Vishing, short for voice phishing, refers to fraudulent phone calls or voice messages designed to trick victims into providing sensitive information, like login credentials, credit card numbers, or bank details. These details can then be exploited for criminal activities such as fraud, identity theft, or financial theft. Phishing attacks are common and costly: In 2022, phishing was the second most-common cause of data breaches, costing organizations an average of US$4.91 million in breach expenses.
In vishing scams, attackers pretend to be from reputable organizations (such as the victim's bank, the IRS, or a package delivery service) and make unexpected phone calls. They might use toll-free numbers or voice over internet protocol (VoIP) technology to appear to be calling from trusted organizations.
However, these attacks aren't limited to phone calls. Many vishing attacks start with a phishing email urging the recipient to dial a number. Once on the call, scammers use social engineering tactics to convince the target to share their personal details.
Often, vishing scams target the elderly, new employees, and employees who regularly receive external calls as part of their job. Defending against vishing attacks requires vigilance, informed precautionary measures, and robust email security solutions. This page explores the preventative techniques and tools that can safeguard your sensitive information against vishing attacks.
The main purpose of vishing is to illegally acquire private, sensitive information from individuals or businesses. The types of valuable information scammers want can include:
Attackers opt for voice communication due to two unique advantages in manipulating victims: urgency and trust. Voice calls allow scammers to catch individuals off guard, leading them to make impulsive decisions. Through voice calls, scammers can also establish a personal connection to the target, dynamically respond to the victim's behavior, and exploit emotional cues, something not easily achievable through standard phishing emails.
Vishing is increasingly attractive to scammers as advancing technologies make deception easier and more effective. Free or inexpensive tools like VoIP and caller ID spoofing impersonate trusted numbers and obscure the attackers' identities and origins. Scammers are also beginning to use sophisticated software to clone an individual's voice, making fraudulent communications even more convincing. As deepfake technology becomes more accessible, the distinction between real and synthetic voices is blurring, significantly increasing the danger of vishing attacks.
Vishing, phishing, and smishing employ different types of communication, but their objectives are the same: taking control of accounts, committing fraud, or stealing funds from unsuspecting individuals or businesses.
Here is the difference between these three phishing methods:
Not all vishing attacks start with a phone call. Many attackers start their scam with a well-crafted email, posing as an authoritative or trusted entity. They persuade the recipient to comply with their demands by making a phone call. When a vishing attack begins with a phishing email, how does it get through email security filters? There are three possible reasons for this:
Phone numbers, unlike URLs, aren't routinely tracked and shared as indicators of compromise (IOCs) in the cybersecurity community. This lack of structure around phone numbers increases the likelihood of vishing campaigns evading conventional email security checks.
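Treating callback numbers as indicators, the way URLs already are, is one way to narrow this gap. The following is an added example, not code from the original page or from any vendor product: a small Python checker that extracts phone numbers from an email body, normalizes them to digits, compares them against constructed allow and block lists (the lists, lure phrases, weights and sample messages are all assumptions), and scores the pressure wording typical of callback lures.

```python
import re

# Constructed sample data: these lists and numbers are hypothetical, not real indicators.
REPORTED_NUMBERS = {"18005550199"}   # assumed blocklist of callback numbers reported by users
TRUSTED_NUMBERS = {"18005550100"}    # assumed allowlist: the organization's own published lines
LURE_PHRASES = ("call us", "call now", "call immediately", "to cancel", "will be charged",
                "suspicious activity", "warrant", "verify your account")

# Matches NANP-style numbers with optional country code and common separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


def normalize(raw: str) -> str:
    """Reduce a matched number to digits and prepend the country code if absent."""
    digits = re.sub(r"\D", "", raw)
    return digits if digits.startswith("1") and len(digits) == 11 else "1" + digits


def extract_numbers(body: str) -> list[str]:
    """Return the distinct, normalized phone numbers found in an email body."""
    return sorted({normalize(m) for m in PHONE_RE.findall(body)})


def assess(body: str) -> dict:
    """Score an email body for callback-phishing (vishing lure) indicators."""
    text = body.lower()
    numbers = extract_numbers(body)
    findings = []
    for n in numbers:
        if n in REPORTED_NUMBERS:
            findings.append(f"reported callback number: {n}")
        elif n not in TRUSTED_NUMBERS:
            findings.append(f"unknown phone number: {n}")
    hits = [p for p in LURE_PHRASES if p in text]
    findings.extend(f"lure phrase: {p}" for p in hits)
    # Assumed weighting: a reported number is decisive on its own; an unknown number
    # combined with pressure wording is enough to route the message for review.
    score = 10 * sum(f.startswith("reported") for f in findings)
    score += 3 * sum(f.startswith("unknown") for f in findings)
    score += 2 * len(hits)
    verdict = "block" if score >= 10 else "review" if score >= 5 else "allow"
    return {"numbers": numbers, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample messages for demonstration.
SAMPLE_LURE = """Your Prime membership has been renewed for $149.99.
If you did not authorize this charge, call us immediately at 1-800-555-0199 to cancel."""
SAMPLE_LEGIT = "Your statement is ready. Questions? Reach our support line at (800) 555-0100."

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(assess(sample))
```

Because a determined sender can spell a number out in words or split it across lines, a check like this belongs alongside, not instead of, user reporting of callback numbers so the blocklist keeps improving.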
Advances in technology have evolved common vishing scams into incredibly convincing attacks. Capitalizing on human trust and urgency, these scams mimic real businesses and scenarios, resulting in serious consequences for organizations.
Here are a few examples of common vishing attacks:
IRS vishing scams often feature a prerecorded voice message alerting you to a problem with your tax return, urging you to contact the IRS directly through a provided number. These messages are usually spoken in a threatening tone, warning that failure to respond could lead to a warrant for your arrest.
Impersonating the IRS is a common tactic among cybercriminals, both in email and voice scams. The IRS's name creates immediate trust and a sense of panic, compelling victims to act swiftly without questioning the legitimacy of the request.
In tech-support vishing scams, fraudsters act as representatives from tech companies like Apple, Microsoft, and Google, alerting you to suspicious activity on your online account. They often request your email address so they can send "vital" software updates, which turn out to be malware-infected downloads.
Tech-support scams exploit the victim's potential lack of technical knowledge. These scammers employ scare tactics, suggesting severe security threats or technical problems to instill fear and a sense of urgency. They might offer immediate solutions that grant them remote access to the victim's computer. If granted access, attackers can steal personal or corporate data, install malicious software, or cause systemwide damage.
Bank-impersonation scams involve scammers impersonating credit card companies, banks, and other financial institutions to gain unauthorized access to your accounts. Claiming there is unusual or suspicious activity, they ask you to verify your account details and login credentials under the guise of resolving the issue.
If you call your financial institution directly, you may be asked to verify your identity with confidential information. However, legitimate financial institutions will never call you to ask for your passwords or security codes.
Older adults are often targets for cybercriminals as they may be less familiar with modern phishing scam tactics. In these scams, criminals pose as Social Security or Medicare officials to extract sensitive account details, allegedly to issue a new Social Security number or discuss benefits. The older adult demographic tends to favor phone communication over email or text messages, exposing themselves more to vishing schemes than to phishing or smishing attacks.
Inform friends or family members who you think are susceptible to these types of scams that the IRS, Social Security Administration, or Medicare will never call them demanding personal information or issuing threats. Legitimate federal agencies do not contact citizens by phone, email, text, or social media to request personal or financial information.
The prevalence of online shopping has made it challenging for many individuals and businesses to keep track of their purchases, and cybercriminals are capitalizing on this oversight. Scammers, masquerading as Amazon or UPS representatives, notify customers about alleged shipping issues and provide a contact number for queries about these fictitious orders.
When unsuspecting customers dial in, they are greeted by scammers posing as customer service, ready to pry personal details from the callers. As events like Amazon Prime Day surge in popularity and online shopping becomes even more routine, consumers need to be aware of these delivery scams.
Extreme caution is crucial when approached with any investment opportunity offering high returns with little risk, or loans that claim to pay off debt unusually quickly. If the offer sounds too good to be true, it usually is.
Here are some essential tips to protect yourself from these loan and investment scams:
Voice-cloning technology uses artificial intelligence to craft alarmingly realistic fake audio or video clips. Cybercriminals are now using these AI tools to fabricate voice recordings that mimic those of a target's family member or trusted figure. For instance, a CEO's voice can be replicated to request a significant financial transfer. A lower-ranking employee might believe the call is genuine due to the accurate voice imitation and comply due to a sense of urgency and respect for the authoritative request.
As voice-cloning tools become more sophisticated and available, the risk of such scams grows, underscoring the need for strong security protocols and heightened vigilance—even when the caller sounds familiar.
Recognizing the signs of a vishing attempt can be the key to safeguarding your identity and finances. Here are tips on how to spot a vishing scam:
If you've fallen victim to a vishing attack, taking immediate steps can help mitigate potential harm and prevent further exploitation of your information. Here is what you can do:
Vishing and other cybercrimes will continue to exploit the public for as long as scammers can successfully deceive individuals. However, taking the time to identify and counter vishing attempts can help diminish their effectiveness. Keep reading to learn how you can prevent vishing attacks.
To mitigate vishing attacks and reduce their potential impact on your organization, consider these best practices:
MFA is a security tool that protects applications by requiring two or more verification factors to access an account, rather than just a single password. Even if a cybercriminal steals a password in a vishing scam, MFA makes it significantly harder for them to bypass the additional authentication barriers.
Vishing attackers often use email to initiate their schemes. To defend against vishing, phishing, and business email compromise (BEC) attempts, it is crucial to evolve your email security beyond native security filters.
A comprehensive email threat defense solution can significantly lower the risk of vishing scams infiltrating your organization. Consider a solution like Cisco Secure Email Threat Defense that can identify and swiftly remediate phishing attempts before they can cause potentially catastrophic consequences for your organization.
Reduce your risk of vishing attacks by registering with a national Do Not Call list. These lists, often maintained by governmental agencies, can significantly reduce the number of unsolicited calls you receive from legitimate companies. While it won't stop scammers, it can make spotting suspicious calls easier.
Train employees in the following best practices when handling phone calls:
Train employees to be vigilant of these social engineering strategies that may indicate a vishing attempt:
If a caller employs these tactics, politely but firmly end the call. Remember, legitimate companies and authorities do not conduct business this way.
Review the following elements carefully if you received a potential vishing email or text message:
Always exercise caution when a caller requests personal or corporate details such as account numbers, PINs, passwords, or any other confidential data. If you feel uneasy or sense something amiss, trust your instincts; terminate the call, and consult directly with the institution in question through verified communication channels.
Always prioritize data security by asking the caller to verify their identity. Legitimate representatives from reputable organizations will willingly provide details about their position, the purpose of the call, and the institution they represent. For added assurance, note down their name and then reconnect using a phone number sourced directly from the organization's official website or your own records, bypassing any number they might suggest. This step is vital to ensuring you're interacting with a legitimate representative and not falling prey to vishing schemes.
Allocating time and resources to regularly educate your employees on current vishing defense strategies is crucial. These training programs should educate on the latest trends in cyberthreats, defensive strategies, and how to respond effectively if targeted, ensuring that your team is an active defender of your organization's sensitive data and finances.