Vishing explained: How voice phishing attacks scam victims

What is vishing?  

Vishing is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements: they involve automated voice simulation technology, for instance, or the scammer may use personal information about the victim harvested from earlier cyberattacks to put them at ease.

No matter what technology is used, the setup for the attack follows a familiar social engineering script: An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we’re more likely to trust a human voice — and may target the elderly and technophobic who are naive and have no experience with these types of scams.

Vishing statistics

These notable numbers offer a sense of the state of vishing and why it can be a lucrative business for attackers. 

• Vishing attacks have been on the rise over the past few years. In 2018, scam calls represented nearly 30% of all incoming mobile calls.
• So it shouldn’t come as a surprise that this weird term is starting to be more widely recognized. Proofpoint’s 2020 State of the Phish report found that 25% of workers in their worldwide survey could correctly define the term.
• 75% of scam victims report that vishers already had some personal information about them, which they used to target them and get yet more information.
• Of people who report government imposter vishing scams to the FTC, only 6% had actually lost money — but those who did lost quite a bit, with the median loss being $960.

Vishing vs. phishing vs. smishing: What’s the difference?

Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced just like it’s spelled, which is to say like the word “fish” — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Vishing is, essentially, phishing via phone calls. Just as phishing is considered a subset of spam, so vishing is an outgrowth of VoIP spam, also known as spam over telephony, or SPIT. The term “vishing” itself has been around since the late ’00s.

“Smishing” is a similar type of attack that uses text messages instead of emails or voice calls; the word is a portmanteau of “SMS” and “phishing.” For more on smishing, check out our explainer on the subject.

Vishing techniques

Almost all vishing attacks have a few things in common. The phone calls are initially placed via voice over IP (VoIP) services, which makes them easier for the vishers to automate some or all of the process and more difficult for victims or law enforcement to trace. And the attackers’ ultimate goal is to profit from you in some way — either by harvesting bank account information or other personal details they can use to access your bank accounts, or by tricking you into paying them directly.

But within the universe of vishing scams, there are a wide range of techniques and strategies. They run the gamut from largely automated “shotgun” attacks targeting many potential victims in hopes of a few bites to laser-focused scams that take aim at a specific high-value target.

Perhaps the most widespread form of vishing begins with so-called “wardialing” — that is, hundreds or thousands of automated calls to hundreds or thousands of numbers. The potential victim (or their voicemail) will get a recording meant to scare or trick them into initiating a phone call themselves back to the scammers. Often the vishers will claim to be from the IRS or some other government agency, or from a bank or credit union. The wardialing my focus on a specific area code and use a local institution’s name in hope of finding actual customers.

A variation on this technique involves using popup windows on your computer, often planted by malware, to simulate a warning from your OS about some technical problem. The victim is told they need to call “Microsoft Support” or something similar and given a phone number. This puts them on the line with the visher, who may end up using a combination of real and automated voice responses during your conversation — again, the goal here is to get the most return out of little effort.

Spear vishing

In those sorts of shotgun attacks, the vishers generally know next to nothing about you and will need to bluff their way into getting you to think they who they say they are; because of this, they can be relatively easily spotted. Much more troubling, however, are vishers who are reaching out to you specifically. This technique is known as “spear vishing”; like spear phishing, it requires the attackers to already have some data about their target. For instance, a spear visher may already know your home address and who you bank with before calling you, making it easier for them to trick you into telling them your PIN.

But how do they already know so much about you? “Much of this data comes from the dark web, which often originates from data breaches,” says Paige Schaffer, CEO of Global Identity and Cyber Protection services for Generali Global Assistance (GGA). So when you read about big data breaches, know that they can help make vishing a lot easier. It may seem strange that an attacker who already has your personal information is eager get more, but as Schaffer points out, “the more information a scammer has, the more damage they can do. Why be satisfied with the last four SSN digits when they can potentially get you to hand over the other five? A full SSN allows for them to open fraudulent credit cards, loans, and more.”

If this all sounds like a lot more work than wardialing someone and telling them you’re from the IRS, you’re right. But most people — especially high-value targets, who are often more educated and cybersavvy — will see right through those simpler scams. If the reward is great enough, it may be worth the time to build up a convincing identity to shake information loose from the victim. “A hacker might have patiently worked on acquiring information over time from the victim via phishing emails, or capturing it through malware,” says Schaffer. “When spear vishers go after bigger ‘fish’ (so to speak) like CEOs, we call that ‘whaling.'” And as voice simulation techniques improve, whalers have even more tools in their arsenal, with the capability of imitating specific people to try to trick their victims.

Vishing examples

So far, we’ve been kind of vague about the specific cons vishers will pull in order to get your money or personal information. HashedOut breaks these down into four broad categories:

Telemarketing fraud. These types of scams honestly predate the vishing era but have adopted many of their techniques. The visher will cold-call you without really any background knowledge on who you are and make an offer that’s too good to be true: you’ve won some lottery you never entered, you’ve been offered a free Marriott vacation, you can reduce the interest on your credit card, etc. Usually there’s an upfront cost to getting your “free” money, and of course the bait you were promised never arrives.

Government impersonations. A common scam involves insinuating that a problem is blocking benefits the victim should be receiving, such as Medicare or Social Security payments; offering to “fix” the issue opens to door to coaxing the victim into handing over personal information, like Social Security or bank account numbers. A more aggressive version of this comes from fake IRS “investigators,” who often claim the victims owe back taxes and threaten them with fines or jail. This video shows a police officer interacting with one of these scammers.

It’s not unusual for these types of scammers to demand to be paid by the victim buying Amazon gift cards and then reading them the numbers off the back, since the card purchases can’t be traced. This is a good tip-off that you’re are not dealing with a government agency!

Tech support fraud. We discussed this a bit above — scammers can take advantage of the technologically naive and their worries about being hacked, using popup ads or malware masquerading as a warning from the operating system to trick victims into calling the vishers. Kapersky warns of a variant on this scam that’s basically a type of ransomware: malware locks up a PC but provides a “tech support” number, where a kind “technician” — really part of the gang that installed the malware in the first place — will fix your computer, for a price, leaving you thinking that they’ve actually helped you.

Vishing attacks on bank accounts. Getting access to your bank information is, of course, the holy grail of a visher. And if an attacker already has access to some of your personal data from another source as we discussed earlier, they can easily emulate the sort of legitimate calls that one would expect to get from their financial institution, in a way that can fool even the most savvy amongst us. Panic Inc. founder Caleb Sasser told Krebs on Security a harrowing tale of a near-successful vishing attack. The attacker managed to successfully spoof their phone number to match Wells Fargo’s, Sasser’s bank, and claimed to be following up on some potentially fraudulent charges. Since the “bank” was offering to send a new ATM card, Sasser almost went so far as to enter a new PIN into his phone before pulling back at the last minute; had he done so, the vishers would’ve been able to clone his card and use it freely.

These types of scammers are most likely to go whaling, looking for very high value targets to help them get rich quick. One variant has become known as the “Friday afternoon scam,” in which the vishers call an investment firm or other wealthy target at the very end of the work week, counting on the person answering the phone being tired and distracted and letting their guard down.

How to prevent vishing 

If you’re looking to identify and avoid vishing, hopefully the material we’ve covered so far will help you know what to look for. The FTC has a good summary of key points everyone should know:

• Be suspicious of a call claiming to be from a government agency asking for money or information. Government agencies never call you out of the blue demanding — or offering — money. When in doubt, hang up, independently seek out the real number for the agency, and call them to find out if they’re trying to reach you.
• Never pay for anything with a gift card or a wire transfer. That’s a strong sign of a scam.
• Don’t trust caller ID. It’s very easy to fake.

Kapersky has another good rule of thumb: one thing that every vishing scam has in common is an attempt to create a false sense of urgency, making you think you’re in trouble or about to miss an opportunity and need to act right now. It never hurts to take a moment to pause, write down information about the caller without offering any of your own, and then call back after doing research.

If you want to take proactive steps to protect your organization, you might want to include vishing as part of a security awareness training. Several vendors offer simulated vishing platforms that can help you discover vulnerabilities in staff attitudes and demonstrate the nature of the threat to your employees.