Voice phishing

Voice phishing, or vishing,[1] is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.

Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers.[1] Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly.[2] Callers also often pose as law enforcement or as an Internal Revenue Service employee.[3][4] Scammers often target immigrants and the elderly,[5] who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.[3]

Bank account data is not the only sensitive information being targeted. Fraudsters sometimes also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc.

Audio deepfakes have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.[6]

Terminology

  • Social engineering - The usage of psychological manipulation, as opposed to conventional hacking methods, to gain access to confidential information.[7]
  • Caller ID spoofing - A method by which callers are able to modify their caller IDs so that the name or number displayed to the call recipient is different than that of the caller.[8] Phishers will often modify their numbers so that they appear familiar or trustworthy to the call recipient.[9] Common methods include spoofing a number in the call recipient's area code or spoofing a government number so that the call appears more trustworthy or familiar and the potential victim is more likely to answer the call.[9]
  • Voice over Internet Protocol (VoIP) - Also known as IP telephony,[10] VoIP is a technology that allows voice calls to be made over the internet.[11] VoIP is frequently used in vishing attacks because it allows callers to spoof their caller ID.[12]

Motives

Common motives include financial reward, anonymity, and fame.[13] Confidential banking information can be utilized to access the victims' assets. Individual credentials can be sold to individuals who would like to hide their identity to conduct certain activities, such as acquiring weapons.[13] This anonymity is perilous and may be difficult to track by law enforcement. Another rationale is that phishers may seek fame among the cyber attack community.[13]

Operation

Voice phishing comes in various forms. There are various methods and various operation structures for the different types of phishing. Usually, scammers will employ social engineering to convince victims of a role they are playing and to create a sense of urgency to leverage against the victims.

Voice phishing has unique attributes that separate the attack method from similar alternatives such as email phishing. With the increased reach of mobile phones, phishing allows for the targeting of individuals without working knowledge of email but who possess a phone, such as the elderly. The historical prevalence of call centers that ask for personal and confidential information additionally allows for easier extraction of sensitive information from victims due to the trust many users have while speaking to someone on the phone. Through voice communication, vishing attacks can be personable and therefore more impactful than similar alternatives such as email. The faster response time to an attack attempt due to the increased accessibility to a phone is another unique aspect, in comparison to an email where the victim may take longer time to respond.[14] A phone number is difficult to block and scammers can often simply change phone numbers if a specific number is blocked and often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb false scam calls.[15]

Initiation mechanisms

A voice phishing attack may be initiated through different delivery mechanisms.[16]  A scammer may directly call a victim and pretend to be a trustworthy person by spoofing their caller ID, appearing on the phone as an official or someone nearby.[16] Scammers may also deliver pre-recorded, threatening messages to victims' voicemail inboxes to coerce victims into taking action.[16] Victims may also receive a text message which requests them to call a specified number and be charged for calling the specific number.[16] Additionally, the victim may receive an email impersonating a bank; The victim then may be coerced into providing private information, such as a PIN, account number, or other authentication credentials in the phone call.[16]

Common methods and scams

Voice phishing attackers will often employ social engineering to convince victims to give them money and/or access to personal data.[17] Generally, scammers will attempt to create a sense of urgency and/or a fear of authority to use as a leverage against the victims.[16]

  • Imposter scammers pose as an important person or agency relative to the victim and use the victim's relationship with the important person or agency to leverage and scam money.
    • IRS scam: The scammer poses as an IRS official or immigration officer. The scammer then threatens deportation or arrest if the victim does not pay off their debts, even if the victim does not actually have any debt.
    • Romance scam: The scammer poses as a potential love interest through dating apps or simply through phone calls to reconnect with the victim as a lover from the past who needs emergency money for some reason, such as for travel or to pay off debts.[18] Social engineering is used to convince victims that the scammer is a love interest. In extreme cases, the scammer might meet up with the victim and take photos of sexual activities to use as leverage against the victim.[19]
    • Tech support scam: The scammer poses as a tech support and claims that there is an urgent virus, or a severe technical issue on the victim's computer. The scammer may then use the sense of urgency to obtain remote control of the victim's computer by having the victim download a special software to diagnose the supposed problem.[20] Once the scammer gains remote control of the computer, they can access files or personal information stored on the computer or install malware.[21] Another possibility is that the scammer may ask the victim for a payment to resolve the supposed technical issue.[20]
  • Debt relief and credit repair scams
    • Scammer poses as a company and claims an ability to relieve debt or repair credit. The scammer requests a company fee for the service. Usually, performing this action will actually reduce credit score.[22]
  • Business and investment scams
    • Scammers pose as financial experts to convince victims to offer money for investments.[22]
  • Charity scams
    • Scammers pose as charity members to convince the victim to donate to their cause. These fake organizations do not actually do any charity work and instead, any money donated goes directly to the scammers.[23]
  • Auto warranty scams
    • Scammers make fake calls regarding the victim's car warranty and offer the option to renew the warranty.[24] The caller may have information about the victim's car, making their offer appear more legitimate.[24] Callers may use auto warranty scams to gather personal information about their victims, or to collect money if victims decide to purchase the proposed warranty.[25]
  • Parcel scams
    • Targeting immigration populations, scammers claim that the victim has a parcel that needs to be picked up. The scammer initially poses as a courier company. The nonexistent parcel is connected to a financial criminal case. The scammer, posing as a delivery company, transfers the victim to another scammer posing as a police of a foreign country. The scammer posing as police will claim the victim is suspected and needs to be investigated in a fake money laundering investigation. This is done by convincing the victim that their identity was stolen. The scammer then convinces the victim to send money to the "police" to conduct an investigation on the money in their bank.[4] Throughout the process the scammer may take extra steps to claim they are not scammers by reiterating that the police will not ask for personal credentials or bank account information.
  • Kidnapping scams
    • Scammers will call and claim that they have kidnapped a close relative or loved one. This is done by either doing research beforehand or using social engineering tactics and assumptions to glean information of the relative off of the victim. For example, since elderly are more vulnerable to scams compared to the average population, the scammers can assume that the elderly probably have children or grandchildren. The scammer will threaten to harm the relative if the victim hangs up.[26] In certain cases the scammer will even let victims talk to the "abducted relative'' but due to fear, confusion, and the effect of the phone on a person's voice, the victim may fail to notice that the fake abducted relative is not actually the relative.[27]

Detection and prevention

Voice phishing attacks can be difficult for victims to identify because legitimate institutions such as banks sometimes ask for sensitive personal information over the phone.[8] Phishing schemes may employ pre-recorded messages of notable, regional banks to make them indistinguishable from legitimate calls.[citation needed] Additionally, victims, particularly the elderly,[8] may forget or not know about scammers' ability to modify their caller ID, making them more vulnerable to voice phishing attacks.[citation needed]

The US Federal Trade Commission (FTC) suggests several ways for the average consumer to detect phone scams.[22] The FTC warns against making payments using cash, gift cards, and prepaid cards, and asserts that government agencies do not call citizens to discuss personal information such as Social Security numbers.[22] Additionally, potential victims can pay attention to characteristics of the phone call, such as the tone or accent of the caller[8][28] or the urgency of the phone call[22] to determine whether or not the call is legitimate.

The primary strategy recommended by the FTC to avoid falling victim to voice phishing is to not answer calls from unknown numbers.[9] However, when a scammer utilizes VoIP to spoof their caller ID, or in circumstances where victims do answer calls, other strategies include not pressing buttons when prompted, and not answering any questions asked by a suspicious caller.[9]

On March 31, 2020, in an effort to reduce vishing attacks that utilize caller ID spoofing, the US Federal Communications Commission adopted a set of mandates known as STIR/SHAKEN, a framework intended to be used by phone companies to authenticate caller ID information.[29] All U.S. phone service providers had until June 30, 2021, to comply with the order and integrate STIR/SHAKEN into their infrastructure to lessen the impact of caller ID spoofing.[29]

In some countries, social media is used to call and communicate with the public. On certain social media platforms, government and bank profiles are verified and unverified government and bank profiles would be fake profiles.[30]

Solutions

The most direct and effective mitigation strategy is training the general public to understand common traits of a voice phishing attack to detect phishing messages.[31] A more technical approach would be the use of software detection methods. Generally, such mechanisms are able to differentiate between phishing calls and honest messages and can be more cheaply implemented than public training.[31]

Detection of phishing

A straightforward method of phishing detection is the usage of blacklists. Recent research has attempted to make accurate distinctions between legitimate calls and phishing attacks using artificial intelligence and data analysis.[32] To further advance research in the fake audio field, different augmentations and feature designs have been explored.[33] By analyzing and converting phone calls to texts, artificial intelligence mechanisms such as natural language processing can be used to identify if the phone call is a phishing attack.[32]

Offensive approaches

Specialized systems, such as phone apps, can submit fake data to phishing calls. Additionally, various law enforcement agencies are continually making efforts to discourage scammers from conducting phishing calls by imposing harsher penalties upon attackers.[31][29]

Notable examples

Between 2012 and 2016, a voice phishing scam ring posed as Internal Revenue Service and immigration employees to more than 50,000 individuals, stealing hundreds of millions of dollars as well as victims' personal information.[5] Alleged co-conspirators from the United States and India threatened vulnerable respondents with "arrest, imprisonment, fines, or deportation."[5] In 2018, 24 defendants were sentenced, with the longest imprisonment being 20 years.[5]

COVID-19 Scams

On March 28, 2021, the Federal Communications Commission issued a statement warning Americans of the rising number of phone scams regarding fraudulent COVID-19 products.[34] Voice phishing schemes attempting to sell products which putatively "prevent, treat, mitigate, diagnose or cure" COVID-19 have been monitored by the Food and Drug Administration as well.[35]

Beginning in 2015, a phishing scammer impersonated Hollywood make-up artists and powerful female executives to coerce victims to travel to Indonesia and pay sums of money under the premise that they'll be reimbursed. Using social engineering, the scammer researched the lives of their victims extensively to mine details to make the impersonation more believable. The scammer called victims directly, often multiple times a day and for hours at a time to pressure victims.[36]

Thamar Reservoir Cyberattack

The 2015 cyber attack campaign against the Israeli academic Dr. Thamar Eilam Gindin illustrates the use of a vishing attack as a precursor to escalating future attacks with the new information coerced from a victim. After the Iran-expert academic mentioned connections within Iran on Israeli Army Radio, Thamar received a phone call to request an interview with the professor for the Persian BBC. To view the questions ahead of the proposed interview, Thamar was instructed to access a Google Drive document that requested her password for access. By entering her password to access the malicious document, the attacker can use the credentials for further elevated attacks.[37]

Mobile Bank ID Scam

In Sweden, Mobile Bank ID is a phone app (launched 2011) that is used to identify a user in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, the user enters a password in the phone and is logged in. In this scam, malicious actors called people claiming to be a bank officer, claimed there was a security problem, and asked the victim to use their Mobile Bank ID app. Fraudsters were then able to log in to the victim's account without the victim providing their password. The fraudster was then able to transfer money from the victim's account. If the victim was a customer of the Swedish bank Nordea, scammers were also able to use the victim's account directly from their phone. In 2018, the app was changed to require users to photograph a QR code on their computer screen. This ensures that the phone and the computer are colocated, which has largely eliminated this type of fraud.

See also

References

  1. ^ a b Griffin, Slade E.; Rackley, Casey C. (2008). "Vishing". Proceedings of the 5th annual conference on Information security curriculum development - InfoSecCD '08. p. 33. doi:10.1145/1456625.1456635. ISBN 9781605583334.
  2. ^ "'Vishing' scams net fraudsters £7m in one year". The Guardian. Press Association. 2013-08-28. Retrieved 2018-09-04.
  3. ^ a b Olson, Elizabeth (2018-12-07). "When Answering the Phone Exposes You to Fraud". The New York Times. ISSN 0362-4331. Retrieved 2021-04-08.
  4. ^ a b "Chinese Robocalls Bombarding The U.S. Are Part Of An International Phone Scam". NPR.org. Retrieved 2021-04-08.
  5. ^ a b c d Hauser, Christine (2018-07-23). "U.S. Breaks Up Vast I.R.S. Phone Scam". The New York Times. ISSN 0362-4331. Retrieved 2021-04-06.
  6. ^ Statt, Nick (2019-09-05). "Thieves are now using AI deepfakes to trick companies into sending them money". The Verge. Retrieved 2021-04-08.
  7. ^ Steinmetz, Kevin F.; Holt, Thomas J. (2022-08-05). "Falling for Social Engineering: A Qualitative Analysis of Social Engineering Policy Recommendations". Social Science Computer Review. 41 (2): 592–607. doi:10.1177/08944393221117501. ISSN 0894-4393. S2CID 251420893.
  8. ^ a b c d Song, Jaeseung; Kim, Hyoungshick; Gkelias, Athanasios (2014-10-01). "iVisher: Real-Time Detection of Caller ID Spoofing". ETRI Journal. 36 (5): 865–875. doi:10.4218/etrij.14.0113.0798. ISSN 1225-6463. S2CID 16686917.
  9. ^ a b c d "Caller ID Spoofing". Federal Communications Commission. 2011-05-04. Retrieved 2021-04-06.
  10. ^ The AT&T Business Editorial Team. "What is VoIP and how does it work?". {{cite web}}: |last= has generic name (help)
  11. ^ "Voice Over Internet Protocol (VoIP)". Federal Communications Commission. 2010-11-18. Retrieved 2021-04-08.
  12. ^ Federal Communications Commission. "REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING" (PDF).
  13. ^ a b c Khonji, Mahmoud; Iraqi, Youssef; Jones, Andrew. "Phishing Detection: A Literature Survey" (PDF). IEEE Communications Surveys & Tutorials. 15.
  14. ^ Fowler, Thomas; Leigh, John. "Phishing, Pharming, and Vishing: Fraud in the Internet Age". The Telecommunications Review. CiteSeerX 10.1.1.136.3368.
  15. ^ "Phone scammers: 'Give me £1,000 to stop calling you'". BBC News. 2021-03-14. Retrieved 2021-04-08.
  16. ^ a b c d e f IBM Global Technology Services. "The vishing guide" (PDF).
  17. ^ Choi, Kwan; Lee, Ju-lak; Chun, Yong-tae (2017-05-01). "Voice phishing fraud and its modus operandi". Security Journal. 30 (2): 454–466. doi:10.1057/sj.2014.49. ISSN 0955-1662. S2CID 154080668.
  18. ^ "What You Need to Know About Romance Scams". Consumer Information. 2019-06-05. Retrieved 2021-04-08.
  19. ^ 新竹市警察局 (2017-01-09). "常見詐騙手法分析-新竹市政府". 新竹市警察局. Retrieved 2021-04-08.
  20. ^ a b "How to Spot, Avoid and Report Tech Support Scams". Consumer Information. 2019-02-15. Retrieved 2021-04-08.
  21. ^ "Tech Support Scams". Federal Trade Commission. 2018-10-05. Retrieved 2021-04-08.
  22. ^ a b c d e "Phone Scams". Consumer Information. 2019-09-25. Retrieved 2021-04-08.
  23. ^ "Charity and Disaster Fraud". Federal Bureau of Investigation. Retrieved 2021-04-08.
  24. ^ a b "Watch out for Auto Warranty Scams". Federal Communications Commission. 2011-02-11. Retrieved 2021-04-08.
  25. ^ Giorgianni, Anthony. "Don't Fall for the Car Warranty Scam". Consumer Reports. Retrieved 2021-04-08.
  26. ^ "FBI Warns Public of 'Virtual Kidnapping' Extortion Calls — FBI". www.fbi.gov. Retrieved 2021-04-08.
  27. ^ 刑事警察大隊 (2015-11-26). "遇到假綁架詐騙別心慌 冷靜求證不受騙". 刑事警察大隊. Retrieved 2021-04-08.
  28. ^ Shamah, David. "Anatomy of an Iranian hack attack: How an Israeli professor got stung". www.timesofisrael.com. Retrieved 2021-04-08.
  29. ^ a b c Federal Communications Commission. "REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING" (PDF).
  30. ^ "內政部警政署 165 全民防騙網". 165.npa.gov.tw. Retrieved 2021-04-08.
  31. ^ a b c Khonji, Mahmoud; Iraqi, Youssef; Jones, Andrew. "Phishing Detection: A Literature Survey" (PDF). IEEE Communications Surveys & Tutorials. 15.
  32. ^ a b Kim, Jeong-Wook; Hong, Gi-Wan; Chang, Hangbae. "Voice Recognition and Document Classification-Based Data Analysis for Voice Phishing Detection" (PDF). Human-centric Computing and Information Sciences.
  33. ^ Cohen, Ariel; Rimon, Inbal; Aflalo, Eran; Permuter, Haim H. (June 2022). "A study on data augmentation in voice anti-spoofing". Speech Communication. 141: 56–67. arXiv:2110.10491. doi:10.1016/j.specom.2022.04.005. S2CID 239050551.
  34. ^ "COVID-19 Robocall Scams". Federal Communications Commission. 2020-07-17. Retrieved 2021-04-06.
  35. ^ Affairs, Office of Regulatory (2021-04-02). "Fraudulent Coronavirus Disease 2019 (COVID-19) Products". FDA.
  36. ^ "Hunting the Con Queen of Hollywood: Who's the "Crazy Evil Genius" Behind a Global Racket?". The Hollywood Reporter. 2018-07-11. Retrieved 2021-04-06.
  37. ^ Shamah, David. "Anatomy of an Iranian hack attack: How an Israeli professor got stung". www.timesofisrael.com. Retrieved 2021-04-06.