What is Vishing and how does it work?


Vishing is an abbreviation for “voice phishing,” in which hackers use fraudulent phone calls or voice messages to dupe people into giving them sensitive information, such as bank passwords and account credentials. The hackers then use this information for criminal activities, mainly stealing funds.

Vishing is on the rise, and people need to protect themselves from it. This article dives deep into vishing, explaining how it works and the steps you can take to protect yourself.


What is Vishing?

Vishing and phishing are closely related. Phishing refers to malicious actors impersonating trusted people or brands to trick their targets into giving up sensitive information. The most common format is sending an email claiming to be from someone the recipient knows and demanding sensitive information. If the recipient isn’t careful, they could fall for the trick and send sensitive information or money.

Vishing is simply phishing via voice calls or voice messages. The attacker pretends to be from a reputable organization (such as a package delivery service or the victim's bank) and demands that the target provide sensitive information. Attackers often use toll-free numbers or voice-over-internet-protocol (VoIP) services to make themselves look legitimate.

Sometimes, the vishing attack starts with an email asking the target for their phone number or providing a number they should call. If the target calls the number, the attacker employs social engineering tactics to deceive them into doing their bidding.

Vishing scams usually target people who receive regular voice calls as part of their job, given that this cohort is more likely to be responsive to their tactics. You need vigilance to avoid falling victim to this sophisticated attack vector.


What's the goal of Vishing?

Like most crimes, the end game is money or the theft of valuable information. A hacker could trick their target into sending them money directly. They could also do it indirectly, for example by tricking the target into handing over their bank details and then using those details to siphon money. Sometimes, the attackers steal personal data to sell to other malicious actors.

Why do Hackers Engage in Vishing?

Malicious actors engage in vishing because it is, unfortunately, one of the most effective ways to catch their targets off guard. Voice communication carries urgency and trust in a way other communication mediums lack. With voice calls, hackers can build personal connections with their targets and respond dynamically to the victim's tone and mood – something that isn't possible over social media or email.

Hackers are also attracted to vishing because technology has made impersonating people on voice calls easier. For instance, the masses now have access to artificial intelligence-based voice cloning tools that can be abused to trick targets. As deepfake and voice cloning technology becomes more sophisticated and affordable, it’s becoming more difficult for laypeople to discern the real from the fake. 

Common Vishing Scams

Let’s examine some common vishing scams you should be wary of:

1. Tech support calls

Attackers pretend to be tech support agents to trick targets into giving up sensitive information. They can claim to be from your company’s IT department, PC vendor, or Internet Service Provider (ISP). Older adults with limited technological prowess tend to fall for this attack vector. 

People with limited technical understanding might conclude that the caller is legitimate and give them what they want. To avoid this, you can always hang up and verify the caller independently. If the caller claims to be from a specific company, end the call and check whether the official phone number on that company's website or business card matches the one that dialed your phone.

Most importantly, never give out personal information via telephone or email. Even if you have a technical problem, no legitimate company asks for sensitive details over the phone or email. 

2. Deepfakes

This format is sophisticated because it involves cloning the voice of a person the target knows to trick them. With artificial intelligence (AI) and machine learning (ML) tools becoming increasingly available, it now takes just a short voice sample to clone someone’s voice.

Once the attacker begins the call, they use text-to-speech software to dictate what the target hears. Without care, one can easily fall for this advanced trick. 

To avoid falling victim to deepfake calls, start by being skeptical of random and unusual requests. A call that feels out of character for the person or organization contacting you hints at a deepfake attack, especially when you're being pressured to help the person immediately. Likewise, listen for signs of a distorted voice or long pauses – the criminal has to type the words, which takes time, and voice cloning tools usually introduce some distortion because of technical limitations.

If you receive a call with the signals of a deepfake, cut it and try to contact the person or organization via another means to verify the information. 

3. Robocalls

Robocalls are automated messages designed to trick recipients into sending money or giving up sensitive details. These pre-recorded messages impersonate reputed authorities – the police, government agencies, banks, healthcare institutions, etc. – to trick unsuspecting people into doing their bidding.

A typical example is a robocall from the Internal Revenue Service (IRS) asserting that the target owes a specific amount of tax and must pay it to a provided bank account. Such a call is always a scam - the IRS never contacts people via phone demanding money or personal details. Hang up if you get a call like this.


4. Client calls

Some hackers dumpster-dive around offices to find old, discarded invoices. They then call the number on these invoices, pretending to be the vendor and demanding payment. The attacker claims the invoice was unpaid and uses an urgent or angry tone to pressure the recipient into sending money.

Sometimes, the hacker spoofs the Caller ID and displays the number and name of the actual organization – that’s why you shouldn’t trust a call solely on the displayed details. If you receive such a call, ask for the caller’s name, position, and contact details and hang up, then verify the details via another source. Most importantly, if you’re sure you’ve paid an invoice and yet receive a call about that same invoice, it’s most likely a vishing scam.

5. Telemarketing call

Hackers often try to exploit the human tendency to enjoy rewards and freebies. In this case, they call the target and tell them they've won a valuable prize. The target is then asked to provide confidential information or a small amount of money to claim the prize – a typical scam.

Hackers can spoof Caller IDs to impersonate companies that the target is familiar with, making their offer more convincing. However, always be wary of strangers bearing gifts. Don't let excitement carry you into this type of vishing scam.

How Can I Recognize Vishing Attacks?

You can recognize vishing attacks in various ways, including:

1. Asking for sensitive details

You should be automatically skeptical of any call that requests personal and sensitive information. No reputed institution ever demands personal information over the phone or via email. That’s why many banks run massive advertising campaigns informing clients never to provide sensitive information to anyone claiming to represent the institution.

2. Poor audio quality

Deepfakes are becoming more ubiquitous as time passes, but the technology still has limitations. Text-to-speech and voice-cloning software often produce unusual background noises or voice glitches. If you hear a normal voice tone suddenly become robotic, it signals that the voice is likely cloned.

3. High-pressure tactics

Scammers often use high-pressure tactics to trick people into doing their bidding. A caller using threatening or highly persuasive language is a sign that they want to trick you. Don't make decisions under pressure and in haste – you need to be calm to think clearly. If the caller tries to push you out of this calm state, hang up.

For instance, a common scam involves cloning a family member’s voice and calling you to request money under urgent circumstances. One can easily fall for this trick because of their affection for the impersonated caller – the antidote is not to make decisions under pressure. Cut the call and contact the person via another means to confirm if they’re truly in urgent circumstances. If you can’t reach the person, please wait out the situation and contact them later.

4. Unusual numbers

Calls from unfamiliar numbers are a red flag. Be vigilant when you pick up a call from an unknown number – it will not always be a scam, but vigilance helps you avoid falling victim to one.

If you receive a call from an organization but the number doesn’t match what you’re familiar with, don’t hesitate to hang up and seek further clarification. If you receive a call purportedly from a colleague or higher-up, don’t hesitate to hang up and verify with a third party before taking any action.

5. Automated messages

Be wary of any call with a robotic voice tone. No reputed organization sends pre-recorded calls to request action from a client or employee. Scammers use robocalls to widen the net of their possible victims, as it would take too much time and effort to call each target individually.

Best Practices to Avoid Vishing Attacks

  • Never provide sensitive information over the phone or any other communication medium. We’ve emphasized this point multiple times.
  • Don’t pick up calls from unknown and suspicious numbers. Instead, let the calls go to voicemail and evaluate their legitimacy before responding or ignoring them.
  • Don’t respond to random emails or texts asking you to provide your phone number. It’s a common tactic scammers use to get their victims’ phone numbers to kickstart a vishing attack.
  • Add your phone number to the National Do Not Call Registry (for U.S.-based people). Legitimate companies honor this registry by not calling customers who add their numbers to it. If you receive a call purportedly from a trusted organization after adding your number to this registry, it’s likely illegitimate.
  • Always ask questions. If someone calls and offers a prize, ask for their name and company phone number to verify who they are. If the caller refuses to provide this information, hang up. Even if they provide it, ensure the details are legitimate before returning any call.
  • Enable security features on your phone that block numbers associated with spam or scams.
  • Create an authentication process with your colleagues. It could be a passphrase or code that lets you know you’re speaking to a legitimate colleague. The call is likely illegitimate if the caller claiming to represent your organization can’t provide this phrase or code.

What to Do if You Experience a Vishing Attack

If you fall victim to a vishing attack, don't beat yourself up over it. Instead, take some immediate steps to prevent your sensitive information from being exploited further:

  • Change every compromised password or PIN. If you gave the attacker your password or PIN, change the credentials on the relevant platform and any other platform where you use the same credentials.
  • Alert the institution that was impersonated. They can take steps to alert other customers and prevent their brand from being impersonated.
  • If you disclosed sensitive corporate information to the attacker, alert your company’s IT department and higher-ups about the issue. Hiding it for fear of consequences prolongs the problem and can cause further damage.
  • File a formal complaint with the Federal Trade Commission, the FBI's Internet Crime Complaint Center (IC3), or a domestic law enforcement agency. Your complaint helps them pursue the perpetrators and prevent others from falling victim to the same scheme.
  • If your banking details were compromised, alert your bank immediately and freeze your accounts if necessary.

Final Words

Cybercrime is becoming increasingly sophisticated and costly to victims. Vishing is one of the most common types of cybercrime and proliferates as hackers gain easier access to sophisticated voice cloning tools. We have explained how this cybercrime works, how to recognize it, and the best practices to avoid falling victim to it.

Even if you fall victim to vishing, you can take immediate steps to prevent further damage. Follow our tips, and you’ll likely avoid getting roped into this sophisticated attack vector. 

Stefan Ionescu

Stefan has always been a lover of tech. He graduated with an MSc in geological engineering but soon discovered he had a knack for writing instead. So he decided to combine his newfound and life-long passions to become a technology writer. As a freelance content writer, Stefan can break down complex technological topics, making them easily digestible for the lay audience.