Insights | July 19, 2022

Vishing Attacks Explained

This post was initially published by IRONSCALES.

Vishing is a social engineering attack delivered through phone calls or voicemails that attempts to fool people into revealing sensitive information. The caller usually masquerades as someone from a trusted company or government department. Attempts to elicit the desired information from victims depend on leveraging their implicit trust in authoritative organizations and/or creating a sense of urgency.

Threat actors conducting vishing scams use various methods to access victims’ legitimate phone numbers. One method is to purchase or access phone numbers on the dark web that were exfiltrated from company networks in previous data breach incidents. The added benefit to threat actors of obtaining previously stolen phone numbers is that they often come with useful additional personal information about the victim, such as their name, date of birth, and address.

Sophisticated schemes may combine multiple social engineering methods. For example, a threat actor sends a phishing email or social media message requesting the target’s phone number using any kind of convincing pretext. Armed with this number, a name, and an expectation to receive a call, there is already strong credibility in the target’s mind.

One rather old-school and somewhat crude way to get phone numbers is a technique known as dumpster diving. Cybercriminals show up at a company’s office and sift through paper waste bins outside the premises for documents that display phone numbers. This method preys on organizations with lax document shredding processes in place.

An even cruder way to access phone numbers for potential vishing attacks is by mass-dialing hundreds or thousands of numbers and noting which ones answer or ring out. All these numbers likely belong to real people, but it’s more challenging to set up a convincing pretext for duping people without knowing any further information about them beyond a phone number.

Vishing Attack Techniques

After getting a list of legitimate phone numbers belonging to potential victims, the perpetrators of vishing attacks then move on to use one of several techniques for their vishing campaigns.

Robocalls—robocalls use software to deliver pre-recorded, automated messages over the phone. These scam phone calls are so common that Americans received 50 billion of them in 2021 alone. For vishing scams where the attackers obtain phone numbers without any additional info on the target, robocalls offer a low-hanging fruit technique to con unaware people into taking desired actions.
Spoofed Caller ID—using spoofed caller ID software enhances the credibility of a vishing scam by faking legitimate phone numbers. The victim may well see a name or number on an incoming call that looks familiar, causing them to cast aside potential doubts about calls from unknown numbers.
VoIP—To create fake phone numbers, VoIP offers an easy outlet. There is usually a degree of refinement to VoIP vishing scams; threat actors will either create a number that seems to come from the target’s locality or one that appears to come from an authoritative source.

Types of Vishing Scams

Here are some of the common types of scams recipients get fooled by in vishing attacks:

Government Messages

Scammers may impersonate government agencies or officials in the hopes of getting people to reveal useful information. One common type of phone call is to get notified about overdue income, investment, or customs tax owed to the government. Hackers then convince victims to provide bank card details over the phone to settle the tax bill immediately and avoid further fines or punitive measures. Another government-based scam is to request a victim’s social security number for verification purposes and then use this number to benefit in other ways.

Unusual Bank Account Activity

A targeted type of vishing scam often encountered is to alert individuals about unusual bank account or card activity. This type of scam might only use a phone call, but it could be preceded by a text message telling the target to dial a specific number to verify their details. Victims might reveal their card information or login details for online banking services.

Tech Support

The tech support scam is a popular one in vishing campaigns because of its versatility. These calls can target employees by masquerading as IT helpdesks or they can target consumers by impersonating software vendors or service providers. Login credentials are usually the target of these calls.

False Prize Wins

Continuing a trend seen since the earliest days of social engineering, many vishing scams purport to offer some kind of golden opportunity, such as a prize won in a competition. While these scams aren’t particularly effective when delivered by email, it’s slightly more convincing when a phone call informs you that a family member entered your phone number into a competition to win a cash prize. To collect the prize, victims then reveal their bank card info or other sensitive details.

Real-World Vishing Examples

Morgan Stanley Wealth Management

In February 2022, several customers at retail brokerage company Morgan Stanley Wealth Management became victims of a vishing scam. This attack used voice calls purporting to come from Morgan Stanley. Several clients fell for it and ended up disclosing login credentials to their accounts, where threat actors logged in to make unauthorized money transfers using Zelle.

Remote Work VPN Compromises

In 2020, a joint cybersecurity advisory published by the FBI and CISA warned about ongoing vishing scams targeting employee VPN accounts. These campaigns exploited the uncertainty and rapid shift to remote working enforced by the rapidly spreading global COVID-19 outbreak. With a huge increase in people working remotely, threat actors began using VoIP to call targeted employees and advised them about a new VPN link to log in to the corporate network. Calls directed victims to fake phishing links where their credentials were stolen and used to access the company network.

UK Energy Firm Supplier Scam

In 2019, an unnamed energy company fell victim to an interesting and novel type of vishing attack that incorporated the use of AI to spoof a high-ranking executive’s voice during a phone call. This was a type of CEO fraud that used AI voice mimicking to dupe the victim into transferring a large sum of money to a Hungarian supplier. The victim thought that the person on the phone sounded exactly like his CEO. With AI capabilities only improving over time, this area of deep fake social engineering is worth keeping an eye on.

Mitigating Vishing Attacks

Incorporate vishing simulations and modules into employee security training and awareness programs.
Since vishing attacks often combine other use other social engineering methods like phishing emails in the attack chain, have dedicated email security in place that identifies suspicious links or malware with high levels of accuracy.
Consider strengthening your company’s VPN policy to only enable logins from registered and managed devices.
From an individual perspective, try to be suspicious of unsolicited phone calls and don’t disclose any information unless certain of the caller’s identity even if this means hanging up the phone to double-check and then re-dialing.

Insights

Insights | November 1, 2023

The Art of B2B Selling

Insights | September 18, 2023

Curves, Caps and Swaps: Strategies to thrive in a rising interest rate market

Insights | August 15, 2023

K1 Portfolio Companies Named to the 2023 Inc. 5000

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
Cookie Law Info - Analytics	11 months	The cookie is used to store the user consent for the cookies in the category "Analytics".
Cookie Law Info - Check Advertisement	session	This cookie is used to record the user consent for the cookies in the "Advertisement" category .
Cookie Law Info - Necessary	11 months	The cookie is used to store the user consent for the cookies in the category "Necessary".
Cookie Law Info Consent	session	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
Viewed Cookie Policy	11 months	The cookie is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
Google Analytics Tracking	1 year	This cookie is set by Google Analytics.