Vishing, short for "voice phishing," is a type of social engineering attack that uses telephone calls or other voice-based communication to trick someone into giving up sensitive information, such as bank account details, login credentials, or personally identifiable information (PII). Phishing emails are more widely recognized, but vishing attacks are on the rise and often go unreported. Unlike attacks that target purely digital channels, vishing manipulates human trust through direct voice interaction, which makes it a powerful tool for scammers.
Vishing attacks rely on a combination of manipulation techniques to make their schemes convincing. Here are some of the most common tactics:
The attacker creates a fabricated story, or "pretext," to justify the call. They might claim to be from the victim's bank and say that there is suspicious activity on the account. The pretext is built to create a sense of urgency so the victim responds without thinking and hands over sensitive information.
Attackers manipulate caller ID information so the call appears to come from a legitimate source, such as the victim's bank or a government agency. Because the displayed number is supplied by the originating side of the call and is not verified by the recipient's phone, it lowers the target's defenses and makes them more likely to trust the caller.
One of the most effective techniques in vishing is creating a sense of urgency. Attackers may claim that immediate action is required to prevent fraud or financial loss, pressuring the victim to act before they have time to think critically or verify the caller's identity.
In tech support scams, attackers pose as customer support staff from well-known technology companies and claim that the victim's computer is compromised. They convince victims to grant remote access or pay for fake repairs, which often leads to data theft or financial loss.
In these scams, fraudsters impersonate bank representatives, claiming suspicious activity on the victim's account. The attacker asks for sensitive information, such as passwords or PINs, under the guise of securing the account, resulting in unauthorized access to financial data.
Delivery scams involve attackers pretending to be from a delivery service, claiming there is an issue with a package. The victim is asked to provide personal or payment information to resolve the issue, which the scammers then exploit for fraud.
Risks for Individuals
If you receive an unexpected call asking for personal information, such as account numbers or passwords, treat it as a red flag. Legitimate organizations typically won't request sensitive data over the phone on a call they did not arrange with you.
Vishing scammers often create a sense of urgency, claiming that immediate action is needed to prevent something negative, such as the suspension of your account or the loss of funds. Be cautious of any caller who pressures you to make a quick decision before you can verify who they are.
Be wary of calls that ask you to confirm personal information, such as your Social Security number or login credentials, especially if you weren't expecting the call. Legitimate organizations offer other ways to verify your identity, such as through their official website or app, or by you calling them back on a published number.
If you receive an unsolicited call asking for personal information, verify the caller's identity by hanging up and contacting the organization directly through its official channels, such as the number on your card or statement. Don't rely on caller ID alone, as it can be spoofed.
Avoid sharing personal details, such as account numbers, passwords, or PINs, over the phone. Legitimate organizations will not ask for passwords or PINs in an unsolicited call.
Businesses should conduct regular security awareness training so employees learn how to recognize vishing attempts, and should establish a clear protocol for reporting suspicious calls.
Consider using call-blocking apps or services that filter out spam calls. Businesses can use voice authentication tools to verify the identity of callers when sensitive information is involved, and should require a call-back to a known number, or a second channel, before acting on any phone request for credentials, payments, or account changes.
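The caller ID spoofing tactic described earlier and the advice not to trust caller ID alone have a practical counterpart on the defender's side: a call that arrives over an external trunk while presenting one of the organization's own numbers cannot be genuine, and can be flagged automatically. The following is an added example, not code from the original page or from any vendor; it runs over constructed, simplified call detail records (the `trunk=... from=... to=...` layout and the `+1555010` number range are assumptions made for the illustration, not a real PBX format).

```python
"""Flag inbound calls whose caller ID claims a number the organization owns.

Caller ID is set by the originating side of a call and can be spoofed. A call
that arrives on an external trunk yet presents one of our own numbers cannot be
legitimate; it is a strong vishing indicator. The log layout used here is a
constructed, simplified CDR (call detail record), not a real PBX format.
"""
from dataclasses import dataclass

# Constructed assumption: the organization's own published number range
# (E.164 prefixes; any number starting with one of these is "ours").
OWN_NUMBER_PREFIXES = ("+1555010",)


@dataclass
class CallRecord:
    ts: str
    trunk: str       # "external" (PSTN/SIP provider) or "internal" (own PBX)
    caller_id: str   # number presented to the callee, normalized to E.164
    callee: str      # number that was called, normalized to E.164


def normalize_number(raw: str) -> str:
    """Reduce formatted numbers such as "(555)010-0017" to E.164 ("+15550100017").

    Non-numeric caller IDs (e.g. "anonymous") are returned lower-cased so they
    never match a numeric prefix. A 10-digit number is assumed to be NANP and
    gets the +1 country code (constructed assumption for this example).
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not digits:
        return raw.lower()
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def parse_cdr_line(line: str) -> CallRecord:
    # Constructed CDR layout: "<timestamp> trunk=<trunk> from=<num> to=<num>"
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return CallRecord(ts, kv["trunk"], normalize_number(kv["from"]),
                      normalize_number(kv["to"]))


def is_own_number(number: str) -> bool:
    return number.startswith(OWN_NUMBER_PREFIXES)


def is_spoofed_internal_id(rec: CallRecord) -> bool:
    """True when a call from outside presents one of our own numbers.

    Only this "impossible" claim is flagged: an external caller showing a
    third party's number (e.g. a bank's real helpline) looks identical to a
    genuine call from that party, which is exactly why caller ID alone can
    never be used to establish trust.
    """
    return rec.trunk == "external" and is_own_number(rec.caller_id)


def find_spoofed_calls(lines):
    """Return the parsed records that should be flagged for review."""
    return [r for r in map(parse_cdr_line, lines) if is_spoofed_internal_id(r)]


# Constructed sample log: four inbound calls to extension +15550100042.
SAMPLE_CDR = [
    "2024-05-01T09:02:11 trunk=external from=+15550987654 to=+15550100042",  # outside number: not flagged
    "2024-05-01T09:05:40 trunk=internal from=+15550100017 to=+15550100042",  # extension to extension: fine
    "2024-05-01T09:07:03 trunk=external from=(555)010-0017 to=+15550100042",  # our number from outside: flag
    "2024-05-01T09:09:55 trunk=external from=anonymous to=+15550100042",     # withheld ID: not flagged here
]

if __name__ == "__main__":
    for rec in find_spoofed_calls(SAMPLE_CDR):
        print(f"{rec.ts}: external call to {rec.callee} presented own number "
              f"{rec.caller_id}; likely spoofed caller ID")
```

In practice this check belongs on the SIP provider or PBX edge, where the trunk a call arrived on is known; the flagged record is a signal for the call handler and the reporting protocol mentioned above, not proof on its own, and the unflagged calls are not thereby trustworthy.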