Vishing is a social engineering attack delivered through phone calls or voicemails that attempts to fool people into revealing sensitive information. The caller usually masquerades as someone from a trusted company or government department. Attempts to elicit the desired information from victims depend on leveraging their implicit trust in authoritative organizations and/or creating a sense of urgency.
Threat actors conducting vishing scams use various methods to access victims’ legitimate phone numbers. One method is to purchase or access phone numbers on the dark web that were exfiltrated from company networks in previous data breach incidents. The added benefit to threat actors of obtaining previously stolen phone numbers is that they often come with useful additional personal information about the victim, such as their name, date of birth, and address.
Sophisticated schemes may combine multiple social engineering methods. For example, a threat actor sends a phishing email or social media message requesting the target’s phone number using any kind of convincing pretext. Armed with this number, a name, and an expectation to receive a call, there is already strong credibility in the target’s mind.
One rather old-school and somewhat crude way to get phone numbers is a technique known as dumpster diving. Cybercriminals show up at a company’s office and sift through paper waste bins outside the premises for documents that display phone numbers. This method preys on organizations with lax document shredding processes in place.
An even cruder way to access phone numbers for potential vishing attacks is by mass-dialing hundreds or thousands of numbers and noting which ones answer or ring out. All these numbers likely belong to real people, but it’s more challenging to set up a convincing pretext for duping people without knowing any further information about them beyond a phone number.
Vishing Attack Techniques
After getting a list of legitimate phone numbers belonging to potential victims, the perpetrators of vishing attacks then move on to use one of several techniques for their vishing campaigns.
- Robocalls—robocalls use software to deliver pre-recorded, automated messages over the phone. These scam phone calls are so common that Americans received 50 billion of them in 2021 alone. For vishing scams where the attackers obtain phone numbers without any additional info on the target, robocalls offer a low-hanging fruit technique to con unaware people into taking desired actions.
- Spoofed Caller ID—using spoofed caller ID software enhances the credibility of a vishing scam by faking legitimate phone numbers. The victim may well see a name or number on an incoming call that looks familiar, causing them to cast aside potential doubts about calls from unknown numbers.
- VoIP—To create fake phone numbers, VoIP offers an easy outlet. There is usually a degree of refinement to VoIP vishing scams; threat actors will either create a number that seems to come from the target’s locality or one that appears to come from an authoritative source.
Types of Vishing Scams
Here are some of the common types of scams recipients get fooled by in vishing attacks:
Scammers may impersonate government agencies or officials in the hopes of getting people to reveal useful information. One common type of phone call is to get notified about overdue income, investment, or customs tax owed to the government. Hackers then convince victims to provide bank card details over the phone to settle the tax bill immediately and avoid further fines or punitive measures. Another government-based scam is to request a victim’s social security number for verification purposes and then use this number to benefit in other ways.
Unusual Bank Account Activity
A targeted type of vishing scam often encountered is to alert individuals about unusual bank account or card activity. This type of scam might only use a phone call, but it could be preceded by a text message telling the target to dial a specific number to verify their details. Victims might reveal their card information or login details for online banking services.
The tech support scam is a popular one in vishing campaigns because of its versatility. These calls can target employees by masquerading as IT helpdesks or they can target consumers by impersonating software vendors or service providers. Login credentials are usually the target of these calls.
False Prize Wins
Continuing a trend seen since the earliest days of social engineering, many vishing scams purport to offer some kind of golden opportunity, such as a prize won in a competition. While these scams aren’t particularly effective when delivered by email, it’s slightly more convincing when a phone call informs you that a family member entered your phone number into a competition to win a cash prize. To collect the prize, victims then reveal their bank card info or other sensitive details.
Real-World Vishing Examples
Morgan Stanley Wealth Management
In February 2022, several customers at retail brokerage company Morgan Stanley Wealth Management became victims of a vishing scam. This attack used voice calls purporting to come from Morgan Stanley. Several clients fell for it and ended up disclosing login credentials to their accounts, where threat actors logged in to make unauthorized money transfers using Zelle.
Remote Work VPN Compromises
In 2020, a joint cybersecurity advisory published by the FBI and CISA warned about ongoing vishing scams targeting employee VPN accounts. These campaigns exploited the uncertainty and rapid shift to remote working enforced by the rapidly spreading global COVID-19 outbreak. With a huge increase in people working remotely, threat actors began using VoIP to call targeted employees and advised them about a new VPN link to log in to the corporate network. Calls directed victims to fake phishing links where their credentials were stolen and used to access the company network.
UK Energy Firm Supplier Scam
In 2019, an unnamed energy company fell victim to an interesting and novel type of vishing attack that incorporated the use of AI to spoof a high-ranking executive’s voice during a phone call. This was a type of CEO fraud that used AI voice mimicking to dupe the victim into transferring a large sum of money to a Hungarian supplier. The victim thought that the person on the phone sounded exactly like his CEO. With AI capabilities only improving over time, this area of deep fake social engineering is worth keeping an eye on.
Mitigating Vishing Attacks
- Incorporate vishing simulations and modules into employee security training and awareness programs.
- Since vishing attacks often combine other use other social engineering methods like phishing emails in the attack chain, have dedicated email security in place that identifies suspicious links or malware with high levels of accuracy.
- Consider strengthening your company’s VPN policy to only enable logins from registered and managed devices.
- From an individual perspective, try to be suspicious of unsolicited phone calls and don’t disclose any information unless certain of the caller’s identity even if this means hanging up the phone to double-check and then re-dialing.