Vishing (voice phishing) is a cybercrime in which hackers use a phone to steal targets’ private information for money, fame and self-satisfaction. Vishing is similar to phishing and smishing, which also aim to defraud people by obtaining sensitive personal information. The most common form of vishing is a phone call that sounds urgent or threatening. Cybercriminals use sophisticated social engineering techniques to persuade victims to respond, leading to the disclosure of personal information and access to bank accounts.
Voice phishing attacks have become increasingly common in recent years, with offenses costing victims $48 million in 2018. As of April 2019, there were 70,000 suspicious calls reported in the U.K. alone. However, in 2020, due to the worldwide shift to remote work, the rate of vishing has increased over 11 times since 2016.
To avoid detection by investigators, vishing scammers commonly use sophisticated Voice over Internet Protocol (VoIP) technologies such as caller ID spoofing and automated systems.
Scammers usually target immigrants and the elderly who are not digitally savvy. The victims are pressured to pay any amount to avoid a series of threats.
Hackers aren’t just after personal bank account details. By impersonating Microsoft or Apple telephone services, scammers can advance in collecting login data from the users of those products.
What Is the Definition of Vishing?
Vishing has become one of the most severe risks online, regardless of the victim’s country, profession or other demographic variables. The term “vishing” refers to an old-fashioned phone fraud scheme that combines the words “voice” and “phishing.”
The term “phishing” was first used in Koceila Rekouche’s hacking toolkit, AOHell, in 1995. Khan C. Smit, a well-known fraudster and programmer, is believed to have originated the phrase “phishing” in the mid-1990s. However, a phishing strategy was presented in a conference contributing to the 1987 International HP Users Group, Interex.
The word is a vernacular variation of fishing (“ph” is a popular alternative for “f”) and relates to the employment of more worldly enticement to “fish” for sensitive information from users. The name was coined during the early days of America Online (AOL) phishing because the image of a fish is the single most frequent element of HTML in all chat archives by default and hence could not be identified by AOL staff. The hacker used words related to stolen credit cards, accounts or unlawful actions to replace the fish symbol. Because the character resembled a fish, and because phreaking (a sensational spelling of “freak”) was popular, it was renamed “phishing.”
How Are Vishings Used?
Every vishing success is based on social engineering, which entails persuading people to act in an uninformed manner. However, there are other specific techniques employed by attackers to gain access to essential information.
Some of the techniques hackers use in vishing attacks are given below.
- Wardialing: In investigating weak points in an information system’s security infrastructure, wardialing typically focuses on a specific area code and uses the name of a local institution to hunt for real customers. The cybercriminal uses software to dial specific area numbers involving known banks, companies, law enforcement agencies or other regional institutions. Hackers utilize automated messages to get the caller’s full name, credit card number, bank account number, mailing address and Social Security number. Hackers may need this information to confirm the victim’s account has not been infiltrated or validate account details based on the recorded message.
- Voice over Internet Protocol (VoIP): Often known as IP telephony, VoIP is a technology that allows unscrupulous hackers to create fake phone numbers via the internet. VoIP aids callers in faking their identities and can establish local phone numbers or 1 to 800 extensions. To appear authentic to users, attackers can make the VoIP numbers imitate governments, health care institutions or law enforcement offices.
- Dumpster Diving: Dumpster diving involves searching through people’s waste for hidden treasure. The technique is used in information technology (IT) to recover information such as real phone numbers from discarded items. The information gathered could be used to launch an attack or obtain access to a computer system. Attackers can look for information in dumpsters around buildings, banks, organizations and other venues to accomplish vishing.
- Caller ID Spoofing: Hackers use caller ID spoofing to change the caller’s genuine identity so that the name or number displayed to the call recipient looks authentic. Vishers frequently employ caller ID spoofing to appear trustworthy or known to the call recipient. They may use a fictitious name or claim to be a legitimate phone call from the government, tax authorities, police, banks, health organizations and other well-known institutions.
What Are the Common Examples of Vishing?
Vishing is increasingly rampant on the modern internet. The most common vishing scenarios are detailed below.
1. ‘Compromised’ Bank or Credit Card Account
Caller ID spoofing is the technique used in this example. Attackers call the victim using a fake phone number in an attempt to sound familiar and helpful. Hackers can impersonate a bank representative notifying of strange activity on the victim’s accounts, such as a recent transaction or refund procedure.
To rectify the problem, the hacker then requests confirmation of the user’s bank account information, passcode, email address and other pertinent information. Hackers will utilize the information to execute identity theft and withdraw funds from the victim’s bank account.
This is important:Victims should be cautious about disclosing critical information over the phone in this situation. Organizations are aware of cyber threats and will never ask for vital information over the phone. Victims must also pay attention to the caller’s urgency and tone of approach.
2. Unsolicited Loan or Investment Offers
Attackers can use any vishing technique, be it dumper diving or VoIP, to carry out this attack. Scammers may pose as employees of governmental bodies or well-known non-governmental organizations. According to the caller, this information is essential to approve the offer and ensure that the victim receives the request promptly. To make their offer appear authentic, these fraud schemes may include SMS messages from the scammer.
Cybercriminals use deception to persuade naive victims to provide private information. They will inform victims to pay a redemption fee to receive the offer. The idea behind this is that scammers only want to get the money and vanish.
3. IRS Tax Scam
The caller claims to be representing the Internal Revenue Service or other prominent government units. A hacker may contact the user to validate personal details. To convince consumers to provide all necessary information, the caller may threaten to withhold tax refunds or imprison victims.
Warning:Fraudsters may employ SMS messages to make the demand look authentic.
4. Medicare or Social Security Scam
Caller ID spoofing is used in Social Security or Medicare scams, alongside other effective strategies.
The criminal impersonates government representatives from agencies such as the Social Security Administration or the Centers for Medicare and Medicaid Services. Under the pretense of assisting victims in registering or receiving payments, the fraudsters obtain the necessary banking details.
Using dumper diving, criminals have also targeted small business owners seeking COVID relief loans through the Small Business Administration’s Paycheck Protection Program. However, this cyber threat has been in action before the COVID-19 outbreak. During that time and when the vaccines began to be distributed, the deception grew even more.
How Common Are Vishing Attacks?
Since the late 1980s, the term “vishing” has been widely used. Vishing is just as common as the other forms of phishing; the only difference between this cyberattack and phishing itself is the way it’s written (“v” in place of “ph”).
Over the last several decades, vishing attacks have adversely affected many people and organizations. One research report found that 75% of scam victims claim that the perpetrators already had some confidential information about them, which they then used to get more information.
Moreover, vishers’ financial growth is dependent on the frequency of attacks. However, the Federal Bureau of Investigation’s Internet Crime Complaint Center has revealed that social engineering crimes, such as vishing, cost victims over $54 million in 2020 alone.
What Are the Statistics about Vishing?
Vishing, like phishing, is a prevalent global cyber threat. Relevant statistics about vishing and its impacts are listed below.
- The FBI’s Internet Crime Complaint Center logged 241,342 victims of phishing, vishing, smishing and pharming in 2020, more than double 2019’s total of 114,702 victims.
- The global information security market is expected to reach $170.4 billion in 2022.
- Only 6% of people who reported government imitation vishing scams lost money, but those who did averaged $960 in losses.
- Approximately 28% of all vishing used personal information to target victims.
- Attacks on U.S. firms were successful in 74% of cases. Although 95% of companies claim to provide phishing education to their staff, phishing has been the most common threat to causing a security breach.
- Phishing is involved in 22% of data breaches.
- About 75% of scam victims say that scammers already had personal information before obtaining extra details.
- Vishing attacks have become more common in recent years. Scam calls accounted for over 30% of all incoming cell phone calls in 2018.
- The average cost per breached record has climbed consistently over the last three years. The price in 2019 was $150. Marriott’s most recent data breach resulted in the theft of 5.2 million guests’ data. The cost of the breach may be as high as $780 million.
- 60% of businesses lost data as a result of a successful phishing assault.
- Credentials or accounts were compromised in 52% of organizations.
- Financial losses were recorded by 18% of enterprises.
- As of Jan. 17, 2021, Google had registered 2,145,013 phishing sites. This represents a 27% gain in 12 months from $1,690,000 on Jan. 19, 2020.
- In the U.S., phishing attacks were successful in 74% of firms. This is 30% higher than the global average and 14% higher than the previous year.
- The market rate for a phishing webpage is $3 to $12.
- There are now approximately 75 times as many phishing sites on the internet as there are malware sites.
- Vishing, phishing, smishing and pharming cost victims $54.2 million in 2020.
Is Vishing Illegal?
Vishing is illegal, and it’s a type of cybercrime that leverages phones to obtain victims’ private information. Cybercriminals use intelligent social engineering strategies to defraud innocent people, a practice known as voice phishing.
On the other hand, the punishment for phishing is highly dependent on the circumstances of the case.
What Are the Laws Regarding Vishing?
As with many regulations, the crucial factor is motive: A visher must aim to get someone’s details for reasons different from what is presented. Phishing, like any other method of identity theft, requires only an attempt to identify a criminal. This means that even attempting to deceive others to obtain essential information might result in criminal charges and convictions.
Vishing laws may vary depending on the extent of official interference. The federal law on vishing, for example, differs from state law.
Note:There isn’t a single federal law that makes vishing a crime. However, phishing and other identity fraud offenses are covered by broader federal criminal laws. Because phishing is an internet-based offense, the federal law against bank fraud is frequently used to prosecute phishing activities on a national level.
According to the National Conference of State Legislatures, only a few states have explicit anti-phishing legislation in place. Even in states without clear phishing legislation, other criminal charges may apply to phishing activities.
State laws vary substantially. Although most phishing laws classify the offense as a felony, some offenses may be treated as a misdemeanor or felony in other states.
Some of the consequences of vishing are given below.
If convicted of a felony, a phishing conviction might easily result in a year or longer in prison. Felony convictions can result in prison sentences of up to five years, depending on the state. Convictions for misdemeanors can result in up to a year.
Probation usually is for a period of 1 to 3 years or more. However, it may last longer in some situations. And this penalty is generally imposed when a crime has not yet been confirmed.
A restitution order will be issued if the phishing activity results in financial losses. Restitution mandates the attacker to make amends for the loss. Though the amount varies depending on the circumstances, restitution is always paid in addition to any fines.
The fines for misdemeanors and felonies usually vary. If the fine for a misdemeanor is a few thousand dollars, the felony penalty could be $10,000 or more per offense.
How to Detect a Vishing Attack?
The signs to look out for to detect a vishing attack are given below.
- Request for Confidential Information: Attackers may request sensitive information from victims, such as name, address, birth date, Social Security number, bank account information and other identifying information. Attackers may also try to give the impression of legitimacy by revealing obtained information to victims. The goal is to get the missing information that the attacker lacks.
- Unrequested governmental aid: Cybercriminals pose as government officials to obtain sensitive information. None of these government agencies will ever contact people by phone call to request financial details unless one specifically requests it. It is advisable to avoid any unsolicited calls impersonating government officials.
- Sense of Fear and Urgency: Scammers will use threats of arrest warrants and bank issues to manipulate the victim’s fear. Any call that sounds urgent with fear should be avoided. Users should also avoid giving out important details over the phone; hang up and conduct thorough research.
How to Protect Yourself from Vishing?
Vishing protection is necessary for both organizational and individual safety. Some vishing prevention strategies are provided below.
- Do not disclose confidential information over the phone.
- Before responding to any caller, consider the information given and the tone of the message delivered.
- Ignore calls from unknown numbers.
- Answering inquiries regarding one’s personal information, workplace or home address is not a good idea.
- Make sure the caller is who they say they are. Look up any company’s official public phone number and call the line directly.
- Learn to ask revealing questions.
- If the caller is offering a free reward or selling something, demand confirmation of who they are and where they work.
- Scrutinize business web apps regularly for unauthorized or unusual activity. Authorized user access logs should be checked and routinely audited.
- Educate yourself about vishing and its techniques to stay updated with cybersecurity.
What to Do If You Become a Vishing Victim?
The art of vishing is growing increasingly complex, and more people are becoming victims. This can be upsetting, but don’t fret; there are things you can do if you become a victim of vishing. Follow the steps given below.
- Don’t panic.
- Report the situation.
- File a report with the FBI’s Internet Crime Complaint Center, the Federal Trade Commission and the National Do Not Call Registry.
- Change the passwords on all accounts.
- Alert all your banks, payment service providers and government offices, and then keep a close eye on your finances.
- Make a refund request.
- Try to avoid any vishing opportunities in the future.
What Is the Difference Between Phishing and Vishing?
Although vishing is one of the phishing types, the channel of operation is what distinguishes phishing from vishing. Phishing is a type of email attack in which the attacker pretends to be from a relevant, trusted company to get sensitive information from consumers through electronic contact. Vishing, on the other hand, relies on verbal communication to carry out the entire scam. As a result, most vishing attacks take place over the phone, though some occur on desktops and laptops.
What Is the History of Vishing?
Because vishing is a subset of phishing and they are jointly linked, the history of vishing can be traced back to when phishing started.
Phishing is one of the oldest cyber threats.
Around 1995, hackers who gained access to America Online (AOL) accounts and passwords coined “phishing.” Khan C. Smith, the famous hacker, is believed to have originated the phrase “phishing” in the mid-1990s. However, the word may have first appeared in print in 1995 in the journal 2600, The Hacker Quarterly.
Internet criminals used email lures to fool users and “fish” for passwords and financial information during that time. While most people would not fall for the deception, the hackers knew that a few would. The message includes obligations such as “check your account” or “verify billing details” to persuade the recipient into divulging critical information.
Hackers switched to phishing for real accounts when AOL adopted protections in late-1995 to prohibit the use of fake, computer-generated credit card details to open accounts. Since then, phishing attacks in various forms have been reported.