Vishing: Voice-Based Phishing Attacks and Prevention Strategies
At their core, all social engineering tactics exploit psychological principles to manipulate individuals into taking certain actions or divulging confidential information. Vishing, or voice-based phishing, leverages the trust that people tend to instinctively place in real-time, human-to-human conversations.
The rise in these attacks is alarming, with more scammers turning to voice-based tactics to exploit unsuspecting victims. As technology advances, voice-driven schemes get harder to detect. Employees at all organizational levels must stay informed and vigilant about the threat that vishing poses.
Read on to get a comprehensive understanding of vishing, including its meaning, tactics, and potential risks. You’ll also get actionable strategies that both your business and its users can deploy to prevent successful attacks.
What is Vishing?
Vishing is a social engineering method in which malicious actors use phone calls to pose as a legitimate entity, such as a bank, tech support, or even someone from within the upper hierarchy of a company. These fraudulent calls use a range of emotionally manipulative techniques, such as creating fear and urgency, using charm, or exploiting trust. Ultimately, this voice-based psychological manipulation can deceive people into disclosing sensitive information.
Recognizing Vishing Attacks
While traditional phishing predominantly uses deceptive emails to lure victims, voice-based phishing adds a more personal touch by using phone calls as the lure. Here are some real-world vishing scenarios commonly encountered in both a business and personal setting:
- Caller impersonation: Scammers call someone and pretend they’re from a trusted institution, like that person’s bank, IT support, or the IRS. Using carefully crafted scripts, they’ll make their plea sound genuine. Often this scenario takes the form of a call to authority: the scammer presents themselves as a figure of authority or an expert in a specific domain, such as technical or IT support, and exploits the victim’s lack of knowledge in that domain to gain their trust and manipulate them more easily.
- Urgent requests: An attacker might claim there’s an emergency, like suspicious activity or an unpaid company invoice. This creates a sense of urgency to push victims into sharing information or transferring funds without proper scrutiny.
- False sense of trust: Sometimes, attackers use prior knowledge (possibly from other data breaches) to make their calls seem legitimate. They might already have some of a person’s details, which they can use to gain the trust of people who might otherwise be hesitant to disclose information.
Vishing vs Phishing
At first glance, it might seem that vishing and phishing are only slightly different types of social engineering. The primary distinction lies in the interaction medium, voice versus text, but the differences between vishing and phishing go beyond that surface level.
While phishing attacks play on visual cues like official logos in emails to deceive users, voice-based phishing utilizes the nuances of human voices. The tone, inflection, and emotion conveyed in a voice instill trust, urgency, or fear to make this tactic potentially more emotionally manipulative than its text-based counterpart. The spoken word has an immediacy that written communication often lacks, which makes voice-based scams a potent tool in the modern hacker’s arsenal.
Recent Examples of Vishing Attacks
To further understand the threat, it’s worth highlighting some recent real-world vishing examples.
Morgan Stanley Wealth Management
In February 2022, a number of wealth management clients at Morgan Stanley Wealth Management had their accounts breached in a vishing campaign. These attacks were of the caller impersonation type, where hackers managed to impersonate Morgan Stanley employees and dupe clients into disclosing login credentials. The hackers then used the compromised accounts to execute unauthorized fund transfers to their own accounts via the Zelle payment transfer service.
Twilio
Popular customer engagement platform Twilio suffered a series of breaches in 2022, one of which involved a vishing attack on a Twilio employee. Threat actors used phone calls to trick an employee into disclosing their credentials in what was likely a scam impersonating the company’s IT helpdesk. After compromising the employee’s account, the adversaries then managed to access data belonging to a number of Twilio customers.
Use Cases and Statistics
Beyond the examples of recent real-world vishing incidents, delving into some use cases and statistics helps to further contextualize the threat of this type of social engineering attack.
Corporate Espionage
Vishing is not solely a threat to individual consumers—businesses, with their vast repositories of data and financial assets, are equally, if not more, appealing to attackers.
Attackers might use pretexting – a technique where they create fabricated scenarios to extract information. With bits of insider information (often gleaned from a previous data breach or social media), they might pose as an IT consultant or a vendor using a plausible pretext to ask for sensitive data.
The corporate world’s complex interdependencies and valuable data, coupled with the trust employees place in their colleagues and superiors, makes businesses particularly vulnerable to these social engineering tactics. Attackers are well aware that humans are often the weakest link in the security chain.
Financial Fraud
A major motive behind vishing attacks is to commit financial fraud. Often this fraud entails convincing people to disclose credit card information. A shocking statistic found that Americans lost $29.8 billion to scam calls in 2021. In a business environment, financial fraud via voice-based phishing involves convincing an authorized employee to make an unauthorized transfer of funds, usually by preying on client-vendor or business partner relationships.
Most financial fraud involves malicious actors posing as representatives from legitimate entities like banks, credit card companies, or even tax agencies. The scammer initiates calls to unsuspecting individuals.
Using a blend of social engineering tactics, they might alert the target about suspicious activity on their card, highlight an enticing low-interest loan offer, or claim they’re due a refund. To “resolve” the issue, avail of the offer, or process the supposed refund, the caller requests the target’s credit card details, including the CVV and expiry date.
Identity Theft
The ability to masquerade as trustworthy entities, such as banks, government agencies, or service providers fosters a sense of legitimacy and urgency. Using well-crafted scripts and the persuasive ability of human voices, adversaries come up with plausible issues that seem to require fixing. In their attempt to “resolve” fabricated issues, the scammer requests sensitive information like Social Security numbers, birthdates, addresses, and even details of family members.
Once in possession of this information, hackers have a treasure trove that enables them to impersonate their victims. They can open new bank accounts, apply for loans or credit cards, make unauthorized transactions, or even commit more elaborate frauds, such as medical identity theft or employment-related fraud. Aite Group projects that losses from all identity theft will increase to $635.4 billion in 2023.
Vishing Prevention Strategies
Now that you have a solid understanding of the threat of vishing, what are some good ways to prevent it?
- Educating Individuals
The first line of defense is knowledge. Familiarity with common tactics and knowing what signs to look out for, such as unsolicited requests for personal details or pressure to act quickly, better equips employees to detect scams. This education can come from online sources or even flyers dotted around the office as reminders.
Advise employees to take a skeptical attitude towards unsolicited phone calls. It’s inadvisable to provide any information or take any action over the phone without extra verification. Tips like listening for generic greetings, poor call quality, or even checking the authenticity of the Caller ID are helpful.
- Implementing Multi-Factor Authentication (MFA)
MFA requires users to provide two or more distinct categories of verification before accessing an account. Enabling MFA significantly reduces the damage potential of voice phishing attempts. Even if attackers get hold of an employee’s login details from a believable phone call, they won’t easily gain unauthorized access to that person’s account without having another piece of evidence to verify their identity.
- Call Screening and Blocking
Modern smartphones offer a plethora of apps designed to identify and block suspicious or unwanted calls. These apps often maintain databases of reported scam numbers and can preemptively warn users or block such calls. Encourage employees to use reputable call screening apps and you can weed out many vishing calls.
- Contacting Legitimate Sources
If there’s any doubt about a call’s legitimacy, hanging up and contacting the purported organization or person directly using official channels is the most prudent approach. Official websites are usually the best sources to find the real phone number and ensure you’re in contact with legitimate sources.
- Regular Security Training
In a corporate setting, regular training sessions can be invaluable. By simulating vishing attempts and teaching employees to recognize and report them, you can build a stronger human firewall that’s aware, vigilant, and resilient against voice phishing tactics.
Combating Vishing Through Technology
The prevention strategies outlined above go a long way towards reducing risks, but it’s important to underscore the various types of technological solutions that also address this threat.
Voice recognition technology
Voice recognition technology identifies and distinguishes between different voice patterns. This type of technology works by converting spoken language into text and analyzing the distinct acoustic features of an individual’s speech (e.g. cadence, speed, pitch).
Advanced forms of this technology use voice biometrics to validate the identity of callers. By creating a voiceprint, similar to a fingerprint, of known legitimate callers (like bank representatives, finance department personnel, and senior executives), systems can instantly verify if an incoming call is from a trusted source or a potential scammer. This voiceprint uses mathematics to digitally capture the unique acoustic characteristics that make up a person’s voice.
One concern, however, with using voice recognition technology as a vishing countermeasure is the ongoing advancement of deepfake technology. A recent report highlighted how deepfake software fools voice-based authentication with 99 percent success. Other types of biometrics are more reliable for authentication purposes.
AI-based algorithms
Traditional methods of fraudulent call detection often rely on static data, such as blacklisted numbers. AI, on the other hand, brings dynamic analysis into the mix. Machine learning models can be trained to identify suspicious patterns in call metadata, speech nuances, or even background noise inconsistencies.
Furthermore, the use of natural language processing (NLP) allows AI systems to analyze the content of conversations for common vishing scripts or persuasive tactics. Over time, as these systems encounter more voice phishing attempts by hackers, they continually learn and refine their detection capabilities.
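As an added illustration of the static-versus-dynamic contrast described above (this is example code, not code from the original article or from any product it mentions), the Python below screens constructed call records against a reported-number blocklist and additionally flags the dynamic pattern of one outside number reaching several different employees within a few minutes. The call records, the blocklist entry, the ten-minute window and the three-extension threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records from a company phone system: (time, caller ID, callee extension).
# These are made-up values for the example, not real logs.
SAMPLE_CDRS = [
    (datetime(2023, 9, 1, 9, 0), "+1 (555) 010-0000", "101"),
    (datetime(2023, 9, 1, 9, 1), "555-010-0200", "101"),
    (datetime(2023, 9, 1, 9, 3), "555-010-0200", "102"),
    (datetime(2023, 9, 1, 9, 5), "555-010-0200", "103"),
    (datetime(2023, 9, 1, 9, 0), "+1-555-010-0300", "104"),
    (datetime(2023, 9, 1, 9, 30), "+1-555-010-0300", "104"),
    (datetime(2023, 9, 1, 10, 0), "555-010-0400", "105"),
]
# Constructed "reported scam numbers" set, playing the role of the static blacklist the text mentions.
BLOCKLIST = {"+15550100000"}


def normalize(number: str) -> str:
    """Reduce a caller ID to E.164-style digits so formatting differences cannot slip past the blocklist."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 10:  # assumption: 10-digit numbers are North American and lack the country code
        digits = "1" + digits
    return "+" + digits


def screen_calls(cdrs, blocklist, burst_threshold=3, window=timedelta(minutes=10)):
    """Return (caller, reason) flags: static blocklist hits plus the dynamic 'one number sweeps many employees' pattern."""
    flags = []
    by_caller = defaultdict(list)
    for ts, caller, callee in sorted(cdrs, key=lambda r: r[0]):
        caller = normalize(caller)
        if caller in blocklist:
            hit = (caller, "number is on the reported-scam blocklist")
            if hit not in flags:
                flags.append(hit)
            continue
        by_caller[caller].append((ts, callee))
    # Dynamic pattern: a single caller reaching many distinct extensions inside one sliding window,
    # which a static list cannot catch when the number has never been reported before.
    for caller, calls in by_caller.items():
        for start, _ in calls:
            targets = {c for t, c in calls if start <= t < start + window}
            if len(targets) >= burst_threshold:
                flags.append((caller, f"{len(targets)} distinct extensions called within {window}"))
                break
    return flags
```

Running `screen_calls(SAMPLE_CDRS, BLOCKLIST)` flags the blocklisted number and the unknown number that swept three extensions in four minutes, while the two legitimate-looking callers produce no flag.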
Continuous improvement makes AI-based algorithms increasingly adept. However, in the arms race between AI detection tools and the technology that powers deepfakes, it’s likely that the voice-emulating technology will maintain an edge. Enormous improvements in short timespans keep surprising experts when it comes to deepfakes and other generative AI technologies, which makes detection an uphill battle.
Conclusion
Vishing attacks provide a stark reminder that modern threat actors have many effective ways to exploit trust. By targeting the more personal realm of voice communication, voice-based scams regularly lead to stolen credit cards, unauthorized business fund transfers, identity theft, and access to sensitive company information.
Vigilance is the watchword for both companies and individuals to mitigate these costly attacks. Proactive prevention measures are a necessity, and every step from education to the most advanced technological defenses is helpful. But it is worth noting that education is more valuable and less costly than relying on advanced tools, with a reported ROI of 69 percent for small companies and 562 percent for large organizations.
In a business context, many vishing scams target login credentials for user accounts that hackers can then pivot from to achieve their goals. While MFA is the recommended countermeasure, you can take authentication to the next level by eliminating any reliance on passwords.
At Kelvin Zero, we are building next-gen authentication and trust solutions to do exactly that. With our flagship solution, Multi-Pass, we are replacing passwords with enterprise-grade, phishing resistant passwordless MFA so you can stay one step ahead.
Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization integrate trust throughout all of its operations.