
What is Vishing: Defining, Detecting and Protecting

Stay ahead of voice phishing scams with our comprehensive guide on vishing. Define what vishing is, recognize the signs, and learn how to protect yourself and your organization from these vishing attacks.

By Daniel Kelley


Definition of Vishing

Vishing, or voice phishing, is a cyberattack in which fraudsters use phone calls to deceive people into revealing personal, financial, or other sensitive information. Unlike traditional email phishing, vishing involves direct voice communication. Recent data highlights the significant financial, operational, and reputational impacts of vishing attacks:

  • In 2022, vishing scams led to a total loss of $1.2 billion, with the median loss per victim reported at $1,400.
  • In the second quarter of 2023, the volume of vishing attacks worldwide increased by 10% compared to the previous quarter, indicating a growing operational threat to organizations.
  • In December 2021, nearly 470 customers of OCBC Bank in Singapore lost a combined S$8.5 million due to vishing scams, leading to significant reputational damage for the bank.

These statistics underscore the critical need for organizations and individuals to implement robust measures against vishing attacks to mitigate financial losses, operational disruptions, and reputational harm.

What is the Purpose of Vishing Attempts?

The purpose of vishing attempts can be broken down into key objectives. Here's what scammers are after:

Objective | Examples
--- | ---
Steal Sensitive Information | Bank account numbers, passwords, or Personal Identification Numbers
Access and Exploit Accounts | Accessing bank or online accounts, illegally transferring funds, or making unauthorized purchases
Commit Identity Theft | Opening new accounts in the victim's name or obtaining credit or loans fraudulently
Create Urgency or Fear | Convincing there’s an immediate account issue, offering fake rewards, or conducting urgent surveys

Table 1: What is the purpose of vishing attempts?

Difference Between Phishing, Vishing and Smishing


Phishing tricks you with fake emails, vishing uses phone calls, and smishing sends scam texts. All three attack types aim to steal your data. Let's explore the differences between phishing, vishing, and smishing, looking at how each social engineering method operates and what makes it distinct:

Phishing: Email-Based Deception

  • Method: Utilizes phishing emails designed to mimic legitimate communications from reputable organizations.
  • Objective: Tricks people into revealing personal, financial, or login information by clicking phishing links or malicious attachments.
  • Common Signs: Misspellings, unfamiliar sender addresses, urgent or threatening language requesting immediate action.

Vishing: Voice or Telephone Scams

  • Method: Uses phone calls to either convince or scare people into giving away their personal information or money.
  • Objective: Takes sensitive information or money directly from the person targeted by pretending to be an authority figure, tech support, or a financial institution.
  • Common Signs: Unknown caller IDs, urgent requests for information or money, and pre-recorded messages claiming to be from official agencies.

Smishing: SMS Text Messaging Fraud

  • Method: Sends text messages that trick recipients into clicking on phishing links or sharing personal information.
  • Objective: Seeks to install malicious software on mobile devices or trick people into sharing important information by pretending to offer something urgent or appealing.
  • Common Signs: Texts from unknown numbers, messages prompting to click on links for offers, prizes, or resolving account issues.

Understanding these differences helps individuals identify and avoid falling victim to these increasingly sophisticated social engineering attacks.

How Does Vishing Happen?


As the definition of vishing suggests, it happens when scammers use phone calls to trick people into giving away their personal information. Pretending to be from a trusted organization, they might tell you there's a problem with your account, offer you a reward that doesn't exist, or say they're doing a survey.

These calls often show up with fake numbers that look real, making the scam seem legitimate. If you think you're talking to someone you can trust, you might end up sharing details that could lead to losing money or having your identity stolen.

Here's a quick look at how an example vishing attack happens:

  • The Initial Contact: You get a call. The number looks official, maybe even one you recognize.
  • The Setup: The person on the line sounds professional. They say they're from your bank, a tech company, or any organization you might trust. They've got news or an offer.
  • The Ask: Here's where they want something from you. Maybe it's your account details, your social security number, or a password. Sometimes, they'll ask you to transfer money directly.
  • The Pressure: They're probably in a hurry. They want you to act fast. This pressure is a key part of the scam, making you less likely to think things through.

Common Vishing Methods


Vishing attacks use various methods to trick individuals into sharing personal and financial information. Each technique is designed to exploit different vulnerabilities, ranging from technological gaps to human psychology. Here's a closer look at some of the most common vishing methods:

  • Deepfakes: This method uses artificial intelligence and machine learning to clone a person's voice, creating audio that sounds like someone you know and trust. Attackers can mimic the voices of CEOs or family members to convince you to transfer money or share sensitive data.
  • Robocalls: These are automated calls that deliver pre-recorded messages. Scammers use robocalls to reach a large audience quickly, often pretending to be from government agencies or legal departments to scare victims into complying with their requests.
  • Tech Support Call: Here, the scammer pretends to be a tech support agent from a well-known company, claiming to have detected an issue with your computer or account. They aim to gain remote access to your device or convince you to provide personal information under the guise of fixing a non-existent problem.
  • Client Call: In these scams, attackers pretend to be potential clients or partners of your business. They may request sensitive company information or direct payments, exploiting professional trust and courtesy.
  • VoIP Vishing: Voice over Internet Protocol (VoIP) allows scammers to make calls over the internet, often from international locations, while displaying a local or trusted number on the caller ID. This method makes it difficult to trace the call back to the scammer.
  • Caller ID Spoofing: Similar to VoIP vishing, caller ID spoofing involves changing the caller ID to a familiar or trustworthy number. This tricks victims into answering the call and trusting the caller.
  • Dumpster Diving: Though not exclusively a vishing technique, dumpster diving involves searching through a person's or company's trash to find documents with personal information. Scammers can use this information to make their vishing attacks more convincing and targeted.

Vishing Attack Examples

Let's look at a few real-life examples of vishing to understand how these attacks work and their impacts. Each story shows how scammers use phone calls to trick people into giving them money or personal information.

Deepfake Voice Attack on a UK Energy Company (2019)

In 2019, the boss of a UK energy company received a call from someone who sounded exactly like his boss from the German headquarters, thanks to high-tech deepfake voice technology. The scammer, using this technology to clone the voice, convinced him to urgently send €220,000 (about $243,000) to a supplier in Hungary. Believing the call was legitimate, the CEO transferred the money, only realizing later that it was a scam, leading to a significant financial loss for the company. This incident showcases the dangerous potential of deepfake technology in the wrong hands.

Twitter Vishing Scam Targets High-Profile Accounts (2020)

In July 2020, hackers targeted Twitter employees with a sophisticated phone scam, or vishing, to gain access to the company's internal systems. This wasn't an ordinary attack; the scammers managed to take over 130 high-profile accounts, including those of Barack Obama, Joe Biden, and Kanye West.

By extracting sensitive information over the phone, the hackers convinced employees to give them access. The result was a series of tweets promoting Bitcoin scams from these accounts, through which the hackers made about $110,000 before they were caught.

Hong Kong's $41 Million Vishing Scandal (2020)

In 2020, a 90-year-old woman from Hong Kong became the victim of a vishing scam, losing $41 million. She received phone calls from scammers claiming that her identity had been used in crimes in China. Posing as law enforcement, they pressured her into making 10 payments totaling $41 million. After realizing she had been scammed, she reported the incident to the police, which led to the rare arrest of a 19-year-old man involved in the scheme.

Please check out our other blog on real vishing attack examples to learn more.

What are the signs of vishing attacks?


Knowing the signs of a vishing attack can help you avoid falling for one. Here’s what to watch out for:

  • Unexpected Calls: If you get a call out of nowhere from someone claiming to be from your bank, a government agency, or any service provider, be wary, especially if they're asking for personal or financial info.
  • Urgency: The caller presses you to act fast. They might say your account will be closed or you'll face legal action if you don't respond immediately.
  • Request for Personal Information: Be suspicious if the caller asks for sensitive details like your password, PIN, or bank account numbers.
  • Quality of the Call: Sometimes, vishing calls might have poor call quality or sound like they're coming from a long distance, despite claiming to be from a local number.
  • Spoofed Caller ID: The caller ID might look legitimate, but scammers have ways to fake these. Just because it looks real doesn't mean it is.

How to Prevent Vishing

Staying safe from vishing attacks requires caution, knowledge, and taking the right steps. Here’s how:

  • Verify the Caller: If you're unsure about a caller's identity, hang up. Then, contact the organization directly using a number you trust, like one from their official website.
  • Don't Share Personal Info: Never give out personal or financial information over the phone unless you're sure of the caller's identity.
  • Use Call-Blocking Services: Many phone companies offer services to block unknown or suspicious numbers. Taking advantage of these can reduce the number of vishing calls you receive.
  • Stay Informed: Knowing the latest vishing tactics and scams can help you recognize a potential attack before it's too late.
  • Report Suspicious Calls: If you think you've received a vishing call, report it to the appropriate authorities. This can help prevent others from falling victim to the same scam.

By keeping these signs and prevention tips in mind, you can protect yourself and your loved ones from falling victim to vishing attacks.

Protect Against Vishing Attacks with Keepnet Labs

Keepnet Labs offers comprehensive solutions to guard against voice phishing attacks. Here’s how Keepnet Labs can help you stay safe from vishing attempts:

  • Simulated Vishing Attacks: To prepare you for real-world vishing scenarios, Keepnet Labs provides simulated vishing tests. These vishing simulations are safe, controlled ways to experience a vishing attempt, ensuring you're ready to act correctly when faced with a real vishing attempt.
  • Security Awareness Training: Keepnet Labs emphasizes the importance of education in cybersecurity. They offer training modules designed to increase security awareness about vishing scams, teaching you how to effectively recognize and respond to phishing calls.
  • Incident Reporting Tools: Keepnet Labs offers tools that make it easy to report suspected phishing attempts. Quick reporting can help analyze and prevent future attacks, making it a significant part of any defense strategy.
  • Community and Intelligence Sharing: Keepnet Labs fosters a community of users and cybersecurity experts to share intelligence about new and emerging vishing threats. This collective knowledge acts as an early warning system, giving you a heads-up about scams as they develop.


Also, check our vishing simulation product demo and see how we test and train employees against voice phishing attacks in a safe environment.

Editor's Note: This blog was updated on November 20, 2024.
