Vishing — criminals defrauding individuals and businesses

Published on September 3, 2020

Remember those vishing attacks in which people were tricked into sharing sensitive information about themselves or their businesses, resulting in massive financial losses? An individual shares their OTP to reverse an incorrect credit card transaction, only to learn that the caller used the OTP to empty their bank account. An employee follows instructions from the CEO to transfer money to a specific bank account, only to discover that the caller was a fraudster siphoning off the money.

People and businesses fall prey to such phishing attacks all the time, including people who are tech-savvy and aware of them. Criminals bank on that one moment when you let your guard down and give away the one piece of information they need to take your precious money.

Vishing harms individuals and businesses alike because there are always humans sitting at the end of the phone line making decisions. Humans have emotions, and emotions can be easily exploited using social engineering techniques. Our emotions can be our strengths at the best of times but can also be our biggest weaknesses. Criminals know how to exploit our emotions to get us to give away information to them.

The FBI Internet Crime Complaint Center’s (IC3) 2018 Internet Crime Report indicates that phishing, vishing, smishing, and pharming accounted for 26,379 victims and $48,241,748 in losses. ProofPoint’s 2019 State of the Phish report indicates that 49% of the infosec professionals surveyed experienced vishing in the previous year. The report also found that most people are unaware of vishing and only 18% of the people surveyed could correctly identify vishing.

Criminals use VoIP with spoofed caller IDs to ensure that their calls cannot be traced, which makes it virtually impossible for authorities to track them. Often, a lack of clear laws and jurisdiction over vishing also makes it difficult for authorities to clamp down on vishing and similar crimes.

How vishing works

Vishing attacks come in many forms. You might be talking to a human or you might be talking to a robot. There are other more complicated hybrid vishing attacks where a robot initiates calls, after which a human takes over the call.

Then there are the more terrifying AI-based vishing methods using deep fake technology, where criminals impersonate the voices of people familiar to their targets. In one such instance, criminals defrauded a company of $243,000 by using AI-based software to impersonate its CEO’s voice. The company’s country head thought he was talking to his parent company’s CEO, who asked him to transfer the money to an account within an hour, citing urgency. It was much later that they realized they had been the victims of a vishing attack.

Criminals impersonate government officers, representatives of reputed businesses, or even relatives needing urgent help. They use social engineering tactics that play on the target’s own emotions to get them to share personal and financial information.

They first create situations that elicit emotional responses from their targets, such as fear, urgency, or greed. They pose as someone who can help their targets solve a problem or win a large reward. In normal situations, giving out personal information might seem unrealistic, but when you’re faced with a huge loss or an opportunity to win a lot of money, your emotions kick in, and you might be caught unaware.

How can businesses and people prevent vishing

Vishing attacks are on the rise and many businesses deal with different types of such attacks regularly. Vishing can only be prevented by creating awareness in people and businesses, along with strategic steps taken by telecom service providers and regulations formed and enforced by governments to prevent spoofed calls.

Awareness training largely focuses on phishing and hardly talks about vishing. While financial institutions do create awareness about phishing and vishing, there needs to be a concerted effort to create awareness about hybrid attacks that combine phishing and vishing. Awareness training must be more scenario-based to ensure that people recognize the behavior patterns of criminals who carry out vishing attacks.

People must be alert when they’re being rushed into performing an action. They must be aware that genuine callers from banks and other institutions already possess complete records of their accounts. People must also be aware that criminals procure incomplete information about them or their employers through other means and then call to obtain the missing pieces. This means that giving out even small bits of sensitive information can put them in jeopardy.

A concept called the hierarchy of trust deserves mention here. People have an innate sense of trust but, depending on the value of a transaction, require an appropriate medium to solidify their trust in it. For example, high-value transactions and business deals typically require authorised paper-based documents.

Though this hierarchy of trust varies across countries and cultures, the gist of it holds globally. Businesses usually insist on higher levels of trust even for most transactions. For example, businesses require:

● Formal purchase orders for procurement of material, with payments made only after receipt of material.

● Employment of validation agencies for large payments and receipts.

● Emails and phone conversations for additional validation of transactions, along with using specific applications as the main interaction points.

For high-value transactions, people must insist on the medium with the highest level in the hierarchy of trust. Apply the four-eyes principle to all sensitive transactions: have at least two people validate every high-value transaction.

Moreover, if you are a business, you can take steps to secure your communication systems and prevent misuse. Ensure that your systems can detect, monitor, and block spoofed calls. If you do fall prey to vishing, report it to the authorities so that other people do not fall for the same scam.

Verify the authenticity of calls by calling institutions back on the numbers published on their official channels, such as websites or financial statements. Ask to speak with an employee of the institution, or visit in person. Consult financial auditors or lawyers when financial and legal issues are at play in transactions. Experts in finance and legal matters can help prevent problems in the future.

How can governments prevent vishing

Governments must create and enforce regulations that prevent call spoofing. Several countries are working hard to prevent call spoofing and vishing attacks with measures that nip the problem in the bud.

STIR/SHAKEN is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. STIR, short for Secure Telephone Identity Revisited, is defined in a series of RFC standards documents published by the IETF.

Though spoofing is legal in the US and Canada as long as it is not used for commercial gain, both countries have set goals for all telecom carriers to implement STIR/SHAKEN so that all calls can be authenticated and spoofing prevented.

Other countries too are exploring policies to safeguard people against spoofing. In the UK, the government is researching alternate methods to prevent spoofed calls.

India has made spoofing illegal. Along with banning all websites and applications that support spoofing, India also has laws to jail and fine anyone spoofing calls.

Conclusion

In the past, when business was conducted in person and paid for with physical cheques, technology-related crimes were rare. People visited banks to conduct their transactions, bankers knew most of their customers personally, and the physical cheques in use required physical verification. Hard-wired phone lines were difficult to tap, and you couldn’t steal money by tapping someone’s phone line. All of this left far less scope for scams.

All this changed with the onset of digitisation and automation. Today, businesses use VoIP-based communication systems that are plugged into their networks. VoIP allows criminals to modify calls and spoof caller IDs to impersonate another person and create situations that persuade their targets to share information or perform actions that might be unthinkable if the transaction were happening in the physical world.

It is imperative that businesses realise that securing their voice communication systems is now as critical as securing their enterprise networks.