Until now, we have discussed phishing attacks that for the most part rely solely on email as a means of communication. Email is undoubtedly a popular tool among phishers. Even so, fraudsters do sometimes turn to other media to perpetrate their attacks.
Take vishing, for example. This type of phishing attack replaces the email with a phone call. As noted by Comparitech, an attacker can perpetrate a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server that mimics various entities in order to steal sensitive data and/or funds.
Techniques Used in Vishing
Here are some common techniques used in vishing attacks:
- “The mumble technique”: Digital attackers will oftentimes incorporate unique tactics to go after specific targets. For instance, as reported by Social-Engineer, LLC, when they attempt to target customer service representatives or call center agents, malicious actors might use what’s known as “the mumble technique” to mumble a response to a question in the hopes that their “answer” will suffice.
- Technical jargon: If malicious actors are targeting a company’s employees, Social-Engineer, LLC noted that they might impersonate in-house tech support by using technical jargon and alluding to things like speed issues and badging to convince an employee that it is okay for them to hand over their information.
- ID spoofing: With this tactic, a malicious actor disguises their phone number to make their call look like it is coming from a legitimate phone number in the target’s area code. Twinstate noted that this technique could lull targets into a false sense of security.
Recent Examples of Vishing Attacks
In mid-September 2020, managed care health organization Spectrum Health System published a statement warning patients and Priority Health members to be on the lookout for vishing attacks. This warning indicated that those individuals responsible for the attack had masqueraded as employees of Spectrum Health or Priority Health. They used this disguise to try to pressure individuals into handing over their information, money, or account access.
Less than two weeks later, a report emerged in which Montgomery County officials warned residents of the Virginia community to beware of scams involving Social Security Numbers. The report specifically highlighted a surge of fraudsters conducting vishing attacks in which they informed residents that their Social Security Numbers were suspended and that access to their bank accounts would be seized unless they verified their data.
How to Defend Against Vishing
To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone, and use a caller ID app.