Vishing: How to identify voice phishing and fend off attackers

The term “vishing” is composed of the words “voice” and “phishing”, which is why this modern scamming method is also frequently called voice phishing. Attackers exploit IP technology when vishing in order to carry out a number of inexpensive or free scam calls, and in doing so steal data, passwords, or bank information from unsuspecting victims.

Read on to find out all about “visher” strategies and how you can protect yourself against fraudulent VoIP calls.

With a combination of technical and emotional manipulation, vishers try to get their hands on their victim’s important data. In technical terms, vishing means that a scammer manipulates VoIP technology (Voice over IP) to disguise their own identity and telephone number. The scammer is, therefore, hiding the fact that they are calling from a telephone number that does not belong to them or is not associated with their IP address. Voice phishing is attractive for perpetrators, as the costs for VoIP calls are very low. A visher can, therefore, make many thousands of calls using an active internet connection, and, if successful, gather a large volume of data.

In addition to voice phishing’s technical components, there is also an emotional component. Attackers invent a story that is plausible for the victim and make it appear necessary to act immediately and share sensitive data. These attacks also include social engineering – in other words, calculated, interpersonal influence that is used to gain access to confidential information. Vishers deliberately exploit typical patterns of human behavior through psychological tricks in order to get the victim to disclose sensitive information. Although many different and perfidious vishing scams exist, there is a model that is common to all voice phishing attacks:

1. The attacker phones and describes a problem that consumers have not previously heard about.
2. In order to remedy the problem, the visher demands personal data such as login credentials for an account, account data, or credit card data.
3. The attacker invokes the urgency of the situation and wants to prompt immediate and quick action.

In practice, scammers repeatedly use the same stories in order to get to their victim’s data. Below you will find an overview of the most common scams in order to be able to instinctively distinguish fraudulent calls from legitimate calls.

A popular starting point for scammers when voice phishing is to impersonate a support representative at a large software company. In this scenario, the attacker pretends that they have detected a software problem and have to help you sort it out. For this purpose, they will ask you to download a program that gives the visher full remote access to your computer. Once the devious program is installed, the attacker can plant malware on your computer and steal personal data.

Another example of vishing is when the caller informs you that you have won a prize in a contest. In order to receive the prize, however, you first have to pay for the shipping costs. To do this, you need to send your bank details, along with consent for the electronic direct debit. The scammers then either regularly debit money under the pretext that you agreed to a subscription, or they sell the data on to another scammer.

Voice phishing very often targets your bank or credit card account, which is why many criminals impersonate bank employees. In this scenario, the data theft mostly proceeds without any direct personal contact. The visher leaves a message on your answering machine that informs you that your bank account is in danger due to a hacking or technical error.

When you call back, you will hear a recorded message that requests the access data to your online banking or credit card. The attacker hopes that you will listen to the message and start to panic. Ultimately, there is nothing more sensitive than your financial data.

In order to identify and successfully fend off vishing, vigilance and a healthy mistrust toward authority are required. Generally, you should keep the following clues in mind when on the phone with a supposed company employee:

Tip 1: Always try to think about whether the attacker’s number is an official number for the company that the alleged attacker represents. And even if you find the number on the company website, this is no guarantee that the call is legitimate. Simulating a telephone number is an important component of vishing. Checking the number can only provide a first indication of a crime and fend off crude attacks that are very poorly prepared.

Tip 2: If you have any doubts, you should end the conversation and get in touch with the company’s customer service department yourself. Ask if the number is known to them and if the procedure is standard. In doing so, use only the telephone number that is specified on the company’s own website. Do not call any numbers that you found in an email from the company (allegedly). These types of emails can be part of a (voice) phishing attack.

Tip 3: Never divulge any log-in credentials or bank details over the phone. No trustworthy company will ever ask for your account log-in credentials over the phone. If a caller asks you to state your account info or personal data, refuse immediately and report the interaction to the company concerned.

Tip 4: If you suspect that you have been a victim of voice phishing, report the incident to the police and file a complaint. Furthermore, you should report the incident to the company that the scammer claimed to work for. If you think your bank details could be compromised, talk to your bank and have the account temporarily blocked. Log-in data for accounts can often be blocked online on the website. If you use the same password for different accounts (which is not recommended in any situation), it is imperative that you change the password everywhere.

With the vishing definition formulated at the start, vishing can be differentiated from other methods of digital data theft.

While with voice phishing, the gateway for criminals is IP telephony, they use emails for phishing in order to bait unsuspecting users into volunteering their personal data. To do this, the devious electronic messages are edited to look as authentic as possible and include a link to a harmful website. A special form of phishing is spear phishing, where scammers zero in on one or several very specific victims. Spear phishers do not cast a large net of fraud, but attack victims with focus and purpose.

Smishing basically works in a very similar way but uses SMS for data theft.

Vishing, phishing, and smishing differ from each other in the way that the con artist makes contact and communicates with the victims. In all versions, the objective remains the same: to steal personal data such as bank details, credit card numbers, or log-in data in order to enrich themselves financially.