In this article, we'll cover:
What is vishing?
Vishing is a modern fraud tactic that utilises and manipulates voice over IP telephony. Otherwise known as voice or VoIP phishing (or voice phishing), has become more common in recent years, sees unofficial, unauthorised entities targeting individuals and businesses over the phone to uncover sensitive personal or financial information.
Commonly conducted via voice email, business phone systems, VoIP calls, landline phones or mobile phone, vishing attacks often come in the form of speech synthesised messages but can also take the form of a seemingly authentic conversation. Most often, the vishing attacker will imitate a legitimate, reputable organisation, implying to the recipient that some form of suspicious activity has taken place relating to their bank account or other financial service accounts.
Like with other types of phishing scams (any fraudulent, proactive attempt to obtain sensitive information or data), VoIP phishing relies upon social norms to gain the victims’ unwarranted trust and generate success. Many scams take place from other countries, and voice-to-text synthesisers and recorded messages allow fraudsters to disguise their identity.
Most scams have the aim of victims giving up PINs, security codes and passwords, with the ultimate goal of committing identity theft or stealing money directly from a financial account.
Many scams use a technique known as ‘caller ID spoofing. This enables them to connect calls from what appears to be a genuine or local number. This means the recipient trusts the source and feels compelled to answer the call. Likewise, the scammers also have the ability to leave a pre-prepared voicemail message, encouraging victims to call a dedicated number should the original call go unanswered. In many cases of pre-recorded scams, the victim is told to call a seemingly legitimate phone number to ‘confirm’ their details or verify their identity. In many cases, somewhat ironically, the victim is urged to take action under the guise of preventing or blocking fraudulent activity.
Unfortunately, the relative novelty and subsequent lack of awareness of vishing is a fraudulent technique has means many victims have fallen foul of successful attacks in recent years. Vishing is a common cybercrime that has become particularly prevalent in recent months because of the circumstances of the Covid-19 pandemic.
What’s more, authorities have difficulty tracking these fraudsters, particularly when scams are conducted using less traceable and easily accessible VoIP technology that is readily available to them in the digital age. Even if the scammers are traced, campaigns conducted overseas may render authorities powerless in terms of sovereign law enforcement.
According to Action Fraud, the national centre for fraud and cybercrime. 70,000 suspicious calls were reported in the UK alone in the year to April 2019. No doubt, in 2020, that number would have increased exponentially as hackers and cybercriminals took advantage of the widespread home-working landscape. Likewise, in the US, in 2018, vishing crimes cost victims $48 million, according to the FBI’s Internet Crime Complaint Center.
Common vishing scams
Bank or financial institution fraud
Of the many vishing scams that occur annually, bank fraud vishing attempts are likely to be the most common. Bank fraud attempts see scammers call victims, often using a bespoke number with a familiar or local area code or even a registered business you’d recognise. Believing the legitimacy of the call, the victim answers and is (most commonly) played a pre-recorded robotic message advising that their bank account has been compromised in some way.
It’s likely the message will include a number for you to call to secure your bank account. The message will also encourage urgency, with messaging such as, ‘call now to secure these compromised funds’ or risk losing your money, or some other consequence, meaning many have fallen victim to these common fraud campaigns.
Scammers often choose well established, widely recognised institutions or government agencies such as HMRC or Royal Mail in the UK. In some cases, scammers manipulate social circumstances to exploit the vulnerable. For example, as a result of mass home working, a sophisticated scam circulated during the initial nationwide lockdown imitating computer tech support triggered after a contrived fault or problem with a consumer’s laptop or PC. Another recent, sophisticated phishing scandal saw cybercriminals contacting the elderly regarding their Coronavirus vaccination, imitating the UK national health service to con victims into giving away their personal data.
Common scams will imitate banks and financial institutions. Still, cybercriminals can choose to imitate any organisation, particularly manipulating trusted and reputable brands or organisations to further dupe unsuspecting public members.
How VoIP makes phishing easier
Vishing attacks continue to be an issue for society as criminals can easily go undetected. It is easy for these scammers to cover their tracks. VoIP technology plays a key role in these covert scam operations.
Using fake numbers, data thieves can utilise advanced voice features and functions to contact members of the public, emulating an employee or bank representative from a reputable organisation, gaining the unwarranted trust of their victim purely by tampering with phone numbers and caller IDs. Easy manipulation of caller IDs means callers can pretend to be an HSBC agent, PayPal representative, or a helpful, friendly Microsoft support engineer without being suspected as a spoof.
VoIP systems are notably easy to use and easy to configure. That means it is relatively easy for scammers to make calls and send smishing text messages using these voices over IP systems. Often manipulating local numbers, attackers can also abandon a certain phone number at any time, meaning their scam project becomes even more difficult to trace. Easy access to new numbers means these scam operations can start from scratch repeatedly and use for various new phone scams.
These cybercriminals resort to VoIP because the hardware required, such as IP phones, routers, and IP PBXs, are relatively accessible and inexpensive. The modern, easy to obtain technology and software enables hackers to connect voice manipulation software, protect their callers’ identities, and record phone calls to easily extract, review and utilise victims sensitive banking information such as your credit card number or bank details.
How to spot a vishing scam
Vishing can affect any member of the public. That means your business employees and your customers and clients could be targeted. It’s important to generate awareness and educate your workforce about common potential vishing scams, particularly as a rise in remote working makes us all a little more vulnerable to these fraudsters than ever before.
Learning how to spot vishing calls is crucial. Here are a few tips on how you and your employees might spot the signs and raise the red flag before it’s too late.
1. Be wary of unsolicited phone calls
While it’s tempting to pick up the phone, especially if the caller ID claims it’s your bank or another organisation you know, it’s important to practice vigilance when it comes to unexpected phone calls. Many organisations won’t actively call customers or only do so on infrequent occasions. HMRC, for example, don’t proactively make contact over the phone, so if someone calls or you get a recorded message regarding ‘tax fraud’, you’ll know how to handle it.
2. Be aware of fear-mongering
If a caller tries to elicit a sense of urgency and fear, it means your most likely dealing with a scammer. Legitimate professional agents wouldn’t do this, as they’re trained to stay calm and pragmatic even in real-life fraud-prevention situations. On the other hand, scammers are tricksy and will deliberately tap into your natural fears to provoke urgency. These fraudsters know that when we are fearful, we make irrational decisions. Remaining calm is key. End the call and look up the legitimate phone number for the organisation to report the call.
3. Protect your personal information
Even if a legitimate organisation actively makes calls to their customers, they won’t ask for personal or financial details. As with fear-mongering, any attempt to glean personal information from you should raise a red flag. Remain vigilant and cynical when it comes to any unsolicited calls. If a caller asks you for any information, whether it’s your NI number, a PIN or even just your date of birth, it’s best to hang up and then contact the organisation they claimed they were calling from directly.
RELATED READING: How to Setup a VoIP Server at Home & In Your Office
How to Prevent Vishing Attacks on Your Business
In recent months, vishing attacks have risen because of the increasing number of home workers and a high success rate in gathering the sensitive information attackers need. It’s important to remember; this isn’t just a threat to the consumer.
When it comes to vishing attacks, it is not just members of the public that are vulnerable. Attackers also target businesses (via your employees) to glean sensitive data and information. Much like other social engineering schemes, a vishing attackers aim is to gain access to your corporate data, the networks, or any other information that could be used fraudulently.
With remote working set to endure even as we wend our way out of the pandemic, employees must become trusted gatekeepers for your company intellectual property and data as well as their own. Not only could your employees have business information stored within their personal devices, but they also have access to internal resources from afar.
Businesses need to protect themselves and their employees from VoIP-based scammers by setting clear regulations and policies regarding information sharing, data protection and security processes. If you’re worried your business security isn’t up to scratch, now is the time to mitigate security issues and implement processes to protect your customers and staff from the increasing number of cybercrimes taking place. Making your employees aware and educating the workforce on the increasing risk of these cyber breaches should be the first step in protecting your business.
Preventing vishing attacks will be much easier with a workforce engaged with the cause, so laying the foundations of awareness first is key. It’s important to let workers know that learning about cybercrime helps them stay protected at work and when they work remotely and in their personal lives.
Here are a few things you and your employees should be aware of to help protect your business, and your individual team members, against VoIP-based cybercrime.
- Be sensible with social media.
Employees need to be aware that their social profile can reveal a lot of public information. Many scam campaigns look to replicate your business logo and branding, so listing your workplace with official logos on public profiles can put the employee and your workplace at risk. Likewise, social media posts about work projects, as well as the ‘about me’ section of your social profile, could reveal more about your business than you might imagine. It can be shocking how much a little research via a search engine could reveal, so it might be worth advising that social profiles are kept private, especially if your employees choose to use social media to post about their work-life as well as their leisure time.
- Protecting your passwords.
Encouraging employees to make better choices when it comes to passwords is crucial. Reuse of passwords can put employees and the businesses they work for at a higher risk of data breach attacks. Advocating the regular renewal of passwords or the use of free password management tools such as LastPass could make your credentials much harder to hack. It could help protect your employees and your business information.
- Be suspicious of unsolicited phone calls.
Advocating alertness and vigilance when it comes to unexpected phone calls is really important, especially as home working means more phone calls will be answered during or outside working hours. Educate your team members on the points we outlined above to spot a vishing scam and raise the red flag.
It’s fair to say; vishing attacks are unlikely to decrease as the pandemic reaches an endpoint. Many businesses choose to continue to allow home working and remote working, which means you must choose the tools you use wisely, partnering with suppliers that support and uphold your privacy. Your staff must remain aware and stay vigilant to mitigate these threats.
Originally published Apr 06, 2021, updated Apr 10, 2023