Vishing: What It Is, How To Detect It & How To Prevent It

According to Proofpoint’s 2021 State of the Phish: An In-Depth Look at User Awareness, Vulnerability and Resilience, 74% of U.S. organizations experienced a successful phishing attack in 2020 (30% higher than the global average and a 14% year-over-year increase), and 77% faced vishing attacks.

Vishing is a combination of the words “voice” and “phishing,” and refers to a phone scam designed to steal confidential information from individuals or organizations. A vishing phone call can come from an automated machine or a live person. During one of these calls, a scammer will use social engineering techniques to manipulate an individual into divulging details such as passwords, account details, or personal information.

Vishing incidents increased sharply over the past year as a result of the COVID-19 pandemic, and a successful attack can seriously harm both the targeted individual and the organization as a whole. Below, we detail what vishing scams look like, how to detect them, and how to avoid falling victim to them.

Common Vishing Scams

Bank Account Compromise

The scammer pretends to be from your bank and claims there’s an issue with your account, or that it has been compromised. They then ask for your credentials to “fix” the problem. They may also leave an urgent voicemail warning that your account will be shut down unless the credentials are provided immediately.

Threatening Law Enforcement

A scammer may pose as a member of law enforcement and insinuate that they’re trying to help you avoid criminal charges, but that they need certain personal information to begin the process.

Impersonating Government Officials

A common tactic is calling while pretending to be from the Internal Revenue Service (IRS) and claiming there is an issue with the individual’s taxes that can be resolved by giving the caller confidential information. These calls usually spike during tax season, when scammers capitalize on the stress of that time of year.

Software Installation

The scammer calls to report a problem with your computer that can supposedly be fixed with a simple software installation. The “fix” is usually malware, which gives the scammer access to confidential information such as your email.

How Does Vishing Work?

Compared with email-based phishing, far fewer security technologies can effectively detect and block an attack delivered by phone call. To run a vishing scam, attackers typically rely on:

Wardialing

Wardialing lets scammers call hundreds of phone numbers at once using software that bulk-dials specific area codes. When a victim answers, an automated message (usually claiming to be from a bank, a government agency, or law enforcement) plays and urges them to provide confidential information.

VoIP

Voice over Internet Protocol (VoIP) technology lets malicious actors present fake caller-ID numbers that appear to come from a trusted source, making the victim more likely to share their information.

Emotional Leverage

Cybercriminals turn to vishing because it’s much easier to convey emotion over the phone than in an email or text message. Leveraging emotion and emotional vulnerability is the catalyst for convincing a victim to hand over the requested information.

How to Detect Vishing & Recognize Social Engineering Attacks

Demanding Tone

Listen for a sense of frantic urgency in the caller’s tone. Scammers capitalize on fear and panic (e.g., about legal trouble or bank account problems) to push victims to comply.

Request for Confidential Information

This might seem obvious, but a tell-tale sign of a vishing scam is a caller asking you to supply information such as your name, date of birth, address, credit card numbers, or Social Security number.

Unexpected Governmental Agency

If the caller claims to be from the IRS, Medicare, or the Social Security Administration, but you haven’t requested contact from any of these agencies, the call is most likely a scam.

Strategies to Prevent Vishing

  • If you don’t recognize the number, don’t answer the call. Instead, let it go to voicemail and listen to the message later to decide whether to call back.
  • If at any point you suspect that the call is a vishing scam, hang up and block the number. Don’t try to carry on the conversation to be polite.
  • Don’t press any buttons or speak any responses to prompts from an automated message. Scammers could record your voice to navigate voice-automated phone menus tied to your accounts, or use a “press X” option to identify targets for future calls.
  • Verify the caller’s identity before returning a call to an unidentified number. If the caller claims to be from a certain company, look up the company’s public phone number and call that instead.
  • Listen carefully to the caller and mentally flag any social engineering language that leverages fear or urgency, or “once-in-a-lifetime opportunity” language.
  • Register with the Do Not Call Registry. Most legitimate telemarketing companies avoid calling numbers on this list, so if you still receive a telemarketing call, it’s most likely a vishing attempt.
  • Don’t provide your phone number in response to emails or messages that ask for it. Report these emails to your IT support team.

Conclusion

One of the first lines of defense against vishing attacks is human awareness. Social engineering and vishing attacks tend to follow predictable patterns, and recognizing the common signs associated with them can protect your personal information and the integrity of your organization.