The State of the Vish
Voice phishing, or vishing, is a tactic in which a threat actor uses phone calls, rather than the scam emails sent out in phishing campaigns, to trick victims into providing sensitive personal information by posing as their bank or another trusted organisation. Threat actors will look to build a rapport with their victim in order to encourage them to share sensitive details.
Legitimate services such as Voice over IP (VoIP) may be used by threat actors to conduct such schemes. VoIP makes it easier for actors to create fake numbers that are nearly impossible to track. In some instances, services may allow actors to create numbers local to the victim’s location to make them look more realistic. Actors may also use a method known as Caller ID Spoofing to display the number or identity of an individual or organisation that the user already knows and trusts.
No matter what technology is used, the setup for the attack follows a familiar social engineering script: an attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we're more likely to trust a human voice, and may target the elderly and technophobic who are naive and have no experience with these types of scams.
Here are the latest statistics on vishing scams:
Source: Beware the Artificial Impostor: A McAfee Cybersecurity Artificial Intelligence Report
• 77% of AI voice scam victims lost money.
• More than half (53%) of all adults share their voice at least once a week online or on social media.
• McAfee researchers find you can clone a voice from just three seconds of audio.
Source: Quarterly Threat Trends and Intelligence - May 2022 (phishlabs.com)
• According to the quarterly threat trends and intelligence report from PhishLabs and Agari by Fortra, vishing cases skyrocketed by 550% from early 2021 (Q1) to early 2022 (Q1).
Source: 30 Shocking Vishing Statistics in 2023 - IncrediTools
• In 2022, Americans lost $68.4 million to phone scams.
• 33% of Americans have reported having become a victim of phone scams.
• In a 2020 State of the Phish report, 53% of global workers responded, “I don’t know” when asked, “What is vishing?”
• 85% of vishing attacks from bad actors are perpetrated via free email services.
• The role of AI tools in vishing attacks is being overestimated so far.
• In late 2022, there were reports of bad actors using vishing techniques to convince their victims to install malware on their Android phones.
• September 2022 statistics suggest that vishing attacks have risen by nearly 550%.
• 59% of Americans received vishing scam calls in 2021 regarding COVID-19.
• Organisations in Spain experienced a volume of 99% in vishing attacks in 2019.
• The FBI’s Internet Crime Complaint Center logged 241,342 victims of phishing, vishing, smishing and pharming in 2020, more than double 2019’s total of 114,702 victims.
• Only 6% of people who reported government imitation vishing scams lost money, but those who did averaged $960 in losses.
• Approximately 28% of all vishing used personal information to target victims.
• Vishing attacks have become more common in recent years. Scam calls accounted for over 30% of all incoming cell phone calls in 2018.
• Vishing, phishing, smishing and pharming cost victims $54.2 million in 2020.
According to a study by the Identity Defined Security Alliance (IDSA), phishing was the most common type of identity-related incident in 2022. The study interviewed 529 IT security and identity professionals from organisations with more than 1000 employees.
No matter what technology is used, vishing calls exploit the fact that we're more likely to trust a human voice. Threat actors will look to build a rapport with their victim in order to encourage them to share sensitive details by posing as a trusted source, e.g. banks, insurance companies and reputable product distributors. With the recent rise of vishing tactics from threat actors, it has become more important to have the resources to protect your business from vishing attacks.
The largest rise in vishing occurred between 2020 (54%) and 2021 (69%). We expect to continue seeing a rise in vishing-type attacks in the upcoming years. With the general public becoming more aware of phishing attacks via email, threat actors will continue shifting tactics for executing malicious attacks. While certain groups of people and certain industries experience higher volumes of vishing than others, the world population needs to take precautions to avoid this problem. If you want to take proactive steps to protect your organisation, you might want to include vishing as part of security awareness training. Keepnet Labs offers simulated vishing scenarios that can help you discover vulnerabilities in staff attitudes and demonstrate the nature of the threat to your employees.