vishing
   HOME

TheInfoList



OR:

Voice phishing, or vishing, is the use of telephony (often
Voice over IP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
telephony) to conduct
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
attacks. Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern
Voice over IP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
(VoIP) features such as
caller ID spoofing Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. This can lead to a caller ID display showing a phone ...
and automated systems (
IVR Interactive voice response (IVR) is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and DTMF tones input with a keypad. In telecommunications, IVR allows customers to interac ...
) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in
identity theft Identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term ''identity theft'' was c ...
schemes from individuals. Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation. Bank account data is not the only sensitive information being targeted. Fraudsters sometimes also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the
caller ID Caller identification (Caller ID) is a telephone service, available in analog and digital telephone systems, including voice over IP (VoIP), that transmits a caller's telephone number to the called party's telephone equipment when the call i ...
of
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
or
Apple Inc. Apple Inc. is an American multinational technology company headquartered in Cupertino, California, United States. Apple is the largest technology company by revenue (totaling in 2021) and, as of June 2022, is the world's biggest company ...
Audio deepfake The audio deepfake is a type of artificial intelligence used to create convincing speech sentences that sound like specific people saying things they did not say. This technology was initially developed for various applications to improve human life ...
s have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.


Terminology

* Social engineering - The usage of psychological manipulation, as opposed to conventional hacking methods, to gain access to confidential information. *
Caller ID spoofing Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. This can lead to a caller ID display showing a phone ...
- A method by which callers are able to modify their
caller ID Caller identification (Caller ID) is a telephone service, available in analog and digital telephone systems, including voice over IP (VoIP), that transmits a caller's telephone number to the called party's telephone equipment when the call i ...
s so that the name or number displayed to the call recipient is different than that of the caller. Phishers will often modify their numbers so that they appear familiar or trustworthy to the call recipient. Common methods include spoofing a number in the call recipient's area code or spoofing a government number so that the call appears more trustworthy or familiar and the potential victim is more likely to answer the call. * Voice over Internet Protocol (VoIP) - Also known as IP telephony, VoIP is a technology that allows voice calls to be made over the internet. VoIP is frequently used in vishing attacks because it allows callers to spoof their caller ID.


Motives

Common motives include financial reward, anonymity, and fame. Confidential banking information can be utilized to access the victims’ assets. Individual credentials can be sold to individuals who would like to hide their identity to conduct certain activities, such as acquiring weapons. This anonymity is perilous and may be difficult to track by law enforcement. Another rationale is that phishers may seek fame among the cyber attack community.


Operation

Voice phishing comes in various forms. There are various methods and various operation structures for the different types of phishing. Usually, scammers will employ social engineering to convince victims of a role they are playing and to create a sense of urgency to leverage against the victims. Voice phishing has unique attributes that separate the attack method from similar alternatives such as email phishing. With the increased reach of mobile phones, phishing allows for the targeting of individuals without working knowledge of email but who possess a phone, such as the elderly. The historical prevalence of call centers that ask for personal and confidential information additionally allows for easier extraction of sensitive information from victims due to the trust many users have while speaking to someone on the phone. Through voice communication, vishing attacks can be personable and therefore more impactful than similar alternatives such as email. The faster response time to an attack attempt due to the increased accessibility to a phone is another unique aspect, in comparison to an email where the victim may take longer time to respond. A phone number is difficult to block and scammers can often simply change phone numbers if a specific number is blocked and often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb false scam calls.


Initiation mechanisms

A voice phishing attack may be initiated through different delivery mechanisms.  A scammer may directly call a victim and pretend to be a trustworthy person by spoofing their caller ID, appearing on the phone as an official or someone nearby. Scammers may also deliver pre-recorded, threatening messages to victims’ voicemail inboxes to coerce victims into taking action. Victims may also receive a text message which requests them to call a specified number and be charged for calling the specific number. Additionally, the victim may receive an email impersonating a bank; The victim then may be coerced into providing private information, such as a PIN, account number, or other authentication credentials in the phone call.


Common methods and scams

Voice phishing attackers will often employ social engineering to convince victims to give them money and/or access to personal data. Generally, scammers will attempt to create a sense of urgency and/or a fear of authority to use as a leverage against the victims. * Imposter scammers pose as an important person or agency relative to the victim and use the victim's relationship with the important person or agency to leverage and scam money. ** IRS scam: The scammer poses as an IRS official or immigration officer. The scammer then threatens deportation or arrest if the victim does not pay off their debts, even if the victim does not actually have any debt. **
Romance scam A romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining the victim's affection, and then using that goodwill to get the victim to send money to the scammer under false pretenses or to commit fraud ag ...
: The scammer poses as a potential love interest through dating apps or simply through phone calls to reconnect with the victim as a lover from the past who needs emergency money for some reason, such as for travel or to pay off debts. Social engineering is used to convince victims that the scammer is a love interest. In extreme cases, the scammer might meet up with the victim and take photos of sexual activities to use as leverage against the victim. ** Tech support scam: The scammer poses as a tech support and claims that there is an urgent virus, or a severe technical issue on the victim's computer. The scammer may then use the sense of urgency to obtain remote control of the victim's computer by having the victim download a special software to diagnose the supposed problem. Once the scammer gains remote control of the computer, they can access files or personal information stored on the computer or install malware. Another possibility is that the scammer may ask the victim for a payment to resolve the supposed technical issue. * Debt relief and credit repair scams ** Scammer poses as a company and claims an ability to relieve debt or repair credit. The scammer requests a company fee for the service. Usually, performing this action will actually reduce credit score. * Business and investment scams ** Scammers pose as financial experts to convince victims to offer money for investments. * Charity scams ** Scammers pose as charity members to convince the victim to donate to their cause. These fake organizations do not actually do any charity work and instead, any money donated goes directly to the scammers. * Auto warranty scams ** Scammers make fake calls regarding the victim's car warranty and offer the option to renew the warranty. The caller may have information about the victim's car, making their offer appear more legitimate. Callers may use auto warranty scams to gather personal information about their victims, or to collect money if victims decide to purchase the proposed warranty. * Parcel scams ** Targeting immigration populations, scammers claim that the victim has a parcel that needs to be picked up. The scammer initially poses as a courier company. The nonexistent parcel is connected to a financial criminal case. The scammer, posing as a delivery company, transfers the victim to another scammer posing as a police of a foreign country. The scammer posing as police will claim the victim is suspected and needs to be investigated in a fake money laundering investigation. This is done by convincing the victim that their identity was stolen. The scammer then convinces the victim to send money to the “police” to conduct an investigation on the money in their bank. Throughout the process the scammer may take extra steps to claim they are not scammers by reiterating that the police will not ask for personal credentials or bank account information. * Kidnapping scams ** Scammers will call and claim that they have kidnapped a close relative or loved one. This is done by either doing research beforehand or using social engineering tactics and assumptions to glean information of the relative off of the victim. For example, since elderly are more vulnerable to scams compared to the average population, the scammers can assume that the elderly probably have children or grandchildren. The scammer will threaten to harm the relative if the victim hangs up. In certain cases the scammer will even let victims talk to the “abducted relative'' but due to fear, confusion, and the effect of the phone on a person's voice, the victim may fail to notice that the fake abducted relative is not actually the relative.


Detection and prevention

Voice phishing attacks can be difficult for victims to identify because legitimate institutions such as banks sometimes ask for sensitive personal information over the phone. Phishing schemes may employ pre-recorded messages of notable, regional banks to make them indistinguishable from legitimate calls. Additionally, victims, particularly the elderly, may forget or not know about scammers’ ability to modify their caller ID, making them more vulnerable to voice phishing attacks. The US Federal Trade Commission (FTC) suggests several ways for the average consumer to detect phone scams. The FTC warns against making payments using cash, gift cards, and prepaid cards, and asserts that government agencies do not call citizens to discuss personal information such as Social Security numbers. Additionally, potential victims can pay attention to characteristics of the phone call, such as the tone or accent of the caller or the urgency of the phone call to determine whether or not the call is legitimate. The primary strategy recommended by the FTC to avoid falling victim to voice phishing is to not answer calls from unknown numbers. However, when a scammer utilizes VoIP to spoof their caller ID, or in circumstances where victims do answer calls, other strategies include not pressing buttons when prompted, and not answering any questions asked by a suspicious caller. On March 31, 2020, in an effort to reduce vishing attacks that utilize caller ID spoofing, the US Federal Communications Commission adopted a set of mandates known as
STIR/SHAKEN STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legit ...
, a framework intended to be used by phone companies to authenticate caller ID information. All U.S. phone service providers had until June 30, 2021, to comply with the order and integrate
STIR/SHAKEN STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legit ...
into their infrastructure to lessen the impact of caller ID spoofing. In some countries, social media is used to call and communicate with the public. On certain social media platforms, government and bank profiles are verified and unverified government and bank profiles would be fake profiles.


Solutions

The most direct and effective mitigation strategy is training the general public to understand common traits of a voice phishing attack to detect phishing messages. A more technical approach would be the use of software detection methods. Generally, such mechanisms are able to differentiate between phishing calls and honest messages and can be more cheaply implemented than public training.


Detection of phishing

A straightforward method of phishing detection is the usage of blacklists. Recent research has attempted to make accurate distinctions between legitimate calls and phishing attacks using artificial intelligence and data analysis. By analyzing and converting phone calls to texts, artificial intelligence mechanisms such as natural language processing can be used to identify if the phone call is a phishing attack.


Offensive approaches

Specialized systems, such as phone apps, can submit fake data to phishing calls. Additionally, various law enforcement agencies are continually making efforts to discourage scammers from conducting phishing calls by imposing harsher penalties upon attackers.


Notable examples


IRS Phone Scam

Between 2012 and 2016, a voice phishing scam ring posed as Internal Revenue Service and immigration employees to more than 50,000 individuals, stealing hundreds of millions of dollars as well as victims’ personal information. Alleged co-conspirators from the United States and India threatened vulnerable respondents with “arrest, imprisonment, fines, or deportation.” In 2018, twenty-four defendants were sentenced, with the longest term of imprisonment being twenty years.


COVID-19 Coronavirus disease 2019 (COVID-19) is a contagious disease caused by a virus, the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). The first known case was identified in Wuhan, China, in December 2019. The disease quickly ...
Scams

On March 28, 2021, the Federal Communications Commission issued a statement warning Americans of the rising number of phone scams regarding fraudulent COVID-19 products. Voice phishing schemes attempting to sell products which putatively “prevent, treat, mitigate, diagnose or cure” COVID-19 have been monitored by the Food and Drug Administration as well.


Hollywood Con Queen Scam The "Con Queen" scam is a long-running and elaborate scam perpetrated by the so-called Hollywood Con Queen, an Indonesian impostor named Hargobind Punjabi Tahilramani who was eventually found and arrested. The con, which was successfully operated f ...

Beginning in 2015, a phishing scammer impersonated Hollywood make-up artists and powerful female executives in order to coerce victims to travel to Indonesia and pay sums of money under the premise that they'll be reimbursed. Using social engineering, the scammer researched the lives of their victims extensively in order to mine details in order to make the impersonation more believable. The scammer called victims directly, often multiple times a day and for hours at a time, in order to pressure victims.


Thamar Reservoir Cyberattack

The 2015 cyber attack campaign against the Israeli academic Dr. Thamar Eilam Gindin illustrates the use of a vishing attack as a precursor to escalating future attacks with the new information coerced from a victim. After the Iran-expert academic mentioned connections within Iran on Israeli Army Radio, Thamar received a phone call to request an interview with the professor for the Persian BBC. To view the questions ahead of the proposed interview, Thamar was instructed to access a Google Drive document that requested her password for access. By entering her password in to access the malicious document, the attacker can use the credentials for further elevated attacks.


Mobile Bank ID Scam

In Sweden, Mobile Bank ID is a phone app (launched 2011) that is used to identify a user in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, the user enters a password in the phone and is logged in. In this scam, malicious actors called people, claimed to be a bank officer, claimed there was a security problem and asked the victim to use their Mobile Bank ID app. Fraudsters were then able to log in to the victim's account without the victim ever giving away their password. The fraudster was then able to transfer money from the victim's account. If the victim was a customer of the Swedish bank
Nordea Nordea Bank Abp, commonly referred to as Nordea, is a European financial services group operating in northern Europe and based in Helsinki, Finland. The name is a blend of the words "Nordic" and "idea". The bank is the result of the successive m ...
, scammers were also able to use the victim's account directly from their phone. In 2018, the app was changed to require users to photograph a QR code on their computer screen. This ensures that the phone and the computer are physically located in the same room, which has mostly eliminated this type of fraud.


See also

*
Phone fraud Phone fraud, or more generally communications fraud, is the use of telecommunications products or services with the intention of illegally acquiring money from, or failing to pay, a telecommunication company or its customers. Many operators hav ...
*
SMiShing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
*
Voice cloning Digital cloning is an emerging technology, that involves deep-learning algorithms, which allows one to manipulate currently existing audio, photos, and videos that are hyper-realistic. One of the impacts of such technology is that hyper-realistic ...
*
VoIP spam VoIP spam or SPIT (spam over Internet telephony) is unsolicited, automatically dialed telephone calls, typically using voice over Internet Protocol (VoIP) technology. VoIP systems, like e-mail and other Internet applications, are susceptible to a ...


References


External links

* https://www.bbc.co.uk/news/business-34425717 Legal career "hit by vishing scam" * https://www.bbc.co.uk/news/business-34153962 Caught on tape: How phone scammers tricked a victim out of £12,000 By Joe Lynam & Ben Carter BBC News * vnunet.com story
Cyber-criminals switch to VoIP "vishing"
* BBC News story
Criminals exploit net phone calls
* The Paper PC:

* The Register
FBI warns over "alarming" rise in American "vishing"
* Vice Media
How a Hacker Can Take Over Your Life by Hijacking Your Phone Number
An assessment of how call centre staff handle a vishing call. {{Spamming Fraud Computer security exploits Deception Telephony Voice over IP Social engineering (computer security)