The term “vishing” is composed of the words “voice” and “phishing”, which is why this modern scamming method is also frequently called voice phishing. When vishing, attackers exploit IP technology to carry out a number of inexpensive or free scam calls and, in doing so, steal data, passwords, or bank information from unsuspecting victims.

Read on to find out all about “visher” strategies and how you can protect yourself against fraudulent VoIP calls.

How vishing works

With a combination of technical and emotional manipulation, vishers try to get their hands on their victim’s important data. In technical terms, vishing means that a scammer manipulates VoIP technology (Voice over IP) to disguise their own identity and telephone number. The scammer thereby hides the fact that the number they appear to be calling from does not belong to them or is not associated with their IP address. Voice phishing is attractive for perpetrators, as the costs for VoIP calls are very low. A visher can, therefore, make many thousands of calls using an active internet connection, and, if successful, gather a large volume of data.

In addition to voice phishing’s technical components, there is also an emotional component. Attackers invent a story that is plausible for the victim and make it appear necessary to act immediately and share sensitive data. These attacks also include social engineering – in other words, calculated, interpersonal influence that is used to gain access to confidential information. Vishers deliberately exploit typical patterns of human behavior through psychological tricks in order to get the victim to disclose sensitive information. Although many different and perfidious vishing scams exist, there is a model that is common to all voice phishing attacks:

  1. The attacker phones and describes a problem that consumers have not previously heard about.
  2. In order to remedy the problem, the visher demands personal data such as login credentials for an account, account data, or credit card data.
  3. The attacker invokes the urgency of the situation and wants to prompt immediate and quick action.

Voice phishing in practice: what an attack can look like

In practice, scammers repeatedly use the same stories in order to get to their victim’s data. Below you will find an overview of the most common scams, so that you can instinctively distinguish fraudulent calls from legitimate calls.

A visher impersonates a software company support employee

A popular starting point for scammers when voice phishing is to impersonate a support representative at a large software company. In this scenario, the attacker pretends that they have detected a software problem and have to help you sort it out. For this purpose, they will ask you to download a program that gives the visher full remote access to your computer. Once the devious program is installed, the attacker can plant malware on your computer and steal personal data.

A visher claims that you have won a contest

Another example of vishing is when the caller informs you that you have won a prize in a contest. In order to receive the prize, however, you first have to pay for the shipping costs. To do this, you need to send your bank details, along with consent for the electronic direct debit. The scammers then either regularly debit money under the pretext that you agreed to a subscription, or they sell the data on to another scammer.

A visher impersonates a bank employee

Voice phishing very often targets your bank or credit card account, which is why many criminals impersonate bank employees. In this scenario, the data theft mostly proceeds without any direct personal contact. The visher leaves a message on your answering machine that informs you that your bank account is in danger due to a hack or a technical error.

When you call back, you will hear a recorded message that asks for the access data for your online banking or credit card. The attacker hopes that you will listen to the message and start to panic. After all, there is nothing more sensitive than your financial data.

Prevent vishing: how to protect yourself from voice phishing

In order to identify and successfully fend off vishing, vigilance and a healthy mistrust toward authority are required. Generally, you should keep the following clues in mind when on the phone with a supposed company employee:

Tip 1: Always try to check whether the caller’s number is an official number for the company that the caller claims to represent. Even if you find the number on the company website, this is no guarantee that the call is legitimate. Simulating a telephone number is an important component of vishing. Checking the number can only provide a first indication of a crime and fend off crude attacks that are very poorly prepared.

Tip 2: If you have any doubts, you should end the conversation and get in touch with the company’s customer service department yourself. Ask if the number is known to them and if the procedure is standard. In doing so, use only the telephone number that is specified on the company’s own website. Do not call any numbers that you found in an email allegedly sent by the company. These types of emails can be part of a (voice) phishing attack.

Tip 3: Never divulge any log-in credentials or bank details over the phone. No trustworthy company will ever ask for your account log-in credentials over the phone. If a caller asks you to state your account info or personal data, refuse immediately and report the interaction to the company concerned.

Tip 4: If you suspect that you have been a victim of voice phishing, report the incident to the police and file a complaint. Furthermore, you should report the incident to the company that the scammer claimed to work for. If you think your bank details could be compromised, talk to your bank and have the account temporarily blocked. Log-in data for accounts can often be blocked online on the website. If you use the same password for different accounts (which is not recommended in any situation), it is imperative that you change the password everywhere.
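
As an added example (not part of the original article), the three-step model from “How vishing works” and the callback check from Tip 2 can be combined into a simple triage of voicemail transcripts. The keyword patterns, the `OFFICIAL_NUMBERS` directory, the company name and both transcripts are constructed assumptions.

```python
import re

# Constructed keyword patterns for the three steps of the model:
# an unexpected problem, a demand for personal data, and urgency.
INDICATORS = {
    "problem": re.compile(
        r"\b(compromised|hacked|suspicious activity|technical error|virus)\b", re.I),
    "data_request": re.compile(
        r"\b(password|pin|login|log-in|card number|account number|access data)\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|urgent(ly)?|right away|within \d+ (hours?|minutes?))\b", re.I),
}

# Hypothetical directory, filled only from each company's own website (Tip 2).
OFFICIAL_NUMBERS = {"Example Bank": {"+18005550100"}}

PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def normalize(number, default_cc="1"):
    """Reduce a written phone number to +<digits> so formats compare equal."""
    digits = re.sub(r"\D", "", number)
    if not number.strip().startswith("+") and len(digits) == 10:
        digits = default_cc + digits
    return "+" + digits

def triage(transcript, claimed_company):
    """Flag a transcript that follows the model or pushes an unverified callback."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(transcript)}
    callbacks = {normalize(m.group()) for m in PHONE.finditer(transcript)}
    unverified = sorted(callbacks - OFFICIAL_NUMBERS.get(claimed_company, set()))
    suspicious = len(hits) == 3 or (bool(unverified) and "data_request" in hits)
    return {"indicators": sorted(hits),
            "unverified_callbacks": unverified,
            "suspicious": suspicious}

# Constructed sample transcripts (numbers are from the fictional 555-01xx range).
VOICEMAIL_SCAM = ("This is Example Bank security. Your account has been "
                  "compromised due to a technical error. Call 800-555-0199 "
                  "immediately and have your card number and PIN ready.")
VOICEMAIL_ROUTINE = ("Hello, this is Example Bank. Your new card has been "
                     "mailed. If you have questions, call us at 1-800-555-0100.")

if __name__ == "__main__":
    for text in (VOICEMAIL_SCAM, VOICEMAIL_ROUTINE):
        print(triage(text, "Example Bank"))
```

A clean result only means the message lacks these markers; calling back on the number from the company’s own website remains the actual check.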

Vishing, phishing, and smishing

With the vishing definition formulated at the start, vishing can be differentiated from other methods of digital data theft.

While the gateway for criminals in voice phishing is IP telephony, in phishing they use emails to bait unsuspecting users into volunteering their personal data. To do this, the devious electronic messages are edited to look as authentic as possible and include a link to a harmful website. A special form of phishing is spear phishing, where scammers zero in on one or several very specific victims. Spear phishers do not cast a large net of fraud, but attack victims with focus and purpose.

Smishing basically works in a very similar way but uses SMS for data theft.

Vishing, phishing, and smishing differ from each other in the way that the con artist makes contact and communicates with the victims. In all versions, the objective remains the same: to steal personal data such as bank details, credit card numbers, or log-in data in order to enrich themselves financially.
