Voice phishing: protect yourself from vishing
Phishing remains one of the main vectors for cyberattacks today, but a variant is rapidly gaining ground: vishing.
Also known as voice phishing or telephone phishing, vishing involves manipulating a victim over the phone in order to extract sensitive information from them.
Although the use of telephones for fraudulent purposes is nothing new, in recent years we have seen a refinement of methods leading to a real change in scale.
This phenomenon can be explained by technological advances and the proliferation of personal information available online. Cybercriminals exploit this data to personalize their attacks, making their approach increasingly convincing and therefore dangerous.
The success of voice phishing lies in its simplicity and formidable effectiveness. By playing on trust, urgency, or fear, attackers psychologically manipulate their targets to obtain confidential information, such as usernames, passwords, or banking details.
Understanding the mechanisms behind this growing threat is therefore essential in order to protect yourself and avoid becoming the next victim.
Voice phishing: definition and context
What is vishing?
The term "vishing" is a combination of the words "voice" and "phishing." Vishing is therefore the voice equivalent of phishing, which relies on electronic messages. This is why it is sometimes referred to as telephone phishing.
But what exactly is voice phishing? The goal remains the same: to steal personal data, financial information, or sensitive access to computer systems.
To achieve this, hackers rely on social engineering techniques. This method involves psychologically manipulating the victim by exploiting emotions such as fear, respect for authority, urgency, empathy, and trust.
In general, the success of vishing depends on the attacker's ability to inspire trust. To do this, the fraudster collects information about their target in order to make their story credible and avoid arousing suspicion.
Phishers often present themselves as professionals or representatives of administrative authorities, which reinforces the apparent legitimacy of their fraudulent activities.
In fact, the most common voice phishing attacks are fake technical support and fake bank advisor scams.
Why is voice phishing growing so rapidly?
Cybersecurity experts have noticed a sharp increase in voice phishing attacks over the past several years.
However, statistics on vishing are difficult to distinguish from other social engineering attacks and are often grouped together with phishing attacks. This is especially true since vishing attacks are often hybrid and use a phishing email as their entry point.
The COVID-19 pandemic has likely played a significant role in the development and proliferation of voice phishing. With the widespread adoption of remote working, many businesses and individuals have had to adapt quickly, often without putting adequate security measures in place.
Cybercriminals have exploited this transition, taking advantage of vulnerabilities related to employee isolation and the decentralization of security systems.
Changing communication habits and technological advances are also contributing to the growth of voice phishing. Fraudsters now have much easier access to sophisticated tools. These tools are becoming more powerful, easier to use, and less expensive.
In addition, the proliferation of personal information available online, often resulting from data leaks or exposure on social media, allows cybercriminals to personalize their attacks to appear more credible.
Above all, voice phishing attacks are becoming more prevalent because they are highly effective. They certainly require more effort on the part of the attackers, who must develop credible scenarios and gather information about their victims, but the payoff makes it worth the effort.
In fact, the U.S. Federal Trade Commission has found that voice phishing attacks cause nearly three times more financial loss to victims than phishing attacks.
The typical sequence of a vishing attack
Vishing encompasses a wide range of methods and means. However, a typical attack unfolds in four stages.
1. Identifying the target: Scammers collect information about their targets via social media, online business or association directories, or data leaks.
2. Initial contact: The call may be automated or made by a hacker in person. In some cases, scammers first send a phishing email asking the victim to call a number.
3. Emotional manipulation: The caller often invokes an emergency (unpaid bills, security issues, software updates) or pretends to be a trusted entity (bank, government agency, IT service provider) in order to obtain the desired data.
4. Use of information: The data obtained is used for immediate or subsequent scams, financial transfers, or more complex attacks.
Who can fall victim to vishing?
Individuals, the traditional target of voice phishing
Individuals are prime targets for voice phishing. They are often unaware of the risks and, by definition, have direct access to their personal data, particularly banking information.
In fact, according to the 2023 annual activity report from Cybermalveillance.gouv.fr, fake technical support attacks account for nearly 10% of reports from individuals.
Scams involving fake bank advisors increased by 78% between 2022 and 2023, after being classified in 2022 as one of the "new forms of cybermalicious activity."
However, vishing is not limited to the private sphere, and the professional world is now just as much a target, even if few organizations are sufficiently aware of this.
The professional world: a new El Dorado for vishing
Professionals, especially those in positions with access to financial or strategic data within organizations, are particularly vulnerable.
Government agencies, local authorities, and other public bodies are also attractive targets because of the critical information they hold and the funds they manage, sometimes with less stringent security procedures.
Attackers frequently pose as suppliers, requesting changes to payment details for invoices, or as executives or company managers in order to authorize fraudulent bank transfers under the guise of urgency.
IT services are also being impersonated, with fraudsters seeking to obtain passwords or sensitive access information to penetrate company systems and subsequently carry out targeted attacks.
How can you recognize a vishing attempt?
No one can claim to be immune to voice phishing. Attacks today are so precise and conducted with such professionalism that anyone can potentially become a victim.
To avoid falling into the trap, there are a few warning signs that should make you react during a call.
1. Hidden, external, or unknown number
The call often comes from a hidden number, an unknown number, a number outside the company, or a spoofed number that resembles that of a legitimate company. It is important to remain skeptical when answering the phone.
2. Feeling of urgency, pressure, fear, etc.
The fraudster uses social engineering techniques to get you to react quickly and prevent you from thinking (for example, they will claim there is a technical problem that needs to be resolved as soon as possible).
3. Request for sensitive or unusual information
The attacker asks for confidential information, such as your passwords, PIN codes, or credit card number, under the pretext of verification. Keep in mind that this information should never be disclosed (and therefore requested) over the phone.
4. Building trust with the other party
To gain your trust, the attacker may use personal information they have found on social media, company organizational charts, or as a result of data leaks. Remain guarded with the person you are talking to and do not treat the fact that they know these details as proof of who they are.
What should you do if you encounter a voice phishing attempt?
Do the warning signs you notice during a conversation lead you to believe that you are dealing with a vishing attempt? End the conversation immediately and notify your colleagues and security department of the attempt. If in doubt, continue the conversation with caution and keep these basic principles in mind:
1. Verify the identity of the person you are speaking with
Find out who is calling you by asking questions. If it is someone who really knows you, they will be able to answer specific questions, unlike an impostor.
If in doubt, you can also offer to call the person back on a reliable and known number, preferably from another phone.
2. Stay calm and think
Fraudsters often rely on panic or haste. Take the time to think before responding or acting. Your instincts and emotions are your allies when it comes to vishing. If you feel that something is suspicious, take a step back to verify your impression.
3. Avoid sharing information spontaneously
If in doubt, speak as little as possible and let the other person reveal themselves. Never share your personal information, even if the other person seems to know a lot about you and even if they insist on the urgency of the action to be taken.
4. Refuse to perform any action that seems suspicious to you
If in doubt, refuse to perform suspicious actions such as clicking on a link, entering your username or password, changing a setting on your computer, etc. Again, take a step back and think before you act.
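The first warning sign above (hidden, unknown, or lookalike caller number) and the first basic principle (verify identity, call back on a known number) can both be turned into a simple triage step at the switchboard or helpdesk. The script below is an added example and is not code from the original article or from Beforebyclicking: it normalizes a raw caller-ID string, checks it against a constructed directory of numbers the organization has verified through a trusted channel, flags numbers that are only a digit or two away from a trusted one (the classic spoofing pattern), and returns the known-good number to call back on. The directory entries, the default country code, and the two-digit lookalike threshold are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory of numbers the organisation has verified through a
# trusted channel (hypothetical values for this example).
TRUSTED_NUMBERS = {
    "+33155001234": "IT helpdesk (internal)",
    "+33140009876": "Bank branch advisor line",
}

# Caller-ID strings telephony systems commonly emit for a withheld number.
WITHHELD_MARKERS = {"", "anonymous", "private", "withheld", "unknown", "restricted"}

LOOKALIKE_MAX_DISTANCE = 2  # digits of difference still treated as a possible spoof (assumption)


def normalize(caller_id: Optional[str], default_country: str = "+33") -> Optional[str]:
    """Reduce a raw caller-ID string to '+<country><number>' digits.

    Returns None when the number is hidden or unparseable, so the caller treats
    it as a hidden number rather than as a clean but unknown one.
    """
    if caller_id is None:
        return None
    s = re.sub(r"[\s().\-]", "", caller_id)
    if s.lower() in WITHHELD_MARKERS:
        return None
    if s.startswith("00"):          # international dialling prefix
        s = "+" + s[2:]
    elif s.startswith("0"):         # national trunk prefix, assumed default country
        s = default_country + s[1:]
    if not re.fullmatch(r"\+\d{8,15}", s):
        return None
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot numbers that are one or two digits off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    level: str                 # "hidden" | "unknown" | "lookalike" | "directory_match"
    reason: str
    callback: Optional[str]    # known-good number to ring back on, if any


def triage(caller_id: Optional[str]) -> Verdict:
    """Classify an incoming caller ID against the trusted directory.

    Caller ID can be spoofed exactly, so even a directory match is only
    confirmed by hanging up and ringing the known number yourself; the verdict
    therefore always carries the number to call back on when one exists.
    """
    number = normalize(caller_id)
    if number is None:
        return Verdict("hidden", "caller ID withheld or unparseable", None)
    if number in TRUSTED_NUMBERS:
        return Verdict("directory_match",
                       f"matches '{TRUSTED_NUMBERS[number]}'; confirm by calling it back",
                       number)
    # Nearest directory entry; a one- or two-digit difference is the usual spoof pattern.
    nearest = min(TRUSTED_NUMBERS, key=lambda known: edit_distance(number, known))
    distance = edit_distance(number, nearest)
    if distance <= LOOKALIKE_MAX_DISTANCE:
        return Verdict("lookalike",
                       f"differs from '{TRUSTED_NUMBERS[nearest]}' ({nearest}) by {distance} digit(s)",
                       nearest)
    return Verdict("unknown", "not in the trusted directory", None)


if __name__ == "__main__":
    # Constructed sample of caller IDs as a phone system might log them.
    for raw in ["Anonymous", "01 55 00 12 34", "+33 1 55 00 12 43", "+44 20 7946 0000"]:
        v = triage(raw)
        tail = f" | call back {v.callback}" if v.callback else ""
        print(f"{raw!r:22} -> {v.level:15} {v.reason}{tail}")
```

The point of the `callback` field is that the tool never tells the operator to trust the caller: a directory match and a lookalike both resolve to the same action the article recommends, ending the call and dialling the known number from a directory you control, preferably from another phone.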
Conclusion: how can you protect yourself from voice phishing?
As we have seen, vishing is a relatively simple type of attack to carry out, but it is very effective and is growing at an alarming rate.
As with any social engineering attack, the best defense is to be aware of the dangers of vishing. Taking a step back, being skeptical, and exercising caution can help you thwart a voice phishing attempt.
Keep in mind that the success of this attack relies heavily on the information gathered by the attacker, which will enable them to legitimize their approach and gain your trust.
Therefore, avoid publishing your personal or professional information on social media and the Internet (newsletters, loyalty accounts, etc.) as much as possible, and limit the information you share to what is strictly necessary (for example, subscribing to a newsletter should not require you to provide your phone number or postal address).
By following this advice, you dry up the source of information that a malicious individual could potentially collect about you and effectively reduce your exposure to social engineering techniques.
Finally, the best way to determine your organization's level of risk when it comes to vishing is to conduct a simulation to test your employees' reflexes in real-life conditions. You will then be able to adjust your procedures based on the recommendations provided at the end of the vishing simulation.
Find out if your organization is ready to deal with a vishing attack with Beforebyclicking.