Vishing, or voice phishing, is a type of fraud that uses voice communication (phone calls) to trick victims into, for example, disclosing personal data such as online account credentials or financial information.
As with other types of phishing, vishing attacks use social engineering to gain the victim’s trust, scare or confuse them, or create a sense of urgency. Attackers (“vishers”) may pose as employees of reputable companies, acquaintances of the victim, police officers, or government officials.
The term “vishing” is used both narrowly, for data-theft scams, and broadly, for any kind of telephone fraud, including schemes in which victims are lured into transferring money or installing malware.
Methods of attack
Vishers can:
- Call the potential victim. Calls placed over IP telephony make it easy to spoof the caller ID shown on the target device, so the displayed number is no proof of who is calling.
- Send a phone number to the potential victim by text, instant message, or email. This technique uses social engineering to get the user to initiate the call to the scammers themselves. As a rule, the message is made to look automated (a system notification rather than a person), so that the potential victim is less likely to reply in writing and more likely to call the number provided.
- Use websites that display a fake warning (hoax) about malware detected on the victim’s device, together with a number to call to resolve the issue.
- Use real malware that, for example, silently redirects incoming calls to a fake call center run by the attackers.
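The second method above (a message carrying a number the victim is meant to call back) leaves a recognisable pattern: a phone number combined with urgency language, a “do not reply”/automated marker, and an account or payment pretext. The following heuristic scanner, added here as an illustration and not taken from the original page, runs that logic over a few constructed sample messages. The sample texts, indicator word lists, and the threshold of two indicators are assumptions for the example; a real SMS or mail filter would tune them on its own traffic.

```python
import re

# Constructed sample messages for this example (not taken from the original page):
# three callback lures and two benign texts, one of which also contains a phone number.
SAMPLE_MESSAGES = [
    "Your account has been locked due to suspicious activity. "
    "Call +1 (800) 555-0142 within 24 hours. Do not reply to this message.",
    "Invoice #88213 for $499.99 has been charged to your card. "
    "To cancel, call 800-555-0199 immediately. This is an automated notice.",
    "Thanks for dinner yesterday! Call me when you get a chance, 555-0133",
    "Your package is out for delivery. Track at the usual place.",
    "Security alert: unusual sign-in detected. Verify now by calling 0800 555 0188. No reply needed.",
]

# Candidate phone numbers: optional +, then digits with common separators; length is checked after normalisation.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{5,}\d")

# Indicator vocabularies (assumed word lists, tuned for this example only).
INDICATORS = {
    "urgency": r"\b(immediately|now|within \d+ hours?|locked|suspended|suspicious|unusual|alert|unauthori[sz]ed)\b",
    "no_reply": r"\b(do not reply|no reply|automated|auto-generated|unmonitored)\b",
    "pretext": r"\b(account|card|invoice|charged|payment|sign-in|security|refund|tax)\b",
}
INDICATOR_RES = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}


def extract_phone_numbers(text):
    """Return phone numbers found in text, normalised to bare digit strings."""
    numbers = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 7 <= len(digits) <= 15:  # plausible national or E.164 length
            numbers.append(digits)
    return numbers


def score_message(text):
    """Return the phone numbers found and which lure indicators the text triggers."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATOR_RES.items()}
    return {"numbers": extract_phone_numbers(text), "indicators": hits}


def is_callback_lure(text, min_indicators=2):
    """A message is a callback lure if it carries a phone number AND at least
    min_indicators of: urgency language, an automated/no-reply marker, a
    financial or account pretext. A number on its own is never enough: a
    friend texting a number to call must not be flagged."""
    result = score_message(text)
    if not result["numbers"]:
        return False
    return sum(result["indicators"].values()) >= min_indicators


def scan_messages(messages):
    """Return (index, numbers, triggered indicators) for every flagged message."""
    flagged = []
    for i, msg in enumerate(messages):
        if is_callback_lure(msg):
            r = score_message(msg)
            reasons = [name for name, hit in r["indicators"].items() if hit]
            flagged.append((i, r["numbers"], reasons))
    return flagged


if __name__ == "__main__":
    for idx, numbers, reasons in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: callback number(s) {numbers}, indicators {reasons}")
```

Only messages 0, 1 and 4 are flagged; message 2 contains a number but none of the lure indicators, and message 3 contains no number at all. The extracted digit strings are what you would match against a blocklist or a reputation feed of known scam callback numbers.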
Typical vishing attack scenarios
Attackers deploy vishing in a variety of schemes. Below are some of the most common:
- Financial fraud. Scammers pose as employees of a bank, credit organization, tax office, or other financial institution. They call the potential victim to report a problem with their account, such as an unauthorized transaction or unpaid taxes. The user is told that, to resolve the issue, they need to make a payment or provide online banking credentials and a one-time code. A genuine bank never asks a customer to read out a one-time code over the phone; that request alone identifies the call as fraudulent.
- Technical support scam. Attackers posing as employees of a corporate technical support or IT service inform the user of an alleged issue with their computer or account. To fix it, the victim is asked to provide the callers with credentials and device access, or install a special program (commonly a remote access tool) to address the problem remotely.
- Easy money. Scammers inform the victim of a fictitious large win or incoming payment and, under this pretext, trick them into handing over personal data and account or card details that are supposedly needed to deliver the bank transfer.
- Calls from sales representatives. Posing as sales staff, attackers offer non-existent products or services at knockdown prices in an attempt to extract personal and banking information from the victim, purportedly for order placement or payment.
- Bogus requests for help. Scammers impersonating charity workers or police officers call the victim and ask either for bank details, supposedly to take a donation for people in need, or for personal information, supposedly to assist in an investigation.