim perform other harmful actions.
So vishing is basically a type of phishing attack, but one conducted via phone calls.
Vishing exploits trust
Attackers pretend to be a representative of a company that the victim trusts, such as a:
- Insurance company
- Government agency
- Police department
They try to exploit the inherent trust people have in authorities, or in another entity that already seems to possess some information about them. This way the attacker lures the victim into submitting sensitive information, or has them perform other actions such as transferring money, revealing their passwords, installing malicious software, or granting remote access to their device.
How a vishing attack works
Let’s consider one simple vishing scenario where the attacker calls the victim and claims to be a representative from the bank.
Using a spoofing technique, they might appear to be calling from a bank-authorized number.
The scammer will state that your account has been compromised and ask for your confidential information such as your banking password, PIN, etc., to resolve the issue.
Initially, scammers gain your trust by stating correct personal information, such as your name, phone number, and address. As soon as they have your trust, they make you feel as if you are in danger and must take immediate action.
Types of vishing attacks
There are many types of vishing attacks out there, and one of the most common is described in the bank example above.
Other common types of vishing attacks are:
In the tech support scam, the attacker claims to be calling from a tech support company, telling you that your device or your account has been hacked or infected with a virus. The call demands immediate action, just as other social engineering attacks do.
The attacker will then ask you to give them remote access to your device so they can resolve the problem. Instead, they will install malicious software on your device, steal your credentials and try to take money from your accounts.
Impersonating the police is also a common type of vishing attack. By inducing fear and, again, a sense of urgency, they will try to convince you to give up sensitive personal details.
You might even be instructed to deposit money into the attacker’s bank account, with the caller claiming to be from some government agency, like the tax department.
Vishing attackers use several techniques to phish information. Here are some of the most common techniques.
- War dialing uses technology and software-driven calls to dial various numbers within specific area codes. When a victim answers the call, an automated voice message asks the person to spell out their full name and provide credit card details.
- VoIP is another easy means to create spoofed numbers and skim information over voice calls. VoIP-generated fake numbers are hard to track and are often used to imitate local phone numbers. Some cybercriminals generate VoIP numbers to appear to be coming from government departments.
- Caller ID Spoofing is similar to VoIP-based vishing, where the scammer hides behind a fake phone number and pretends to be a legitimate caller. In this technique, they set the caller name to ‘Unknown’ and pretend to represent a legitimate caller. They mimic the number so that it appears to belong to a legitimate organization such as a tax department, hospital, police department, etc.
What are the goals of a vishing attack?
Vishing attacks usually serve one of the following common end goals:
- Make you follow a link to download malicious software
- Trick or persuade you into submitting sensitive information like your password, card PIN, bank account numbers, etc.
- Convince you to hand over control of your computer or mobile device to them
How to defend against vishing attacks
Some best practices you can follow to protect against vishing attacks are:
- Don’t provide any information over the phone
- If you notice a delay of 2-3 seconds before a live person speaks, it may be an auto-dialer system
- A legitimate caller will not hesitate before authenticating their professional affiliations. A scammer, however, will be reluctant to confirm their identity, web address, and online verification details.
- Don’t press buttons or respond to prompts. If you get an automated message that asks you to press buttons or respond to questions, don’t do it. For instance, the message might say “Press 2 to be removed from our list” or “Say ‘yes’ to talk with an operator.” Scammers often use these tricks to identify potential targets for more robocalls. They also might record your voice and later use it when navigating voice-automated phone menus tied to your accounts.
- Avoid answering unknown phone calls. Let the phone ring and then go to voicemail. From there, you can listen to the message and determine if it is legitimate or not.
Real-Life examples of vishing attacks
Perhaps the most famous vishing attack was against Twitter in 2020. This attack targeted 130 verified Twitter accounts of public figures, eventually tweeting from 45 of them and wreaking havoc on well-known, public figures.
In 2020, a vishing attack targeted AT&T. The scammers pretended to be customers who were interested in changing their mobile provider. This attack compromised AT&T users’ passwords and financial information and led to the direct theft of money from the users’ accounts.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.