Vishing or voice phishing is a type of cyberattack in which attackers use phone calls and clever social engineering techniques to collect confidential information from their targets.
Vishers can be very convincing, whether they are threatening the victim or simply talking to them. They usually pose as law enforcement officers or bank employees and tell the target that her account has been hacked. The victim is then asked to install malware disguised as a legitimate application or packaged in a regular ZIP archive.
Voice phishing is not limited to calls, however. Most often, a vishing attack begins with an SMS message, which is why some users consider vishing and smishing (phishing using SMS messages) to be the same. Despite their similar goals and methods, vishing and smishing are very different from each other. Let’s take a quick look at their differences and learn more about voice phishing attacks.
How is vishing different from smishing?
In smishing attacks, scammers send SMS messages to victims, trying to convince them to follow a malicious link or respond to a message with personal information. The whole process of deceiving the target consists solely of text messaging.
To carry out a vishing attack, by contrast, the attacker must establish voice contact with the victim. In this case, the message is only used to get the victim to dial the number it contains. This allows the scammers to continue the attack or to confirm that the number belongs to the target.
4 stages of a vishing attack
Reconnaissance. The fraudsters’ attack begins with collecting information about the victim. Attackers can send phishing emails to potential victims, hoping that the recipients will reply and provide contact information.
Call. If the victim has already been deceived by a phishing email, she will most likely not be wary of a person who calls her on the phone posing as the sender of that email.
Conversation. As soon as a fraudster manages to reach someone by phone, he will begin to play on the target’s trust, fear, greed or need for help. If this strategy works and the victim succumbs to the attacker’s pressure, he can ask her to:
Provide bank account information and credit card details;
Provide an email address;
Send confidential work-related documentation;
Provide information about her company.
Profit! However, the attack does not end there. Having received all the necessary information, the attackers can continue the attack, for example by emptying the victim’s bank account, using her personal data for their own purposes, or making purchases with the stolen credit card data. In addition, scammers may try to deceive the target’s colleagues by sending messages in her name and trying to obtain confidential corporate data.
The most popular vishing schemes
A warning that something is wrong with the victim’s bank account or payment. To solve the “problem that has arisen”, the attackers ask the target to provide their username and password or make a new payment.
Unsolicited loan or investment offers. Scammers offer victims conditions that are too good to be true. In this case, the attackers play on greed, trying to convince the victim that she can earn a fortune or pay off all her debts by making one small investment, and suggest that she make the payment during the call itself.
Calls on behalf of the Social Security Administration. Usually, scammers threaten to suspend or cancel the victim’s Social Security number. Depending on how successful the attack is, attackers can steal the victim’s data and money.
The IRS tax scam. A warning that the victim has unpaid tax bills or other fines, with a demand to call back immediately.
A call with a message that the recipient has won a valuable prize. However, before receiving the prize, the victim allegedly needs to make an advance payment.
How not to get hooked by scammers?
Do not talk to unknown callers, especially if they ask you to confirm or provide confidential data.
Pay close attention to who is talking on the phone. Listen to how the caller speaks and think twice before you say something. Again, do not disclose any personal information.
Ask questions. If a caller offers you a free prize or is trying to sell something, ask them to confirm who they are and where they work. Before providing your details, check any information provided by the caller. Hang up if they refuse to give you this information.
Add your phone number to the national Do Not Call registry.
Never reply to emails or social media messages if they ask for your phone number.
What should you do if you were deceived?
If you have provided your bank details to a fraudster, then the first thing to do is to contact your bank. Call the company servicing your credit card and request the cancellation of suspicious transactions.