Sophisticated Vishing (Voice Phishing) On the Rise

Vishing is a social engineering technique that leverages voice communication technology, such as telephone calls and voicemail, rather than email or text messages.

Published on Thursday 3rd of August 2023 02:55 PM

In a vishing attack, threat actors or "vishers" use fraudulent phone numbers, voice-altering software, and other social engineering tactics to entice people to divulge personal and sensitive information over the phone. Advanced vishing attacks exploit Voice over Internet Protocol (VoIP) technology to create fake phone numbers and spoof the caller ID so that the call appears to come from a legitimate company or institution. VoIP makes it easy for vishers to automate hundreds of scam calls over the internet, and because the displayed number is chosen by the caller rather than assigned by the network, such calls are hard to trace. Let's break down how these attacks work:

1) Data Collection

Threat actors, whether a person or an automated system, use various techniques to collect phone numbers for broad, indiscriminate attacks. They will also research and collect information for a targeted attack against specific individuals and businesses. There are several ways they collect this information:

  1. Dumpster Diving - threat actors search through the trash of businesses, banks and other organizations to find phone numbers and other contact details.
  2. War Dialing - threat actors attempt to call every number in an area code to find active numbers. This is usually done with an automatic dialer.
  3. Internet Search - threat actors search publicly available information on social media and other media platforms (YouTube, TikTok) for details and voice samples of a high-value target (for example, a company CEO).
  4. Data Breaches - information can be obtained from large lists of personal information stolen by other threat actors in a data breach.

2) Voice Manipulation

Threat actors may employ machine learning (a subset of artificial intelligence) to create a simulation of a person's voice from recorded samples. This technique, called voice cloning, adds realism to the attack by disguising the attacker's own voice and impersonating someone the victim knows.

3) Fraudulent Calls

Threat actors spoof their caller ID and call from as many numbers as possible, often leaving a prepared voicemail message asking the victim to call back. In more advanced attacks, threat actors may use voice synthesis software to hide their identity or to control the cloned voice of a high-value target live during the call.

Examples of Vishing Scams

Credential Theft

Threat actors use this method to attempt to get the victim to give away banking and credit card information. They then use the information to log in to accounts and access funds, make unauthorized purchases or, in combination with other social engineering attacks, commit identity theft to take out loans in the victim's name.

Government Impersonation

Attackers attempt to pose as a civil servant, usually from a department dealing with taxes and finance. They use threatening language and scare tactics to get the victim to give up personal details or send money. One example of a scare tactic is the threat of legal action for "unpaid" taxes. Attackers also impersonate law enforcement to get the victim to give up personal details for use in identity fraud.

Corporate Extortion

Attackers pose as a high-level executive (CEO, COO, CFO) and try to convince employees to comply with requests. These requests are usually related to releasing funds, authorizing access to sensitive information, or even asking the employee to buy gift cards for a co-worker's birthday.

Telemarketing Scams

Threat actors pose as a legitimate business to try to get you to purchase goods or services that are never provided. They may also claim that you have won a prize and ask for a "claim fee", or ask you to provide personal information so they can send you the "prize", and then use that information for fraud or to facilitate other attacks.

Technical Support Scams

Attackers pose as a support representative from a well-known company, claiming there are issues with your computer or devices. They try to get you to release personal information to "verify your identity". They also often ask for permission to remotely access your computer to troubleshoot or install software. Once connected, they may use malicious software to make your system appear infected so that you pay for support, or simply install viruses and keyloggers to harvest information and credentials.

How to spot scams and protect yourself

  • Be suspicious of callers that want sensitive information. Do not give personal information like your username, password, or banking information over the phone, unless you are certain it is a legitimate institution. Ask the institution for a contact name and reach the organization via an official channel (their publicly listed phone number or website).
  • Be wary of calls from unknown numbers or automated calls. Let the call go to voicemail if you do not recognize the number. Avoid using your phone's callback function or phone numbers provided by the caller. Communicate with the site or service through a trusted contact method.
  • Beware of scare tactics. Vishers try to catch you off guard and make you feel you have no option but to provide the requested information. Some use threatening language to get you to act quickly. For example, they may say you must provide your information to keep your account from being deactivated.
  • Be on guard for calls with poor audio quality, a robotic tone or an unnatural rhythm to the speech. Hang up and let the call go to voicemail if they call back. Keep in mind that a good voice clone may show none of these signs, so a natural-sounding voice is not proof that the caller is who they claim to be.
  • Be proactive and train your staff on vishing attacks and how to respond appropriately. Create a process for your staff to report incidents easily and quickly. Consider a formalized authentication process for employee-to-employee communications made over the phone, where the requester's identity is confirmed before sensitive information is discussed, for example by hanging up and calling the person back on the number listed in the company directory rather than the number the caller provides.
  • Be informed that most smartphones have built-in spam protection features that can filter, block, or report spam calls. Check your smartphone manual on how to enable these features.

What to do if you think you have been the victim of a vishing scam

Take the following actions if you have been a victim of a vishing scam.

  • Notify the financial institutions for every compromised account. Ask them to cancel the fraudulent transactions and block future charges.
  • Change your passwords immediately for all affected accounts, as well as for any other accounts that reused the same compromised passwords.
  • Monitor your financial accounts. Consider signing up with a credit monitoring service to alert you of potential fraudulent activity, especially if you have concerns that you've been a victim of identity theft.
  • Report the scam to the Canadian Anti-Fraud Centre (CAFC). Document the phone number of the scammer as well as any websites you were asked to visit and provide this info to the CAFC.
  • Report the incident to your organization’s IT administrator if you think you might have revealed sensitive corporate information. Follow your organization's protocol for reporting cyber incidents.

MNSi Telecom
P: 519-258-2333