Nearly half of infosec professionals reported experiencing vishing or smishing in 2018
Vishing. Phishing. Smishing. These terms sound like something a child made up and then decided to make the other two rhyme. But as you likely already know (or will soon discover), vishing, phishing, and smishing are very real and very dangerous threats to businesses and individuals alike.
When we talk about phishing, for example, many people think of the word in terms of scams that cybercriminals use to obtain sensitive information via email. And they would be right — but that definition only describes one part of a much bigger picture. That’s because phishing isn’t limited to email alone. There’s also voice phishing, or what’s referred to as “vishing.” There’s “smishing,” which uses SMS/text messages as an attack vector (which we’ll discuss more in a future article). Other forms of phishing include spear phishing, HTTPS phishing, CEO fraud/business email compromise… the list goes on and on.
For this article, though, we're going to focus solely on vishing. But what is vishing, and what does it mean for you personally and professionally? Let's take a deep dive into the world of voice phishing. We'll talk about what it is and how it works, provide some examples of common vishing attacks, and cover what you can do to protect yourself and your business.
Let’s hash it out.
Breaking Down Voice Phishing: What is Vishing?
Vishing, or voice phishing, is a form of scam that uses phone calls to get prospective victims to share personal or financial information. Scam calls have risen significantly over the past couple of years. According to First Orion, scams represented only 3.7% of all incoming mobile calls in 2017; in 2018, that number reached nearly 30%.
Research from First Orion indicates that:
“…scammers are now using personal information to target consumers directly by impersonating legitimate companies to swindle money. In fact, 75% of victims report that scam callers had their personal information and used this to extract additional data, leading directly to a financial loss.”
Phone phishing refers to phone calls from people who are pretending to be from the government, a reputable company or organization (enterprise spoofing), or even a family member who needs help (relationship fraud). To get victims to share personal and financial information, they use social engineering tactics — psychological and social methods of manipulating or tricking users — and the victims’ own emotions to get them to provide information or to perform a specific action.
We could get into how, at their core, these attackers turn the fixed action patterns and stimulus responses we have as human beings against us, but that would mean going down a rabbit hole that requires a lot more explanation.
So, here’s the simplest way to understand what voice phishing is and how it works: A malicious actor aims to get you to comply with what, under normal circumstances, would be considered an unreasonable demand (handing over your personal or financial information). They do this by setting up a situation that triggers an emotional response such as fear, urgency, curiosity, or even excitement. The actor establishes themselves as an authority, either someone who can help you fix the problem or someone who can benefit you in some way. After all, you’re a lot more likely to share your personal information with someone when you think that you’re about to lose a lot of money or have won a significant prize such as the lottery.
While vishing often targets individuals, it isn’t a consumer-only problem. Voice phishing also targets businesses, typically to get employees to hand over account information. Get Safe Online has published a reconstruction of an actual vishing phone call to a small business in which a visher attempts to gain access to the company’s confidential account information to commit fraud.
The Nitty-Gritty: Who Does the Vishing and How Do They Do It?
Vishing can be performed in several ways. These calls can have a real, live person on the other end of the phone line who is trying to scam you, or they can be fully automated where you’re dealing with a robot only. Some types of voice phishing calls are even a hybrid of the two — where you’ll receive a call from an automated system that will then have a real person step in to take over the call.
Thanks to a newer technology known as a deepfake, there’s now a new and alarming voice phishing scam on the rise: artificial intelligence-based vishing. For a recent example of how this technology can be used for vishing, look no further than an unidentified UK-based energy firm that was scammed out of $243,000. A malicious actor used voice generation software to impersonate the voice of an executive at the UK firm’s German parent company and convinced the UK firm’s CEO to transfer the money to a Hungarian supplier, with the promise that the funds would be reimbursed immediately.
Most vishing calls are made using voice over internet protocol (VoIP) technology in conjunction with caller ID “spoofing,” which makes them very hard to trace. Caller ID is nothing more than a number and name that the originating system asserts about itself; in most cases nothing along the call path verifies that the number belongs to whoever is actually placing the call, so a spoofed call looks exactly like a genuine one on the recipient’s screen. Because of this, it’s even more challenging for law enforcement to clamp down on these crimes and catch those who are responsible for committing them.
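To make the spoofing point concrete, here is an added example (it is not from the original article, and it is not the code of any product mentioned here). In SIP, the protocol behind most VoIP calls, the caller ID that the called party sees is carried in the From header, which is plain text filled in by the originating endpoint. The example parses two constructed INVITE requests: one where a softphone authenticated to a PBX as account 1001 presents a bank-like number as its caller ID, and one where it presents its own number. It then applies the check a PBX or session border controller operator can enforce on the outbound leg, namely that the From number is one the authenticated account is allowed to present. The PBX domain, the account, the numbers (drawn from the reserved 555-01xx fictional range) and the `ALLOWED_CALLER_ID` policy are all hypothetical. Note what this check does and does not do: it stops your own PBX from being used to spoof, but it gives the person receiving a call no way to verify the number on their screen, which is exactly why the advice later in this article is to hang up and call back on a number you looked up yourself.

```python
"""Added example: why caller ID proves nothing, and the outbound check a PBX
operator can apply. SIP messages below are constructed for this example."""

import re

# Constructed INVITE as an attacker-controlled softphone would send it after
# authenticating to a hypothetical PBX as account 1001. Every header is chosen
# by the sender; the From header is what the called party's phone displays.
SPOOFED_INVITE = (
    "INVITE sip:+12025550123@pbx.example;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    'From: "Example Bank Fraud Dept" <sip:+18005550199@pbx.example;user=phone>;tag=1928301774\r\n'
    "To: <sip:+12025550123@pbx.example;user=phone>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    'Authorization: Digest username="1001", realm="pbx.example", '
    'nonce="dcd98b7102dd2f0e", uri="sip:+12025550123@pbx.example", '
    'response="6629fae49393a05397450978507c4ef1"\r\n'
    "Contact: <sip:1001@203.0.113.10:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same call, but the account presents the number it actually owns.
LEGIT_INVITE = SPOOFED_INVITE.replace(
    '"Example Bank Fraud Dept" <sip:+18005550199@pbx.example;user=phone>',
    '"Alice (ext 1001)" <sip:+12025550142@pbx.example;user=phone>',
)

# Hypothetical PBX policy: caller-ID numbers each authenticated account may
# present. On a real PBX this comes from the account database.
ALLOWED_CALLER_ID = {
    "1001": {"+12025550142"},
}


def parse_sip(message):
    """Split a SIP request into (request_line, headers).
    Header names are case-insensitive (RFC 3261), so keys are lowercased.
    Only the first value of a repeated header is kept, which suffices here."""
    head, _, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def caller_id(headers):
    """Return (display_name, number) asserted in the From header.
    Both are free text supplied by the originating endpoint; nothing in the
    message itself ties them to who placed the call."""
    from_hdr = headers["from"]
    name_match = re.match(r'\s*"([^"]*)"', from_hdr)
    uri_match = re.search(r"<sip:([^@;>]+)@", from_hdr)
    display_name = name_match.group(1) if name_match else ""
    number = uri_match.group(1) if uri_match else ""
    return display_name, number


def authenticated_account(headers):
    """Username from the Digest Authorization header: who the PBX actually
    authenticated, as opposed to who the From header claims to be."""
    match = re.search(r'username="([^"]+)"', headers.get("authorization", ""))
    return match.group(1) if match else None


def check_outbound_invite(message, policy):
    """Decide whether a PBX should place this call. Returns (decision, reason).
    Accepts only if the From number is one the authenticated account may use."""
    request_line, headers = parse_sip(message)
    if not request_line.startswith("INVITE "):
        return "ignore", "not an INVITE"
    account = authenticated_account(headers)
    if account is None:
        return "reject", "unauthenticated INVITE"
    _name, number = caller_id(headers)
    if number not in policy.get(account, set()):
        return "reject", f"account {account} may not present caller ID {number}"
    return "accept", f"account {account} presenting its own number {number}"


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED_INVITE), ("legitimate", LEGIT_INVITE)):
        _line, hdrs = parse_sip(msg)
        name, number = caller_id(hdrs)
        print(f"{label}: phone would display {name!r} {number}")
        print(f"{label}: PBX decision -> {check_outbound_invite(msg, ALLOWED_CALLER_ID)}")
```

Running the block prints what a phone would display for each call and the PBX decision: the spoofed INVITE shows the bank-like name and number but is rejected because account 1001 is not permitted to present it, while the legitimate INVITE is accepted. The same `caller_id` function is all a recipient's phone effectively has to go on, which is why the displayed number is never evidence of who is calling.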
Vishing by the Numbers
The FBI Internet Crime Complaint Center’s (IC3) 2018 Internet Crime Report indicates that “phishing/vishing/smishing/pharming” accounted for 26,379 victims and $48,241,748 in losses in 2018. Keep in mind, however, that these numbers only represent the victims who reported the crimes. They don’t include those who may not have reported the crimes or who aren’t yet aware that they were scammed in the first place.
There’s no doubt that voice phishing is on the rise. Proofpoint’s 2019 State of the Phish report indicates that nearly half (49%) of surveyed infosec professionals reported experiencing vishing and/or smishing in 2018. Unfortunately, the report also indicates that the overwhelming majority of the global audience doesn’t know what vishing is. Only 18% could accurately identify vishing; another 19% were incorrect in their understanding of it, and a full 63% indicated that they had no idea what vishing entails.
That last figure is particularly troubling considering how many people phishing phone calls affect each year. What makes things worse is that these malicious actors and their tactics become more clever every year.
Breaking Down Voice Phishing: 4 Common Vishing Examples
There are many types of voice phishing that exist. Here, we’ll break down four of the most common vishing scams:
1. Telemarketing Fraud
Telemarketing is something that every person who’s not living under a rock is familiar with. This category encompasses many types of phone spam calls, including the ones informing you that:
- your vehicle warranty is about to expire;
- they’ve been trying to reach you about an interest rate reduction promotion for your credit card;
- a charity needs your help and that you can make a difference with even just a small donation;
- you have an incredible business investment opportunity; or even that
- you’ve won an all-expenses paid stay at one of Marriott’s resorts.
Yeah, you know, those calls.
These types of voice phishing scams are among the most persuasive, and most pervasive, types of fraud. They typically consist of unsolicited phone calls that promise some type of “gimme,” something that the victim is going to get or benefit from in some way. These scams most frequently target seniors and elderly individuals like Carolyn Turner, who lost $40,000 in a telemarketing scheme (more about what happened to Carolyn in the video accompanying this article).
According to the Federal Trade Commission (FTC), the following are a few warning signs you should be aware of that can help you spot telemarketing scams from a mile away:
- “You’ve been specially selected (for this offer).
- You’ll get a free bonus if you buy our product.
- You’ve won one of five valuable prizes.
- You’ve won big money in a foreign lottery.
- This investment is low risk and provides a higher return than you can get anywhere else.
- You have to make up your mind right away.
- You trust me, right?
- You don’t need to check our company with anyone.
- We’ll just put the shipping and handling charges on your credit card.”
If you receive any phone call from someone telling you you’ve won something, that they have a deal for you, or any other line of cow dung that leads to the inevitable question of them asking for your personal or financial information, tell them where to stick it and hang up. When it comes to protecting your personal information, remember this saying: When in doubt, don’t give it out!
2. Government Impersonations
We’re from the government and we’re here to help — at least, that’s what some vishers want you to believe.
Data from the FTC’s Consumer Sentinel Network indicates that impersonating government employees may be the favorite ruse of voice phishing scammers. The FTC reports that “since 2014, the FTC has gotten nearly 1.3 million reports about government imposters. That’s far more than any other type of fraud reported in the same timeframe. This spring, monthly reports of government imposter scams reached the highest levels we have on record.” In May 2019 alone, about 46,600 government imposter scams were reported to the Consumer Sentinel Network.
These identity theft types of scams can come in the form of someone pretending to be from:
- The Internal Revenue Service (IRS) — This vishing scam involves a malicious actor (often from a foreign country) pretending to work at the IRS. They’ll tell you that you owe taxes and, if you don’t pay up immediately, that they’re going to revoke your license, deport you, or throw you in jail. These scams involve trying to get the victim to provide their personal information and/or buy pre-paid gift cards. Rest assured that Uncle Sam doesn’t want your supposedly delinquent taxes paid with Amazon gift cards. If you receive a phone call with this type of demand, hang up immediately. If you’re still concerned, call the IRS directly.
- Medicare — This type of scam often involves someone calling and pretending to work for Medicare. They say that you’re due to get a new Medicare card, but in order for you to receive the new card, they need to first confirm your Medicare number (which, on older Medicare cards, was your Social Security number; the replacement cards use a separate Medicare Beneficiary Identifier precisely so that the SSN no longer has to be shared). Obviously, this is not how Medicare operates, but people still frequently fall for this scam. If you provide your personal information, it can then be used to make bogus medical claims in your name, and the criminal pockets the money.
- The Social Security Administration — This particular scam involves someone calling and pretending to be from the Social Security Administration (SSA). They’ll feed you a line about how the SSA doesn’t have all of your personal information, and that they need you to confirm it for you to receive the benefits you’re entitled to. They’ll often threaten that if you don’t provide the information, then you won’t start to receive your Social Security benefits, or any benefits you already receive will be terminated. As with the other examples we just mentioned, this isn’t how the SSA operates.
3. Tech Support Fraud
Another type of vishing scam involves people pretending to work for a tech support company. The supposed “tech support representatives” often will call and claim to be from a reputable and well-known company — they may even claim to be from Microsoft or Adobe. Frequently, this actor will inform their intended victim that there’s something wrong with their computer and that they need to give them remote access to fix it. This voice phishing tactic often involves pretending to run a diagnostic test on your machine. Their ultimate goal is to get you, as the victim, to pay for a tech support service that you don’t need to fix a problem that doesn’t actually exist. Clever, eh?
But not all tech support fraud phishing phone calls involve the criminal calling you. Sometimes, they will lure you into calling them! The way they do this is by using pop-up messages on your computer screen. These warnings, frequently designed to look like they come from your antivirus software or operating system, inform you that threats have been detected on your machine and direct you to call a specific phone number to speak with a technician immediately.
Another computer-based variation of this vishing scam involves the actor creating a website for a fraudulent tech support company and getting the site to appear in search engine results for tech support. Or, they may even run online ads that advertise their fake company’s phone number.
Either way, these scams, unfortunately, are highly successful and can lead to millions in losses. As the FBI IC3 report we mentioned earlier indicates: “In 2018, the IC3 received 14,408 complaints related to tech support fraud from victims in 48 countries. The losses amounted to nearly $39 million, which represents a 161% increase over losses from 2017.”
This brings us to the fourth and final type of voice phishing scam that we’re going to cover in this article.
4. Bank or Financial Institution Impersonations
Financial vishing scams often involve an actor impersonating your bank, credit card company, or another financial institution to get information from you. They may call saying that there are fraudulent charges on your account, or they may be calling you with a “special offer” — but you have to act now or else you’ll miss out! Either way, as with the other forms of vishing, their goal is to get you to share your personal, financial, or account credential information over the phone.
I received such a call just a few weeks ago while at work. I saw my cell phone light up with an incoming call. Since it was a number I didn’t recognize, I figured it was a spam or voice phishing call and let it go to voicemail. Within a minute, they called back a second time, then a third. This caught my attention, so I answered it. (The last time a similar situation happened, the missed calls were from my home security service provider and, needless to say, I wished I hadn’t missed the call.)
The caller addressed me by my first name and introduced herself, saying that she was from my bank and was calling about my debit card ending with the last four digits ****. She informed me that there was suspicious activity on my account and wanted to verify that the charges were, in fact, mine. Doubtful, I pulled out my purse to look for my debit card (to verify whether the numbers they listed would match my card). While I was doing this, she continued on, saying that if the transactions turned out to be fraudulent, they’d reverse the charges, close my card, and would send a new one in the mail.
The caller then asked if I was traveling in California at this time, to which I responded that I wasn’t. The woman then said that she would need to verify some information before they could continue. But the whole thing was starting to feel very suspicious, and I told her that I’d need to hang up and call the bank directly myself. Of course, she said she understood but disregarded my concern, urgently stating that time was of the essence and that we needed to act quickly to verify the charges and get my account closed, if necessary.
At this point, I’d pulled out my first debit card and asked her to repeat the last four numbers on the card. She did, and it didn’t match my card. I checked the numbers on my other debit card, and the situation was the same — the numbers didn’t match.
Realizing her scam for what it was, I asked her what bank she said she worked for. She said TD Bank. I told her nice try, but I knew what she was up to and wasn’t going to share any account information with her. She muttered something unintelligible and hung up.
To satisfy my curiosity, I decided to look up the phone number she’d called from via Google. Lo and behold, she was spoofing the bank’s real phone number to make her vishing call look legitimate.
Techniques Used in Effective Phishing Phone Calls
I’m not one to congratulate criminal elements, but I did have to tip my hat to this visher. She sounded confident and was both well-spoken and well-rehearsed in the delivery of her spiel. Her accent made her sound like she was from the Midwest region of the U.S. Her voice conveyed a sense of urgency while still sounding compassionate and understanding of the position I was supposedly in as the victim of financial fraud.
All of these are effective traits for a phone phisher. After all, their goal is to get me to trust them enough — or feel panicked enough — to provide my personal information to fix the situation as quickly as possible. Thankfully, I was able to recognize the threat for what it was and didn’t fall victim to the scam. But it’s amazing (and scary) just how quickly the whole situation occurred.
The situation I described above happened in less than a minute. I write about cyber security for a living, and I know better than to engage with scammers. But she caught me in a moment of unawareness while my brain was focused on my work — and that’s what every scammer hopes will happen. They want to catch people like you and me off guard because we make more susceptible targets.
Here are a few things that these malicious actors aim to achieve when targeting you with phishing phone calls:
- Catching you by surprise with an unsolicited call.
- Causing you to react with an emotional response (such as fear or panic) to a fake scenario.
- Creating a sense of urgency so that you ignore the little red flags or warning sounds that are going off inside your head.
- Getting you to trust them, or to feel like the actor has your best interests at heart.
- Making you feel like you’re doing the right thing or making a good decision by cooperating.
What You Can Do to Protect Yourself and Your Business from Voice Phishing Scammers
So, when you’ve got vishers hounding you each day on your cell phone or landline (yes, people still do have those), what can you do to end their reign of terror? (Aside from smashing your phone against the wall.)
There are a few ways to fight back against voice phishing. Data from a Consumer Reports survey shows that 70% of 1,002 surveyed U.S. adults said they no longer answer their phone for calls coming from numbers they don’t know. Furthermore, 62% reported letting most calls go to voicemail, and 47% registered their phone numbers with the National Do Not Call Registry.
But there are other things you and your business can do as well to fight back against vishing:
- Don’t answer your phone when you receive phone calls from unknown numbers.
- Don’t respond to unsolicited sales, marketing, or outreach messages.
- Don’t call phone numbers that are provided in online ads, pop-up windows, emails, etc.
- Register with a paid robocall blocking service.
- Educate yourself, your loved ones, and your employees about potential threats and scams. Teach them to hang up and call the person, department, or company directly using official phone numbers (such as from an official directory).
- Inform your company’s IT department about any potential scam calls or emails.
- File an official complaint with the FTC and local, state, or federal law enforcement agencies.
There’s one key thing you should always do whenever you receive an unsolicited call (especially one claiming to be from your bank or financial institution): Hang up and call back using the phone number from an official website. For banks and financial institutions, use the phone number listed on the back of your debit or credit card. Don’t ever use the contact information that’s provided to you in an email, a text message, or through an unsolicited phone call, and don’t treat the number shown on your caller ID as proof of who is calling, since it can be spoofed.