Voice Phishing on the telephone

Voice phishing is a form of social engineering carried out over the phone. Here you will find a definition, how it is used, and how to recognize and protect yourself against vishing.

Definition: Vishing

Vishing is short for voice phishing and describes a form of fraud over the telephone. The aim is to trick the victim into giving out personal data during the call, or into taking an action such as transferring money or installing software. The method belongs to the field of social engineering, a psychological tactic by which fraudsters target people and their emotions rather than technical weaknesses. By manipulating, influencing and deceiving their victims, cybercriminals gain control over the computer systems and/or personal data of the victim or the associated company. They usually contact their victims by email, social media or, in the case of vishing, by telephone. The latter is particularly relevant in times of remote work, since it exploits a situation in which it is more difficult to consult with colleagues to verify the caller.

How voice phishing is used

Vishing can affect both (large) companies and individuals. The scam succeeds so often because the potential victims are caught off guard by the call. Grateful for the help offered, the victims trust the fraudster and hand over personal and security-relevant company data.

  • Targeting the masses

    In this case, countless telephone numbers are called automatically, mostly via VoIP services. In this type of attack, often called war dialing (a term that originally described scanning a block of telephone numbers to find modems and other devices), every telephone number in a certain area or company is called. A recorded voice message, played to the person or the answering machine, is meant to provoke a callback. If the victim calls back, the fraudster has already cleared the first hurdle. On the phone, the fraudsters then pretend to be employees of a well-known company or bank where the victim is a customer. An alleged problem, for example with a Google MyBusiness account, is “diagnosed”, and the necessary help is only offered in exchange for the release of relevant data.

  • Targeting individuals

    Such calls can, however, also be highly specific and targeted at individuals. In the case of spear phishing, the fraudster has gathered precise information about a person in the company before the attack and can use it to underline the caller’s credibility. In this type of attack, vishing is often combined with CEO fraud, in which employees receive deceptively genuine-looking messages from supposed superiors and are pressured into acting quickly through authority or time pressure.

How to detect a vishing attack and how to protect yourself?

The key to successful vishing prevention is a good awareness of what a potential scam can look like. The following questions help you respond to warning signs when a suspicious call comes in.

  • Do the callers describe themselves as employees or experts of company XY? Check the person’s role with a call to the company mentioned, using a number you look up yourself (for example on the company’s website or in your contract documents), never a number the caller gives you. Do not rely on the number shown in your caller ID either; it can be spoofed.
  • Is the caller putting you under time pressure? An exaggerated sense of urgency is a sign of a fraud attempt. Take a deep breath first and verify the claim in the same way.
  • Does the caller ask for your credit card details or access data over the phone? Legitimate companies and banks never request such data by phone. Refuse to disclose it in every case and report the incident to the company concerned.
  • Does the caller ask you to click on a link they have sent by email (phishing) or text message (smishing), or to install software on your device? This request is also unusual. Before you click on or install anything, check with your company’s IT support on how to proceed correctly.

Vishing - being aware

The Microsoft case

Time and again, the technology company Microsoft is used as a pretext for vishing attacks. This scam even has its own name: the Microsoft technical support scam. Alleged Microsoft employees call the victim and claim to want to help with a problem with their device, platform or software. For example, the caller claims that the potential victim’s computer has been infected by a Trojan or virus. They exploit the victim’s lack of knowledge and create the impression that accepting help over the phone is the only way out. During the call that follows, the fraudster walks the victim through instructions whose aim is to install software that supposedly fixes the problem, typically a remote-access tool. Once this is done, the fraudster has full remote access to the computer and, from there, potentially to corporate systems. The victim is then told to pay a sum of money for the alleged repair. If the payment is not made, the perpetrators threaten to delete data or to access sensitive data. Microsoft itself addresses the problem on its support page as follows: “All communication with Microsoft must be initiated by you. Microsoft (…) does not make unsolicited calls to request personal or financial information or to provide support for errors on your computer.” So anyone who receives an unsolicited call claiming to be from Microsoft should be vigilant and critical.

Often confused: Vishing, phishing and smishing

What these scams have in common is that the attackers pursue one of three motives: harvesting access and contact data, obtaining money by fraud, or spreading malware. The difference between vishing, phishing and smishing lies only in the channel used to deliver the message. The three methods are also often used in combination.

  • Vishing / voice phishing is the method described above, intended to entice people to give out their data over the phone or to transfer money directly.
  • Phishing / email phishing is the most common scam and often contains links or attachments that download malware to the device. This can lead to ransom demands for the recovery of encrypted data.
  • Smishing / SMS phishing is an attack via text message that calls upon victims to follow a link or call a number.

SoSafe’s voice phishing simulation

Awareness training sensitizes employees to vishing and its dangers. SoSafe offers e-learnings on voice phishing as well as simulations in which your employees are confronted with realistic scenarios. Would you like to test the voice phishing simulation? One way to sensitize your employees is to use digital learning formats, in which common scams and the signs employees should watch for to recognize a vishing call are explained. SoSafe’s e-learnings, for example, contain micro-learning modules on vishing and social engineering.

The SoSafe vishing simulation goes one step further. Here, employees are automatically called and confronted with a realistic vishing call. In this way, they experience a potential vishing attack in a realistic setting on the phone. You are, of course, also welcome to test this vishing simulation yourself. We will gladly make sample calls to your cell phone. The calls are general and fit into an office context. Within the next seven days you will receive up to three completely harmless sample calls, just as your employees would receive them as part of our awareness building. At the end of the test you will receive the evaluation. If you decide to commission SoSafe, the voice phishing simulation will of course be tailored to your company or industry in consultation with you.

Test our voice phishing simulation

About SoSafe:

The SoSafe awareness platform sensitizes and trains employees in IT security. Phishing simulations and interactive e-learnings teach employees effectively and sustainably what to pay particular attention to when using, for example, email, passwords or social media. The employer receives differentiated reporting and can finally make awareness building measurable, of course in full compliance with the GDPR.