Vishing or Voice Phishing Explained

Scammers have taken fraud to the next level, and it would be no surprise if you were a recent victim of a vishing attack. Cybercriminals are using tech-savvy skills from the dark web to steal money and identities. Aside from the COVID-19 scam and other scamming tricks, they’re now posing as Social Security to fool us into reimbursing money through Bizum.

What is the Bizum scam? It is a trending scam tactic that Internet User Security has warned about. The scammer impersonates Social Security and asks for a contribution through Bizum. To succeed in this fraud, a vishing scheme is executed. Vishing is the equivalent of the phishing scam technique, only it’s done over phone calls.

Usually, the scammer will use social engineering techniques to bypass mobile security and deceive you through phone calls. They’ll often pretend to be, say, a company like Social Security, or a technical worker looking to help solve a suspicious technical problem.

In this situation, the criminal tries to convince you to share your valuable details. For instance, they would trick you into confirming some info like your email address or social security number.

What is Vishing?

Also known as voice phishing, vishing is simply the use of telephony, usually Voice over IP (VoIP) telephony, to conduct phishing frauds. Vishing criminals repeatedly use modern VoIP features like automated systems (IVR) and caller ID spoofing to delay detection by law enforcement agencies.

Voice phishing is usually used to steal your credit card details or other valuable info that is often used in identity theft schemes. Although criminals sometimes use live callers, they often prefer voice phishing scams conducted through automated text-to-speech systems. The goal is to direct or convince you to dial a number that is controlled by the scammer.

Types of Vishing or Voice Phishing

  1. Voice over IP (VoIP). VoIP is a web-based phone system that makes vishing much easier by allowing for multiple technologies to run in pairs. To make a spam call, the scammer uses VoIP-connected servers.

  2. Caller ID spoofing. This is when a phone network is altered to show a fake number on your caller ID. Various companies have certain programs or devices that allow caller ID spoofing. Such programs or devices can be used to fill a caller ID with a specific bank or credit union name. Sometimes you can just write Credit Union or Bank, and that’s what is shown as the caller ID.

  3. Dumpster diving. Just as it sounds, dumpster diving involves a criminal digging for valuable info in a bank’s dumpster to get a list of mobile numbers. With this info at hand, the scammer can program the numbers into their system and plan a special spam call attack.

  4. War dialling. Scammers often use automated systems with special messages concerning banks or credit unions to call different area codes. If, say, you get hooked on a spam call, a recorded voice message will start asking for your credit card or bank account details.

Common Methods of Vishing Scams

Cybercriminals will often use social engineering schemes to convince you to pay some money or give away your sensitive info. Usually, a thief will attempt to create a sense of urgency, or use fear of some sort of authority as leverage against you. Here are some common methods of vishing.

  1. Imposter Scammers: Some criminals will pretend to be an important person or a company that is related to you. They then use your relationship with this important person or company as leverage to commit fraud. Here are some examples of imposter scams you should watch for.

  • Tech Support Fraud. Here, the fraudster pretends to be tech support and claims there’s a technical issue on your device that needs special attention. The criminal will always employ a sense of urgency to gain control over your device remotely. They do this by sending an email with a link that prompts you to run some program that’s intended to diagnose the supposed problem, only it installs spyware on your system.

  • IRS Scam. Here, the fraudster calls and pretends to be an IRS immigration officer, and threatens arrest or deportation if, say, you don’t pay off your debts, even if the debt isn’t real.

  • Romance Fraud. The scammer here pretends to be a potential love interest via some online dating application to create curiosity and trigger a trapping conversation. Sometimes, they may pose as your ex-fiancé and ask for emergency funding of some sort.

  2. Investment Fraud: This kind of scam involves a criminal who’s pretending to be some kind of financial expert to trick you into offering some bucks for an investment.

  3. Credit Repair and Debt Relief Fraud. A potential thief may also pose as an organisation and claim to relieve you of some debt or repair your credit score. The hacker then requests a company service fee. This is how a thief steals your money if, say, you get a little careless.

  4. Charity Fraud. This happens when a cybercriminal poses as a member of some charity organisation to convince you to donate money to their cause. Usually, the fake organisation doesn’t do any charity work. Instead, the donated money goes straight to the thief’s pocket.

  5. Parcel Scam. In most cases, parcel scams target the immigrant community. A scammer claims that you have a parcel that needs to be picked up. Generally, they would pretend to be some courier company. Once you’re hooked on the game, things get more interesting. Let me explain.

The nonexistent package now seems to be linked to another nonexistent financial criminal case. So, the criminal who’s pretending to be a courier company forwards the matter to another criminal who’s now posing as a police officer of the foreign country in question.

The fake officer then explains that you’re a suspect in a fake money laundering case and, therefore, you need to be investigated. You get sucked into the fraud even more when the officer convinces you that you might only be a victim of identity theft.

Further, the first criminal now convinces you to send some fee to the fake police to investigate the matter. And throughout the process, the criminal takes extra caution to convince you that they’re not scammers by reiterating that the police won’t ask for your personal or bank details.

  6. Auto Warranty Fraud. If you’re targeted for this scam, the criminal will likely call you regarding your vehicle’s warranty and provide an option for renewing it online.

Such offers tend to seem legit if, say, the scammer has info about your car. They’re always hoping that this trick will lure you into sharing your personal details or buying the fake auto warranty renewal.

  7. Kidnapping Fraud. This one will often scare someone and pull the emotions out of them. Normally, someone would call and tell you that they have kidnapped your child or a close relative, then demand a ransom payment.

Criminals who do this appear to have either conducted thorough research beforehand, or they’re applying social engineering techniques and assumptions to glean information about your close relatives from you. Although this scam can target anyone, the elderly are almost always the targets.

This is because scammers think that an elderly person is more vulnerable to fraud compared to the average man. They assume that these people have children or grandchildren somewhere. And they’ll even threaten to harm them if, say, the victim hangs up the call.

Sometimes scammers may let their victim speak to their supposedly abducted relative, and thanks to the confusion, fear and phone effects on someone’s voice, the victim may not notice the difference and may think that their kin has surely been kidnapped.

How to Detect Vishing

A straightforward technique for detecting vishing is to make use of blacklists. Recent studies have attempted to accurately distinguish between legitimate calls and vishing scams by applying data analysis and artificial intelligence (AI).

By converting voice calls to text and analysing it, AI mechanisms like natural language processing can be used to detect vishing frauds.
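The following added example, which is not from the original article or the studies it mentions, combines a number blocklist with keyword rules over a call transcript. The rules are a simplified stand-in for a trained NLP model, and the phone numbers, cue word lists, weights and threshold are all constructed assumptions.

```python
import re

# Constructed blocklist of reported numbers (placeholders, not real indicators).
BLOCKLIST = {"+15550100", "+15550101"}

# Cue categories taken from the article's description of vishing calls:
# urgency, claimed authority, requests for sensitive data, requests for payment.
# The word lists themselves are assumptions chosen for this example.
CUES = {
    "urgency": r"\b(immediately|right now|urgent|final notice)\b",
    "authority": r"\b(social security|irs|police|officer|bank|tech support)\b",
    "sensitive_request": r"\b(password|pin|card number|account number|user id)\b",
    "payment": r"\b(pay|fee|transfer|ransom|donate)\b",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in CUES.items()}


def score_call(caller_id, transcript, threshold=3):
    """Return (flagged, reasons): 2 points for a blocklist hit, 1 per cue category."""
    reasons, score = [], 0
    if caller_id in BLOCKLIST:
        score += 2
        reasons.append("blocklist")
    for name, pattern in PATTERNS.items():
        if pattern.search(transcript):
            score += 1
            reasons.append(name)
    return score >= threshold, reasons


# Constructed transcripts (speech-to-text output is assumed to exist already).
SAMPLES = [
    ("+15550100", "This is your bank. Confirm your PIN immediately."),
    # Spoofed or fresh number: not on the blocklist, caught by transcript cues.
    ("+15550199", "Officer Smith from Social Security. Pay the fee right now."),
    ("+15550123", "Hi, the dental clinic is confirming your Tuesday appointment."),
]

if __name__ == "__main__":
    for number, text in SAMPLES:
        print(number, score_call(number, text))
```

The second sample shows why a blocklist alone is not enough: with caller ID spoofing the displayed number tells you little, so the content of the call has to carry the decision.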

How to Protect Yourself From Vishing Attacks?

Here’s the short version of how you can avoid being a victim of phone scams.

  • Avoid responding to unknown numbers
  • Avoid sharing your personal details, especially on the phone.
  • Don’t trust caller ID 100%
  • Don’t call the numbers that are given by unknown callers, or those displayed on caller ID.

Here’s a more detailed version of how you can protect yourself from vishing attacks.

  1. Financial institutions like banks don’t call or text their clients and ask for information like passwords. Such attempts are common scamming tactics used to steal your money or your identity.

  2. Don’t show your identity proof to a stranger or anyone without a genuine reason.

  3. Never click on links to access your bank’s site. In most cases, chances are it’s a phishing link that wants to redirect you to an impersonating site to capture your banking details. Always access your bank’s website by typing your bank’s genuine URL in your browser’s address bar.

  4. Avoid responding to calls or voicemail messages that prompt you to verify or update your User ID, credit card details, or passwords. Notify your bank of such attempts. In the event that you accidentally reveal your personal info, change your password immediately.

  5. Always keep in mind that sensitive information such as passwords or PINs is strictly only for you. This info can’t be revealed even to bank personnel or the directors themselves.

Frequently Asked Questions (FAQs)

  1. What is a Vishing Attack?

Voice phishing or vishing is the act of instilling fear or causing panic to a victim through a spam call. This may include a solution to a fake problem, or some fake offers like a discounted auto warranty renewal.

The goal of vishing is to attain sensitive info that only results in direct compromise of the victim. Also, hackers may fake, or spoof their mobile numbers to add authenticity to a scam. Sometimes they can use voice changers to hide their identity.

  2. What Does Vishing Mean?

Vishing is a modern-day cybercrime that uses telephony (VoIP) to commit phishing scams like stealing someone’s valuable info for use in identity theft. Criminals often employ social engineering techniques to convince you to share this information.

  3. What is the Difference Between Phishing and Vishing?

Phishing is a type of social engineering where a hacker sends a spam text or email to trick you into giving up your personal details or performing an action, such as running a program that installs malware on your system to compromise your mobile security. Phishing often involves emails and messaging platforms.

Meanwhile, vishing is the use of VoIP technology to commit cyberattacks through automated recordings or real calls. Both scam methods have a common goal, except one uses messaging platforms and the other uses phone calls.

  4. What is Vishing in Cyber Crime?

Vishing in cybercrime is the act of making a fraudulent call, or a spam call to unsuspecting persons, in most cases, elderly people.

Further, the spammer tends to deliver fearsome messages to cause panic and hope that the victim will fall into their trap, and give up their essential information. This could be their social security details, or bank details. Sometimes they can ask you to buy fake offers.

Final Thoughts

An effective mitigation strategy is to teach or train the general public to recognise the traits of vishing frauds as well as how to detect phishing messages.

A more technical approach, however, is to utilise a software detection technique to enhance mobile security. Usually, such mechanisms can distinguish between spam and legit calls or texts. Also, they can be implemented more cheaply than public training.
