Thales Blog

Vishing: The Best Protection Is Knowing How Scammers Operate

October 26, 2023

Jason Keenaghan | Director of Product Management

The 2023 #CybersecurityAwarenessMonth campaign focuses on building secure habits through four simple steps: using strong passwords and a password manager, deploying MFA wherever possible, keeping software constantly updated, and recognizing and reporting phishing attempts. Many organizations train employees to spot phishing emails, but few raise awareness of vishing, the phone-based variant of the same scam.

Phishing vs. Vishing

“While email may still be the most common mechanism for social engineering, we increasingly see attacks via social media, platforms such as WhatsApp, physical compromise, snail mail, and phone calls,” says ethical hacker FC in a blog.

Most people are familiar with the term phishing, but not everyone knows about vishing. It is a form of phishing that pursues the same objectives through a different channel. Vishers use voice-altering software, text messages, social engineering, and spoofed or fraudulent phone numbers to trick users into revealing sensitive information. Unlike other forms of phishing, vishing uses voice as the primary tool for deception. Smishing is a related form of phishing that delivers the lure by SMS text message; attackers often combine it with voice calls, for example by texting a number for the victim to call.

How do vishers operate?

Phishing attackers typically send large volumes of email to a list of potential targets. The messages are written to trick users into replying with sensitive information or into clicking a link that leads to a credential-harvesting page or malware download. Malicious attachments are another common delivery method.

Vishing attackers typically use one of two methods to reach their victims. The first is to send a text message to a long list of phone numbers, asking the recipient to call a number controlled by the attacker. The second is to record an automated message and use robo-dialing to contact potential victims; a neutral, computer-generated voice is used to sound like a legitimate institution and gain trust. The recorded message then either hands the victim over to a human operator who carries on the scam or directs them to a website the attacker controls.

When a cybercriminal gets someone on the phone, they use various social engineering techniques to appeal to the victim's basic human instincts of trust, fear, greed, and desire to help. The criminal may use one or all of these methods to convince the victim that they are doing the right thing, depending on the vishing scheme.

For example, a scammer may call an HR department posing as an employee's spouse and urgently ask for the employee's phone number. Another typical example is a caller pretending to be a grandchild who asks a grandparent for money to get out of a difficult situation.

Scammers are primarily financially motivated. They will use all their “charm” to convince their victims to divulge bank account information or credit card details. They may even ask the victim to take action by transferring funds, emailing confidential work-related documents, or providing details about their employer.

How to prevent vishing attacks

A vishing attempt takes time. The scammer needs to gain the victim's trust, or to amplify feelings of fear or greed, before the victim will take the next step.

Awareness of this social engineering method is therefore the most important step in preventing vishing. Organizations must educate users to recognize vishing attacks and report them. Individuals should be cautious about giving out personal information to anyone who contacts them by text or voice call. Any legitimate institution publishes an official number, printed on your card or statement or shown on its website, so you can hang up and call that number yourself to verify that the request is genuine before sharing any sensitive details.

Another way to protect ourselves against vishing is to think rationally and notice when someone is trying to manipulate our emotions by applying pressure or urgency. The best way to do this is to pause, think about the conversation, and only then act. Remember that a bank will never ask you to read out your PIN, full password, or a one-time passcode over the phone. And if the caller claims to be your son or daughter, you can always hang up and call them back on their known number to check the story.

Finally, a reasonable precaution is to ignore calls or messages from unknown numbers and to block them on your mobile phone. Bear in mind that caller ID is easily spoofed, so a number that appears to belong to your bank or employer proves nothing; never give out sensitive information on an inbound call, regardless of where the caller claims to work.

So, to keep yourself cyber safe, follow these four simple steps. Happy Cybersecurity Awareness Month!