Home

 › 

Articles

 › 

What Is Vishing and Why Is It Dangerous?

Vishing call warning and alert on smart phone concept. Be careful against vishing attack by imposter and don’t give away passwords and another sensitive data. Smart phone cybersecurity concept.

Tagged

What Is Vishing and Why Is It Dangerous?

Published: by Liam Frady | Leave a comment

Have you ever heard of vishing? There is no shortage of attacks meant to compromise your data in 2023. Vishing is just one of many social engineering attacks that have emerged as a result of the reach and scope of modern technology. It is different from other attacks in that there is a very different and real human connection in some regard.

Thankfully, with a little foresight and knowledge, as you’ll discover, you can avoid and prevent these attacks. Your data is highly valuable, despite what you might think. With precious commodities like your banking and other financial data at risk, it pays to be aware of the sort of threat vishing poses to you.

What Is Vishing?

Vishing (voice phishing) concept, a smartphone on a table next to computer keyboard and sunglasses show an unknown caller call with vishing alert and a reminder to not share personal bank data
There is no rhyme or reason to when a vishing call can take place. They are, sadly, a common occurrence.

©Cristian Storto/Shutterstock.com

Vishing is short for voice phishing. For readers who might be unaware, phishing is a social engineering attack that relies on emails or other messages to obtain key information or compromise a computer. Voice phishing is similar in scope, but relies on fraudulent calls meant to extract information or sensitive details that only you would know.

Vishing as a whole is extremely common, with the FCC reporting over four billion robocalls per month in 2020. As such, it helps to be vigilant. As we noted, vishing is a social engineering attack, which differs from other cybercrime. While hackers might rely on things like SQL injections and compromised web portals for computers, social engineering is a whole different ballpark that requires knowledge to avoid.

How Does Social Engineering Work?

Social engineering is a methodology of attacks that relies upon social expectations and norms. Usually with vishing, there is a degree of supposed authority placed on the perpetrator. They might be posing as an official from a bank, law enforcement, or some other organization where there is a threat of real repercussions.

Authoritative social engineering attacks rely on fear and anxiety, hoping the victim is seeking to avoid punishment. In some ways, it is similar to ransomware, as an attacker is seeking financial gain through the course of an attack. Other social engineering attacks include tailgating, piggybacking, mishing, and phishing.

Additional Risks Associated with Vishing

Voice phishing attacks have grown more sophisticated with the advent of technology. While fraudulent phone calls are certainly nothing new, they haven’t really grown to this scope until the last decade or so. Here are a few common risks you need to be aware of when approaching an unknown call.

Deepfakes

The news has been rife with stories surrounding AI and its impact on the general population. Deepfakes are a worryingly common occurrence with voice phishing attacks. What these essentially entail is an AI program meant to mimic the tone, cadence, and speech patterns of a normal person.

Now, this might not be a surefire method of attack, especially if you’re out of the loop with certain individuals. That said, it still poses an inherent risk because you could be unaware that an attack is taking place if you are familiar with the individual being deepfaked.

That said, there are certain tells with AI-generated voice messages. You can often hear slight oddities in pronunciation, and unusual emphasis on certain syllables.

Robocalls

Who doesn’t receive robocalls these days? While most users will avoid these on pure instinct, they still do pose an inherent risk. Consider the fact that most banking institutions, services, and other utilities rely on computer-generated voice assistants. There is a degree of plausibility to receiving a message with sensitive details.

However, one thing to keep in mind is that most banks, utilities, and other businesses aren’t going to request sensitive information given directly to the voice assistant. While most companies are out for profit, it would be a legal nightmare to request sensitive information through a voicemail. You can often find spam filters for your smartphone to help avoid robocalls.

Real People

Real people are arguably the most dangerous of voice phishing methods to receive. There is something decidedly different about talking to a real human being over an AI voice. As such, this one can easily suck in people who are unaware that they’re being swindled.

Again, this is an attack method that requires foresight and knowledge. Be aware that law enforcement, banks, and so forth aren’t going to get highly aggressive over the phone and make demands. With companies, there are policies and regulatory bodies that require compliance.

Law enforcement is more inclined to schedule a meeting or arrange to meet you in person, rather than threaten to arrest you over the phone. Real people can also instigate things, making it seem like they’re taking care of a relative or loved one who is under duress. This can be harder to confirm, especially if they have the name of the person in question.

There is nothing wrong with hanging up the phone and contacting your relative or loved one, to at least verify their safety. After all, a loved one in need isn’t likely to request Bitcoin or PayPal gift cards over the phone.

Common Vishing Scams

Man declining incoming call from unknown caller in park, closeup. Be careful - fraud
The simplest way to avoid a vishing attack is to not answer the phone.

©New Africa/Shutterstock.com

Here are a few common methods of getting personal information through a vishing attack.

Demanding Payment

This might be the most common overall approach to trying to steal personal data. A scammer calls under the pretense of operating under a bank, utility, or any other business that might require payment for a service rendered.

Personally speaking, you typically aren’t going to handle payments on the phone. Most companies will forward you to a web portal or send a message through a secure web portal for you to complete your payment. Taking payments over the phone with no safeguards is a violation of PCI/DSS compliance, which carries jail time and heavy fees for any company engaging in such a practice.

Tech Support

Another common method of attack is posing as tech support for something. You’ll often hear these associated with Microsoft, Samsung, or any other common tech giant. The basic idea is that someone is calling to help you work through a malware infection, ransomware, or some other digital malady.

Most tech giants aren’t going to call customers to work through a problem. Even in enterprise environments with support contracts in place, it isn’t a common practice. Further, most users can handle their cybersecurity at home with a little basic knowledge. This is a method that preys more on the elderly, supposing there is an implied level of tech illiteracy.

Enrollment

Enrollment refers to offering a sort of incentive or benefit to a potential victim. As with tech support, this is another avenue of attack that preys on the elderly. Common scams are offering enrollment into the likes of Social Security, Medicare, Medicaid, and other benefit programs.

One thing to keep in mind is that a person has to initiate contact with the enrolling in any government program. It isn’t an automatic thing where a representative seeks you out.

Methods of Prevention for Vishing

So, how do you prevent vishing? There are a few different approaches.

Avoid Answering Calls

The simplest and most effective method of avoiding vishing is to just not answer calls. If you don’t recognize the number, avoid answering it. This allows you to gauge who is calling, especially if they leave voicemails or other attempts at contact.

Avoid Giving Personal Information Out

This might be a given, but you don’t give out personal information on the phone. Especially if the person on the phone has done nothing to identify themselves beyond some basic facts that anyone could fake. Generally, a company isn’t going to require your account number or other very sensitive information to look you up.

Don’t Trust Caller ID Numbers

It is extremely simple to spoof a phone number. There are quite a few ways to approach this, and vishing attackers know it. As such, don’t trust familiar-looking numbers. In some instances, potential victims have been called by their numbers.

Be Aware of Company Policies

It helps to be aware of what each company is doing, and how they approach handling your sensitive data. You’ll typically find policies in periodic emails or you can even call your bank, utility company, and so on to find out what they can and can’t do on the phone.

Is Vishing Dangerous in Modern Computing?

Vishing is highly dangerous, that is a given. Social engineering attacks don’t have safeguards like firewalls and whitelists to prevent them from happening. As such, stay vigilant when it comes to answering your phone calls.

The image featured at the top of this post is ©Jirsak/Shutterstock.com.

Frequently Asked Questions

Can a firewall prevent a vishing attack?

No, vishing requires a phone call. Preventing network intrusions won’t do much.

Who are the most vulnerable to vishing?

Anyone can be vulnerable to vishing.

Is vishing illegal?

Vishing is highly illegal, and companies found running robocalls have faced extensive fines and jail time.

What's the best way to prevent vishing?

The best way to prevent vishing is to ignore most phone calls and only initiate contact with companies on your own.

Is vishing a form of cybercrime?

Yes, vishing is absolutely a form of cybercrime.

To top