The power of vishing: Why it's effective and how to avoid falling victim


Thanks to the efforts of employers and banks, most of us are familiar with the term phishing. We know if something sounds too good to be true, it probably is – and we’ve sat through training and received the warning emails from our employers, banks and other organizations we interact with on a regular basis to be aware of cyber scam attempts, and read through emails and messages with a critical eye.

Cybercriminals, however, never rest – and as long as there is someone out there who can potentially fall victim, they will keep up their efforts. Vishing – which aims to achieve the same objectives as phishing – uses voice-altering software, phone calls and social engineering to trick users into revealing sensitive information. Many organizations train employees to spot phishing emails, but fewer raise awareness of vishing phone scams – and in a world where more and more of our everyday communications take place via written messages rather than phone calls, vishing attempts capitalize on the ability of a skilled fraudster to manipulate and socially engineer a victim over the phone.

Simon McNally, Identity and Access Management Expert at Thales.

Anatomy of a scam

Phishing attacks generally work by sending huge volumes of email to lists of potential targets. By impersonating genuine messages, or by creating a sense of urgency or concern, phishers aim to trick users into replying or clicking a link that leads to malware.

Vishing attackers, meanwhile, typically use two strategies to trick their targets. One is sending text messages to a lengthy list of phone numbers – perhaps acquired legitimately, or purchased from other cybercriminals – asking users to call the attacker’s number or to supply other details. The other involves dialing through the list with software and playing an automated voice message. This may direct the victim to a website under the attacker’s control, or it may connect the victim to a human scammer, who continues the conversation and persuades them to share bank details, transfer funds, or take other harmful actions.

Once a cybercriminal has a victim on a call, they can employ a variety of social engineering strategies that play on the victim's innate trust, fear, greed, and desire to help. While the intentions vary from one scheme to another, fundamentally the criminal aims to persuade the victim that complying is the right thing to do.

A scammer could, for example, call claiming to be from the victim’s bank and request details as part of a supposed fraud investigation. Or they could pose as an employee’s spouse, call the employer and ask the HR department to hand over the worker's phone number immediately. Another common instance is someone posing as a grandchild and approaching their grandparents for financial help in a time of crisis.

Financial gain is the primary motivation of scammers. They look for ways to make the victim feel they must act immediately, so there is no moment to think, ask someone else’s advice, or change their mind. Short of physically breaking into premises or IT infrastructure themselves, calling and manipulating a victim can be a highly effective way to get them to send money, email sensitive data, or give out information about their company.

Stay situationally aware

Vishing takes time to persuade and build trust. Scammers prey on the fallibilities we all have as human beings in order to distract us and encourage unthinking action; applying time pressure is another common tactic. Overall, organizations should be clear with their employees about what vishing attacks look like, and encourage reporting and critical thinking. Everyone should be cautious about sharing personal information in response to unsolicited contact. Anyone legitimate who gets in touch will provide evidence to help users verify the contact is genuine before any sensitive details are shared, such as giving a primary number to call back on – banks, for example, will never call or send messages without first verifying themselves through other channels.

In combating vishing threats, individuals should practice the same critical thinking and situational awareness they would apply to phishing attempts. Take a moment, think about the conversation, and don’t feel rushed to act. Banks and other financial providers, for example, will never request any kind of financial information from you. Additionally, if a scammer pretends to be someone else, like a close family member, work colleague or manager, you can always follow up with that person directly.

Finally, screening and blocking calls and messages from unknown numbers on your phone are reasonable precautions. Scammers will always keep trying in a world where they can automate attacks and the potential payoff is so great – but by staying aware and practicing a good level of critical thinking, users can protect both themselves and the organization they work for.


This article was produced as part of TechRadarPro's Expert Insights channel.

Simon McNally is Identity and Access Management Expert at Thales.