What Is Vishing?
Vishing (or “voice phishing”) is a type of social engineering scam where an attacker tries to trick their target into surrendering sensitive data over the phone.
As with other social engineering attacks, these phone phishing scams prey upon human emotions—attackers often create false scenarios that cause panic (e.g., security alerts) or desire (e.g., winning a large sum of money) to inspire the target to disclose their passwords, financial details, and other personal information.
When it comes to distinguishing vishing from phishing, the practices are quite similar—it’s the medium by which they are conducted that differentiates them.
In a phishing attack, hackers use written communications (e.g., email or instant message) to masquerade as a reputable source in order to steal a person’s credentials.
But with vishing, the scams take place over the phone rather than via email or text, and they’re becoming increasingly threatening. Today, attackers use voice over IP (VoIP) services to automate hundreds of scam calls over the internet at once, all while assuming the identity of a legitimate business. In some cases, attackers even research their targets beforehand to make their deceptions that much more convincing.
Scam calls around the globe grew by 18% in 2019, yet only 25% of employees in Proofpoint’s 2020 State of the Phish report could correctly define “vishing.” This suggests a large awareness gap when it comes to these attacks—and considering they exploit a lack of security know-how, it's crucial that we address it.
In this post, we’ll explore how vishing attacks work in depth and consider some preventative measures that IT teams and individuals can take to defend against them.
What is a vishing attack?
Vishing attacks differ in scope and strategy. The most common type of vishing takes a scattergun approach via war dialling, targeting many potential victims with automated calls in the hope that a few respond. Scammers use war dialling to look for active phone numbers and may focus on targets in particular area codes.
Vishing attacks can also incorporate malware. Malicious web pages or downloads can trigger pop-ups that replicate the device’s operating system, encouraging victims to call a “support line” to address a technical or security issue. This is where the visher comes in, using a mix of real and automated voice responses to deceive the victim.
People who are tech-savvy or naturally cautious may find it easy to see through these lower-effort vishing scams. Spear vishing, however, is much more threatening. As with spear phishing, attackers research and target their victims specifically, scraping information from social media profiles and prior data breach leaks to enrich their messages. This personal touch can be the difference between a scam call that’s easy to ignore and one that succeeds—a visher will more convincingly imitate your financial institution, for instance, if they know your address and who you bank with.
Spear vishing is a “high effort, high reward” approach, and vishers may find it worth the time to gather information and go after higher-value targets like executives, otherwise known as whaling. In these attacks, vishers may employ more sophisticated voice simulation technologies that can even impersonate specific people.
What are some common vishing examples?
Vishing scams usually follow one of these broad scenarios:
Urgent government calls
Whether it’s the “IRS” claiming you could face prison time for unpaid taxes or “the Social Security Administration” calling to inform you of problems, government impersonations are a popular form of vishing. They exert authority and instill urgency through fabricated emergencies involving your money—with the aim of stealing sensitive data such as social security and bank account numbers.
“Too good to be true” offers
Chances are you’ve come across some of these. A visher calls you with a fantastic offer that’s both implausible and unsolicited—you might have won a contest that you didn’t enter, or the visher could present you with an unprecedented loan or investment opportunity. A variation of this may ask for donations to a charitable cause, playing to your sense of morality. Either way, the scammer will make this fraudulent offer to convince you to hand over personal and financial information that they can then exploit.
Tech support fraud
We mentioned these scams above, where malware and adware influence victims to call vishers posing as support lines. These attacks prey upon people who are less familiar with technology and may struggle to separate genuine messages and calls from fraudulent ones. Kaspersky details a similar attack that combines vishing with ransomware—the latter locks a user’s device and provides them with a “tech support” number. On the other end, a visher posing as a technician will offer to “fix” the device for a price.
Bank account attacks
Impersonating financial institutions is a popular way for vishers to try to get rich, especially if they’ve already captured some of your personal information. Vishers are likely to go whaling with these attacks, as the bank accounts of executive business figures are particularly lucrative targets. Friday afternoons can be particularly dicey, as vishers are known to call while counting on targets being too distracted or worn out to scrutinise the call.
How does vishing impact organisations?
If a vishing attack is successful, and an organisation suffers a data breach, the consequences can be severe:
Reputational damage
Brands are built on trust, and a serious breach or leak can make an organisation appear untrustworthy to their customers, partners, and employees. Vishing scams in particular have the potential to poison a brand’s reputation—if an attacker successfully impersonates your organisation, people may be much more hesitant to communicate with you. This is a major headache for enterprises that rely on speaking to their customers over the phone.
Intellectual property loss
Financial information isn’t always the end goal of a vishing scam. Trade secrets, customer profiles, research, designs, technologies, and other confidential data are all attractive targets, and all devastating if stolen. Vishing victims don’t have to explicitly surrender these details over the phone to jeopardise them—compromised account credentials alone could open up a variety of other opportunities.
Regulatory fines
Should any of your employees disclose information that enables a data breach, your organisation could get fined for mishandling or misusing customer data. Scrutiny from industry-specific regulators and supranational frameworks, like the CCPA and GDPR, could result in significant penalties. The GDPR, for instance, can issue fines up to €20 million, or 4% of your annual turnover.
Sustained financial losses
A loss of trust in your organisation can make customers and investors turn elsewhere. Beyond any monetary theft, fines, and compensation payments, this could be even more crippling for your business in the long run.
How can I prevent vishing?
In many cases, vishing prevention comes down to education. Here are some tips to help you recognise and counter vishing scams:
Tips for individuals
- Urgency is a huge red flag: Calls that compel you to take immediate action—whether due to legal trouble, security or technical issues, or financial opportunities—are more than likely vishing scams. Take a breath, avoid giving the caller any of your details, and make some notes about the call before hanging up. Then, you can independently research the call and contact any organisation the caller claims to represent.
- If it sounds too good to be true, it probably is: Keep this in mind for any unsolicited calls that approach you with offers.
- Government agencies are unlikely to call out of the blue: They’re also never going to demand information or money from you over the phone. If in doubt, trust your gut: hang up, find the real number for that organisation, and verify if they are trying to contact you.
- Caller ID is easy for vishers to fake: Don’t take it as evidence that a call is legitimate. Instead, ask the caller for information that would verify their identity and profession.
- Hang up as soon as you suspect something: You have no obligation to stay on the phone, and the less you engage, the better.
- Treat robocalls with caution: Don’t respond to any unsolicited robocalls or automated messages that ask you to press buttons or answer questions. Your responsiveness may cause vishers to identify you as a target for future scam calls, and they may record your voice to bypass voice verification on your accounts. In some countries, it’s also illegal for robocallers to sell you anything unless the company has your prior, written consent to do so.
If you’re wondering where to report phone scams, searching for consumer protection and cybercrime agencies in your country is a good starting point. Here are a few organisations in the U.S., Australia, New Zealand, and the European Union that you can refer to.
Tips for businesses
Looking to prevent vishing on behalf of your organisation? Consider the following:
- Incorporate vishing into security awareness training: This is a great way to boost vishing recognition around your workplace, particularly if you choose a training vendor with simulated vishing tests. This will help you discover vulnerabilities in your staff and bring home the nature of the threat.
- Strengthen your defence against credential theft: Okta and Proofpoint integrate together to protect users from credential theft across common workforce apps where vishers might execute attacks.
- Apply stronger authentication factors: Vishers frequently try to obtain passwords, so introducing additional authentication factors will minimise the damage of compromised credentials. Choose factors that vishers are unable to guess or obtain, like OTP push notifications, hard tokens, and biometric identifiers.
As the threat landscape continues to evolve, and attacks become more sophisticated, it’s essential to protect your organisation from every angle. Check out our Adaptive MFA solution and our eight-step deployment guide to block out vishers with strong authentication—or get started with Zero Trust to build a security architecture that vishing scams won’t break.