Vishing is a social engineering attack delivered through phone calls or voicemails that attempts to fool people into revealing sensitive information. The caller usually masquerades as someone from a trusted company or government department. Attempts to elicit the desired information from victims depend on leveraging their implicit trust in authoritative organizations and/or creating a sense of urgency.
Threat actors conducting vishing scams use various methods to access victims’ legitimate phone numbers. One method is to purchase or access phone numbers on the dark web that were exfiltrated from company networks in previous data breach incidents. The added benefit to threat actors of obtaining previously stolen phone numbers is that they often come with useful additional personal information about the victim, such as their name, date of birth, and address.
Sophisticated schemes may combine multiple social engineering methods. For example, a threat actor sends a phishing email or social media message requesting the target’s phone number under any convincing pretext. Armed with the number, a name, and a target who already expects a call, the attacker starts with strong credibility in the target’s mind.
One rather old-school and somewhat crude way to get phone numbers is a technique known as dumpster diving. Cybercriminals show up at a company’s office and sift through paper waste bins outside the premises for documents that display phone numbers. This method preys on organizations with lax document shredding processes in place.
An even cruder way to collect phone numbers for potential vishing attacks is to mass-dial hundreds or thousands of numbers and note which ones answer or ring out. These numbers likely belong to real people, but it’s more challenging to set up a convincing pretext for duping someone when nothing is known about them beyond a phone number.
After assembling a list of legitimate phone numbers belonging to potential victims, the perpetrators of vishing attacks move on to one of several techniques for their campaigns.
Here are some of the common types of scams recipients get fooled by in vishing attacks:
Scammers may impersonate government agencies or officials in the hope of getting people to reveal useful information. One common type of call notifies the victim of overdue income, investment, or customs tax owed to the government. The scammers then convince victims to provide bank card details over the phone to settle the tax bill immediately and avoid further fines or punitive measures. Another government-based scam is to request a victim’s social security number for verification purposes and then use that number for other fraudulent purposes.
A frequently encountered, targeted type of vishing scam alerts individuals to unusual bank account or card activity. This scam might rely on a phone call alone, but it could be preceded by a text message telling the target to dial a specific number to verify their details. Victims might then reveal their card information or their login details for online banking services.
The tech support scam is a popular one in vishing campaigns because of its versatility. These calls can target employees by masquerading as IT helpdesks or they can target consumers by impersonating software vendors or service providers. Login credentials are usually the target of these calls.
Continuing a trend seen since the earliest days of social engineering, many vishing scams purport to offer some kind of golden opportunity, such as a prize won in a competition. While these scams aren’t particularly effective when delivered by email, they are slightly more convincing when a phone call informs you that a family member entered your phone number into a competition to win a cash prize. To collect the prize, victims then reveal their bank card info or other sensitive details.
In February 2022, several customers at retail brokerage company Morgan Stanley Wealth Management became victims of a vishing scam. This attack used voice calls purporting to come from Morgan Stanley. Several clients fell for it and ended up disclosing login credentials to their accounts, where threat actors logged in to make unauthorized money transfers using Zelle.
In 2020, a joint cybersecurity advisory published by the FBI and CISA warned about ongoing vishing scams targeting employee VPN accounts. These campaigns exploited the uncertainty and the sudden shift to remote working forced by the rapidly spreading global COVID-19 outbreak. With a huge increase in people working remotely, threat actors began using VoIP to call targeted employees and tell them about a new VPN link for logging in to the corporate network. The calls directed victims to phishing pages where their credentials were stolen and then used to access the company network.
In 2019, an unnamed energy company fell victim to an interesting and novel type of vishing attack that used AI to spoof a high-ranking executive’s voice during a phone call. This was a type of CEO fraud in which AI voice mimicking duped the victim into transferring a large sum of money to a Hungarian supplier. The victim thought that the person on the phone sounded exactly like his CEO. With AI capabilities only improving over time, this area of deepfake social engineering is worth keeping an eye on.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.