In today’s age of 24/7 connectivity (and threats), it’s tempting to think that “old-fashioned” ways of communicating like phone calls are safer. Unfortunately, that isn’t the case. In increasing numbers, attackers are exploiting phone calls as well in so-called vishing attacks against users. In fact, I’ve been on the receiving end of a vishing call myself: someone pretending to be a bank agent called me, said my accounts could be frozen due to malicious activity, and gave me a number to call. I didn’t fall for it, but less wary users could.
What is vishing?
Vishing is the telephone version of phishing; the term combines “voice” and “phishing”. The victim can be called directly by an attacker, or can receive an invitation (by e-mail or voicemail) to call a fake customer support telephone number to fix a problem. Once victims are on the phone, an automated service may ask them to enter their account numbers, personal identification numbers (PINs), or passwords using the telephone keypad, or the attacker may ask the victims to confirm some personal information.
From the point of view of attackers, vishing is essentially a three-step process. The first step is to “select” their targets. Attackers create scripts that automatically dial multiple people and, like any mass phishing attack, cast a wide net that ultimately catches a few unsuspecting customers of the bank they have spoofed. The attackers can download software that lets them display whatever phone number they want as the caller ID (and thus pretend to be calling from the spoofed bank).
In the second step, the attackers ask the “selected” targets for personal identification numbers, credit card numbers, and other pertinent account information. In the last step, the attackers use the obtained information to steal money from the victim.
Why do cybercriminals use vishing over other, more technologically sophisticated schemes?
Vishing exploits the weakest link in the security chain: the user. It’s very easy for the attacker to sound reputable and trustworthy, leading users to believe them and hand over valuable information.
There are other advantages for the attacker as well. These attacks are carried out using Voice over IP (VoIP) providers, making features like Caller ID spoofing, automated attendants, and anonymity much more readily available. In addition, VoIP makes it very hard for law enforcement to monitor or trace these illegal activities.
I’ve become a vishing victim. Help!
If you are a victim of vishing, write down what happened and how you first noticed the fraud. Keep all paperwork that you think may be helpful in the investigation. Then, follow the steps below:
- Contact your local police and file a police report.
- Contact the financial institutions, credit card companies, phone companies, and any accounts you suspect may have been opened or tampered with.
Take down written notes while you follow the above steps, to ensure there’s no dispute about what was said or heard.
The number one tip to avoid being a phishing/vishing victim is to remember this: a legitimate company would never ask you to provide your PIN or password over the phone or online. If you receive such a call, hang up and inform your bank right away.