Voice phishing


Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.
Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP features such as caller ID spoofing and interactive voice response systems to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker. However, some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit cards, bank accounts, as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.
Bank account data is not the only sensitive information being targeted. Fraudsters sometimes also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc.
Audio deepfakes have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.

Terminology

  • Social engineering - The usage of psychological manipulation, as opposed to conventional hacking methods, to gain access to confidential information.
  • Caller ID spoofing - A method by which callers are able to modify their caller IDs so that the name or number displayed to the call recipient is different than that of the caller. Phishers will often modify their numbers so that they appear familiar or trustworthy to the call recipient. Common methods include spoofing a number in the call recipient's area code or spoofing a government number so that the call appears more trustworthy or familiar and the potential victim is more likely to answer the call.
  • Voice over Internet Protocol - Also known as IP telephony, VoIP is a technology that allows voice calls to be made over the internet. VoIP is frequently used in vishing attacks because it allows callers to spoof their caller ID. They can also reduce telephony cost by having VoIP servers in target countries instead of doing international calls, if doing international fraud.

    Motives

Common motives include financial reward, anonymity, and fame. Confidential banking information can be utilized to access the victims' assets. Individual credentials can be sold to individuals who would like to hide their identity to conduct certain activities, such as acquiring weapons. This anonymity is perilous and may be difficult to track by law enforcement. Another rationale is that phishers may seek fame among the cyber attack community.

Operation

Voice phishing comes in various forms. There are various methods and various operation structures for the different types of phishing. Usually, scammers will employ social engineering to convince victims of a role they are playing and to create a sense of urgency to leverage against the victims.
Voice phishing has unique attributes that separate the attack method from similar alternatives such as email phishing. With the increased reach of mobile phones, phishing allows for the targeting of individuals without working knowledge of email but who possess a phone, such as the elderly. The historical prevalence of call centers that ask for personal and confidential information additionally allows for easier extraction of sensitive information from victims due to the trust many users have while speaking to someone on the phone. Through voice communication, vishing attacks can be personable and therefore more impactful than similar alternatives such as email. The faster response time to an attack attempt due to the increased accessibility to a phone is another unique aspect, in comparison to an email where the victim may take longer time to respond. A phone number is difficult to block and scammers can often simply change phone numbers if a specific number is blocked and often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb false scam calls.

Initiation mechanisms

A voice phishing attack may be initiated through different delivery mechanisms.  A scammer may directly call a victim and pretend to be a trustworthy person by spoofing their caller ID, appearing on the phone as an official or someone nearby. Scammers may also deliver pre-recorded, threatening messages to victims' voicemail inboxes to coerce victims into taking action. Victims may also receive a text message which requests them to call a specified number and be charged for calling the specific number. Additionally, the victim may receive an email impersonating a bank; The victim then may be coerced into providing private information, such as a PIN, account number, or other authentication credentials in the phone call.

Common methods and scams

Voice phishing attackers will often employ social engineering to convince victims to give them money and/or access to personal data. Generally, scammers will attempt to create a sense of urgency and/or a fear of authority to use as a leverage against the victims.
  • Imposter scammers pose as an important person or agency relative to the victim and use the victim's relationship with the important person or agency to leverage and scam money.
  • * IRS scam: The scammer poses as an IRS official or immigration officer. The scammer then threatens deportation or arrest if the victim does not pay off their debts, even if the victim does not actually have any debt.
  • * Romance scam: The scammer poses as a potential love interest through dating apps or simply through phone calls to reconnect with the victim as a lover from the past who needs emergency money for some reason, such as for travel or to pay off debts. Social engineering is used to convince victims that the scammer is a love interest. In extreme cases, the scammer might meet up with the victim and take photos of sexual activities to use as leverage against the victim.
  • * Tech support scam: The scammer poses as a tech support and claims that there is an urgent virus, or a severe technical issue on the victim's computer. The scammer may then use the sense of urgency to obtain remote control of the victim's computer by having the victim download a special software to diagnose the supposed problem. Once the scammer gains remote control of the computer, they can access files or personal information stored on the computer or install malware. Another possibility is that the scammer may ask the victim for a payment to resolve the supposed technical issue.
  • Debt relief and credit repair scams
  • * Scammer poses as a company and claims an ability to relieve debt or repair credit. The scammer requests a company fee for the service. Usually, performing this action will actually reduce credit score.
  • Business and investment scams
  • * Scammers pose as financial experts to convince victims to offer money for investments.
  • Charity scams
  • * Scammers pose as charity members to convince the victim to donate to their cause. These fake organizations do not actually do any charity work and instead, any money donated goes directly to the scammers.
  • Auto warranty scams
  • * Scammers make fake calls regarding the victim's car warranty and offer the option to renew the warranty. The caller may have information about the victim's car, making their offer appear more legitimate. Callers may use auto warranty scams to gather personal information about their victims, or to collect money if victims decide to purchase the proposed warranty.
  • Parcel scams
  • * Targeting immigration populations, scammers claim that the victim has a parcel that needs to be picked up. The scammer initially poses as a courier company. The nonexistent parcel is connected to a financial criminal case. The scammer, posing as a delivery company, transfers the victim to another scammer posing as a police of a foreign country. The scammer posing as police will claim the victim is suspected and needs to be investigated in a fake money laundering investigation. This is done by convincing the victim that their identity was stolen. The scammer then convinces the victim to send money to the "police" to conduct an investigation on the money in their bank. Throughout the process the scammer may take extra steps to claim they are not scammers by reiterating that the police will not ask for personal credentials or bank account information.
  • Kidnapping scams
  • * Scammers will call and claim that they have kidnapped a close relative or loved one. This is done by either doing research beforehand or using social engineering tactics and assumptions to glean information of the relative off of the victim. For example, since elderly are more vulnerable to scams compared to the average population, the scammers can assume that the elderly probably have children or grandchildren. The scammer will threaten to harm the relative if the victim hangs up. In certain cases the scammer will even let victims talk to the "abducted relative'' but due to fear, confusion, and the effect of the phone on a person's voice, the victim may fail to notice that the fake abducted relative is not actually the relative.