The State of the Vish
2024-01-23
Voice phishing, or vishing, is a tactic where a threat actor uses phone calls, rather than the scam emails sent out in phishing campaigns, to trick victims into providing sensitive personal information by posing as their bank or another trusted organisation. Threat actors will look to build a rapport with their victim in order to encourage them to share sensitive details.
In 2024, the global economy suffered approximately $400 billion in losses due to cyber outages, with a significant portion attributed to phishing attacks that led to system downtimes and financial theft.
A recent study highlighted that U.S. Fortune 500 companies incurred $5.4 billion in losses from a global tech outage caused by a faulty update in CrowdStrike's security software, which was exploited through phishing attacks to disrupt operations.
In 2024, Delta Air Lines faced significant reputational harm after a phishing-induced IT outage led to the cancellation of approximately 6,700 flights, resulting in customer dissatisfaction and a projected financial impact of $350 million.
These examples underscore the critical need for organizations to implement robust cybersecurity measures to mitigate the financial, operational, and reputational risks associated with phishing attacks.
No matter what technology is used, the setup for the attack follows a familiar social engineering script: an attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we're more likely to trust a human voice, and may target the elderly and technophobic who are naive and have no experience with these types of scams.
Here are the latest statistics on vishing scams:
Source: Beware the Artificial Impostor: A McAfee Cybersecurity Artificial Intelligence Report
• 77% of AI voice scam victims lost money.
• More than half (53%) of all adults share their voice at least once a week online or on social media.
• McAfee researchers find you can clone a voice from just three seconds of audio.
Source: Quarterly Threat Trends and Intelligence - May 2022 (phishlabs.com)
• According to the quarterly threat trends and intelligence report from PhishLabs and Agari by Fortra, vishing cases skyrocketed by 550% from early 2021 (Q1) to early 2022 (Q1).
Source: 30 Shocking Vishing Statistics in 2023 - IncrediTools
• In 2022, Americans lost $68.4 million to phone scams.
• 33% of Americans have reported having become a victim of phone scams.
• In a 2020 State of the Phish report, 53% of global workers responded, “I don’t know” when asked, “What is vishing?”
• 85% of vishing attacks from bad actors are perpetrated via free email services.
• The role of AI tools in vishing attacks is being overestimated so far.
• In late 2022, there were reports of bad actors using vishing techniques to convince their victims to install malware on their Android phones.
• September 2022 statistics suggest that vishing attacks have risen by nearly 550%.
• 59% of Americans received vishing scam calls in 2021 regarding COVID-19.
• Organisations in Spain experienced a volume of 99% in vishing attacks in 2019.
Source: What Is Vishing: Methods to Detect and Avoid a Voice Scam (securitygladiators.com)
• The FBI’s Internet Crime Complaint Center logged 241,342 victims of phishing, vishing, smishing and pharming in 2020, more than double 2019’s total of 114,702 victims.
• Only 6% of people who reported government imitation vishing scams lost money, but those who did averaged $960 in losses.
• Approximately 28% of all vishing used personal information to target victims.
• Vishing attacks have become more common in recent years. Scam calls accounted for over 30% of all incoming cell phone calls in 2018.
• Vishing, phishing, smishing and pharming cost victims $54.2 million in 2020.
According to a study by the Identity Defined Security Alliance (IDSA), phishing was the most common type of identity-related incident in 2022. The study interviewed 529 IT security and identity professionals from organisations with more than 1000 employees.
Source: Phishing remained the top identity abuser in 2022: IDSA report
No matter what technology is used, vishing calls exploit the fact that we're more likely to trust a human voice. Threat actors will look to build a rapport with their victim in order to encourage them to share sensitive details by posing as a trusted source, e.g. banks, insurance companies, and reputable product distributors. With the recent rise of vishing tactics from threat actors, it has become more important to have the resources to protect your business from vishing attacks.
The largest rise in vishing occurred between 2020 (54%) and 2021 (69%). We expect to continue seeing a rise in vishing-type attacks in the upcoming years. With the general public becoming more aware of phishing attacks via email, threat actors will continue shifting tactics for executing malicious attacks. While certain groups of people and certain industries experience higher volumes of vishing than others, the world population needs to take precautions to avoid this problem. If you want to take proactive steps to protect your organization, you might want to include vishing as part of security awareness training. Keepnet Labs offers simulated vishing scenarios that can help you discover vulnerabilities in staff attitudes and demonstrate the nature of the threat to your employees.
Editor's Note: This blog was updated on November 20, 2024.