Voice phishing, or vishing,[1] is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.
Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers.[1] Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly.[2] Callers also often pose as law enforcement or as an Internal Revenue Service employee.[3][4] Scammers often target immigrants and the elderly,[5] who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.[3]
Bank account data is not the only sensitive information being targeted. Fraudsters sometimes also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc.
Audio deepfakes have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.[6]
Terminology
Social engineering - The usage of psychological manipulation, as opposed to conventional hacking methods, to gain access to confidential information.[7]
Caller ID spoofing - A method by which callers are able to modify their caller IDs so that the name or number displayed to the call recipient is different than that of the caller.[8] Phishers will often modify their numbers so that they appear familiar or trustworthy to the call recipient.[9] Common methods include spoofing a number in the call recipient's area code or spoofing a government number so that the call appears more trustworthy or familiar and the potential victim is more likely to answer the call.[9]
Voice over Internet Protocol (VoIP) - Also known as IP telephony,[10] VoIP is a technology that allows voice calls to be made over the internet.[11] VoIP is frequently used in vishing attacks because it allows callers to spoof their caller ID.[12]
Motives
Common motives include financial reward, anonymity, and fame.[13] Confidential banking information can be utilized to access the victims' assets. Individual credentials can be sold to individuals who would like to hide their identity to conduct certain activities, such as acquiring weapons.[13] This anonymity is perilous and may be difficult to track by law enforcement. Another rationale is that phishers may seek fame among the cyber attack community.[13]
Operation
Voice phishing comes in various forms. There are various methods and various operation structures for the different types of phishing. Usually, scammers will employ social engineering to convince victims of a role they are playing and to create a sense of urgency to leverage against the victims.
Voice phishing has unique attributes that separate the attack method from similar alternatives such as email phishing. With the increased reach of mobile phones, phishing allows for the targeting of individuals without working knowledge of email but who possess a phone, such as the elderly. The historical prevalence of call centers that ask for personal and confidential information additionally allows for easier extraction of sensitive information from victims due to the trust many users have while speaking to someone on the phone. Through voice communication, vishing attacks can be personable and therefore more impactful than similar alternatives such as email. The faster response time to an attack attempt due to the increased accessibility to a phone is another unique aspect, in comparison to an email where the victim may take longer time to respond.[14] A phone number is difficult to block and scammers can often simply change phone numbers if a specific number is blocked and often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb false scam calls.[15]
Initiation mechanisms
A voice phishing attack may be initiated through different delivery mechanisms.[16] A scammer may directly call a victim and pretend to be a trustworthy person by spoofing their caller ID, appearing on the phone as an official or someone nearby.[16] Scammers may also deliver pre-recorded, threatening messages to victims' voicemail inboxes to coerce victims into taking action.[16] Victims may also receive a text message which requests them to call a specified number and be charged for calling the specific number.[16] Additionally, the victim may receive an email impersonating a bank; The victim then may be coerced into providing private information, such as a PIN, account number, or other authentication credentials in the phone call.[16]
Common methods and scams
Voice phishing attackers will often employ social engineering to convince victims to give them money and/or access to personal data.[17] Generally, scammers will attempt to create a sense of urgency and/or a fear of authority to use as a leverage against the victims.[16]
Imposter scammers pose as an important person or agency relative to the victim and use the victim's relationship with the important person or agency to leverage and scam money.
IRS scam: The scammer poses as an IRS official or immigration officer. The scammer then threatens deportation or arrest if the victim does not pay off their debts, even if the victim does not actually have any debt.
Romance scam: The scammer poses as a potential love interest through dating apps or simply through phone calls to reconnect with the victim as a lover from the past who needs emergency money for some reason, such as for travel or to pay off debts.[18] Social engineering is used to convince victims that the scammer is a love interest. In extreme cases, the scammer might meet up with the victim and take photos of sexual activities to use as leverage against the victim.[19]
Tech support scam: The scammer poses as a tech support and claims that there is an urgent virus, or a severe technical issue on the victim's computer. The scammer may then use the sense of urgency to obtain remote control of the victim's computer by having the victim download a special software to diagnose the supposed problem.[20] Once the scammer gains remote control of the computer, they can access files or personal information stored on the computer or install malware.[21] Another possibility is that the scammer may ask the victim for a payment to resolve the supposed technical issue.[20]
Debt relief and credit repair scams
Scammer poses as a company and claims an ability to relieve debt or repair credit. The scammer requests a company fee for the service. Usually, performing this action will actually reduce credit score.[22]
Business and investment scams
Scammers pose as financial experts to convince victims to offer money for investments.[22]
Charity scams
Scammers pose as charity members to convince the victim to donate to their cause. These fake organizations do not actually do any charity work and instead, any money donated goes directly to the scammers.[23]
Auto warranty scams
Scammers make fake calls regarding the victim's car warranty and offer the option to renew the warranty.[24] The caller may have information about the victim's car, making their offer appear more legitimate.[24] Callers may use auto warranty scams to gather personal information about their victims, or to collect money if victims decide to purchase the proposed warranty.[25]
Parcel scams
Targeting immigration populations, scammers claim that the victim has a parcel that needs to be picked up. The scammer initially poses as a courier company. The nonexistent parcel is connected to a financial criminal case. The scammer, posing as a delivery company, transfers the victim to another scammer posing as a police of a foreign country. The scammer posing as police will claim the victim is suspected and needs to be investigated in a fake money laundering investigation. This is done by convincing the victim that their identity was stolen. The scammer then convinces the victim to send money to the "police" to conduct an investigation on the money in their bank.[4] Throughout the process the scammer may take extra steps to claim they are not scammers by reiterating that the police will not ask for personal credentials or bank account information.
Kidnapping scams
Scammers will call and claim that they have kidnapped a close relative or loved one. This is done by either doing research beforehand or using social engineering tactics and assumptions to glean information of the relative off of the victim. For example, since elderly are more vulnerable to scams compared to the average population, the scammers can assume that the elderly probably have children or grandchildren. The scammer will threaten to harm the relative if the victim hangs up.[26] In certain cases the scammer will even let victims talk to the "abducted relative'' but due to fear, confusion, and the effect of the phone on a person's voice, the victim may fail to notice that the fake abducted relative is not actually the relative.[27]
Detection and prevention
Voice phishing attacks can be difficult for victims to identify because legitimate institutions such as banks sometimes ask for sensitive personal information over the phone.[8] Phishing schemes may employ pre-recorded messages of notable, regional banks to make them indistinguishable from legitimate calls.[citation needed] Additionally, victims, particularly the elderly,[8] may forget or not know about scammers' ability to modify their caller ID, making them more vulnerable to voice phishing attacks.[citation needed]
The US Federal Trade Commission (FTC) suggests several ways for the average consumer to detect phone scams.[22] The FTC warns against making payments using cash, gift cards, and prepaid cards, and asserts that government agencies do not call citizens to discuss personal information such as Social Security numbers.[22] Additionally, potential victims can pay attention to characteristics of the phone call, such as the tone or accent of the caller[8][28] or the urgency of the phone call[22] to determine whether or not the call is legitimate.
The primary strategy recommended by the FTC to avoid falling victim to voice phishing is to not answer calls from unknown numbers.[9] However, when a scammer utilizes VoIP to spoof their caller ID, or in circumstances where victims do answer calls, other strategies include not pressing buttons when prompted, and not answering any questions asked by a suspicious caller.[9]
On March 31, 2020, in an effort to reduce vishing attacks that utilize caller ID spoofing, the US Federal Communications Commission adopted a set of mandates known as STIR/SHAKEN, a framework intended to be used by phone companies to authenticate caller ID information.[29] All U.S. phone service providers had until June 30, 2021, to comply with the order and integrate STIR/SHAKEN into their infrastructure to lessen the impact of caller ID spoofing.[29]
In some countries, social media is used to call and communicate with the public. On certain social media platforms, government and bank profiles are verified and unverified government and bank profiles would be fake profiles.[30]
Solutions
The most direct and effective mitigation strategy is training the general public to understand common traits of a voice phishing attack to detect phishing messages.[31] A more technical approach would be the use of software detection methods. Generally, such mechanisms are able to differentiate between phishing calls and honest messages and can be more cheaply implemented than public training.[31]
Detection of phishing
A straightforward method of phishing detection is the usage of blacklists. Recent research has attempted to make accurate distinctions between legitimate calls and phishing attacks using artificial intelligence and data analysis.[32] To further advance research in the fake audio field, different augmentations and feature designs have been explored.[33] By analyzing and converting phone calls to texts, artificial intelligence mechanisms such as natural language processing can be used to identify if the phone call is a phishing attack.[32]
Offensive approaches
Specialized systems, such as phone apps, can submit fake data to phishing calls. Additionally, various law enforcement agencies are continually making efforts to discourage scammers from conducting phishing calls by imposing harsher penalties upon attackers.[31][29]
Between 2012 and 2016, a voice phishing scam ring posed as Internal Revenue Service and immigration employees to more than 50,000 individuals, stealing hundreds of millions of dollars as well as victims' personal information.[5] Alleged co-conspirators from the United States and India threatened vulnerable respondents with "arrest, imprisonment, fines, or deportation."[5] In 2018, 24 defendants were sentenced, with the longest imprisonment being 20 years.[5]
On March 28, 2021, the Federal Communications Commission issued a statement warning Americans of the rising number of phone scams regarding fraudulent COVID-19 products.[34] Voice phishing schemes attempting to sell products which putatively "prevent, treat, mitigate, diagnose or cure" COVID-19 have been monitored by the Food and Drug Administration as well.[35]
Beginning in 2015, a phishing scammer impersonated Hollywood make-up artists and powerful female executives to coerce victims to travel to Indonesia and pay sums of money under the premise that they'll be reimbursed. Using social engineering, the scammer researched the lives of their victims extensively to mine details to make the impersonation more believable. The scammer called victims directly, often multiple times a day and for hours at a time to pressure victims.[36]
Thamar Reservoir Cyberattack
The 2015 cyber attack campaign against the Israeli academic Dr. Thamar Eilam Gindin illustrates the use of a vishing attack as a precursor to escalating future attacks with the new information coerced from a victim. After the Iran-expert academic mentioned connections within Iran on Israeli Army Radio, Thamar received a phone call to request an interview with the professor for the Persian BBC. To view the questions ahead of the proposed interview, Thamar was instructed to access a Google Drive document that requested her password for access. By entering her password to access the malicious document, the attacker can use the credentials for further elevated attacks.[37]
Mobile Bank ID Scam
In Sweden, Mobile Bank ID is a phone app (launched 2011) that is used to identify a user in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, the user enters a password in the phone and is logged in. In this scam, malicious actors called people claiming to be a bank officer, claimed there was a security problem, and asked the victim to use their Mobile Bank ID app. Fraudsters were then able to log in to the victim's account without the victim providing their password. The fraudster was then able to transfer money from the victim's account. If the victim was a customer of the Swedish bank Nordea, scammers were also able to use the victim's account directly from their phone. In 2018, the app was changed to require users to photograph a QR code on their computer screen. This ensures that the phone and the computer are colocated, which has largely eliminated this type of fraud.
^ abGriffin, Slade E.; Rackley, Casey C. (2008). "Vishing". Proceedings of the 5th annual conference on Information security curriculum development - InfoSecCD '08. p. 33. doi:10.1145/1456625.1456635. ISBN9781605583334.