
Insights by Cathay

Vishing: Understanding, Identifying, and Preventing Voice-Based Attacks

We use technology for pretty amazing things: improving medical practices, automating manual tasks, and more. However, with advancing tech also comes increasingly complex threats. One is vishing — or “voice phishing.” 

In 2022 alone, phishing attacks were the second most common cause of data breaches, costing organizations an average of $4.9 million in breach expenses. Vishing is one form of phishing, a fraud trend that has emerged as a significant cybersecurity threat, causing mass operational disruptions and financial losses for businesses across industries.

Curious about what exactly this risk is and how it can be prevented? We’re covering that in this blog. 

 

What Is Vishing?

Vishing is a type of social engineering attack where scammers use phone calls or voice messages to deceive you into revealing confidential information, such as passwords, credit card numbers, or personal details. Cybercriminals can then use these details for identity theft and financial theft. 

Attackers usually masquerade as trusted entities to deceive recipients, such as the victim’s bank, the IRS, or a package delivery service. Some will use a toll-free number to appear legitimate, while others use Voice over Internet Protocol (VoIP) technology to appear as trusted organizations.

A vishing scam can impact anyone, but fraudsters often target the elderly; new, untrained employees; and team members who regularly receive external calls as part of their roles. In fact, 20% of all vishing victims are aged 60 and above, meaning criminals prey on older people who may not have the knowledge or resources to know when they’re being lied to. If you or a loved one falls under these categories, it’s best to always be vigilant and aware.

 

Vishing vs. Phishing vs. Smishing

Vishing and smishing — another increasingly popular form of fraud — are types of phishing schemes. While they fall under the umbrella of phishing, there are unique aspects of these types of attacks that make them particularly dangerous: 

Phishing

A phishing attack typically occurs through email or fake websites, aiming to trick users into clicking malicious links or downloading harmful attachments. 

How it works:

  • Baiting the victim: Attackers send deceptive emails, messages, or fake websites that appear to be from legitimate sources. They often create a sense of urgency, like a warning about account suspension or an odd transaction.
  • Luring the click: The message typically contains a malicious link or attachment they want you to click on. It may lead to a fake login page that looks identical to a real one, tricking you into divulging sensitive information.
  • Harvesting information: When you type in your information, the attacker captures it. Also, the email may contain an attachment that installs malware to steal confidential information or give the attacker remote access to your device.
  • Exploiting the data: Attackers may sell your data on the dark web or use it for identity theft, financial fraud, or further attacks.

Common types of phishing:

  • Email phishing: Fake emails pretending to be from trusted sources.
  • Spear phishing: Targeted attacks against specific individuals or organizations.
  • Whaling: Phishing aimed at high-profile targets like executives.
  • Smishing and vishing: Phishing through SMS (smishing) or phone calls (vishing).
  • Clone phishing: Attackers duplicate a legitimate email and alter links to malicious ones.

Smishing

Smishing employs deceptive text messages to lure victims into divulging sensitive information or clicking malicious links. 

How it works: 

  • Sending the bait: Attackers send a fraudulent text that appears to come from a reputable source. They often contain messages that create urgency, offer fake rewards, or pretend to be security alerts.
  • Tricking the victim: The text will contain a malicious link or a phone number to call. If you click on the link, it will lead to a fake website that looks like a real one, prompting you to enter your login credentials or payment details. If you call the number, the scammer impersonates a real organization and asks for private information.
  • Stealing information: Once you provide your information, fraudsters can access your bank account, emails, or social media platforms, install malware on your phone, and use the stolen credentials for identity theft or further fraud.

Common examples of smishing: 

  • Bank fraud alerts: “Your account is locked due to suspicious activity. Click here to unlock it.”
  • Delivery scams: “Your package is delayed. Update your address here: [malicious link].”
  • Fake tech support: “Your device has a virus! Call this number to remove it.”
  • Gift card scams: “Congratulations! You won a $500 gift card. Claim it now.”

Vishing

Vishing relies on direct voice communication. Scammers may use caller ID spoofing to appear as though they are calling from legitimate phone numbers, making the deception more convincing.

The important thing to remember is any of these types of attacks could compromise your personal information. The main difference between the three is how the scammer obtains the information, but the end result is the same: they get unauthorized access to your money and identity. 

 

Common Tactics Used in Vishing Attacks

You now know what a vishing attack is and how it differs from other types of phishing schemes. But how can you know when you’re being tricked and when a call or voice message is legitimate? A good rule of thumb is to assume that if something seems too good to be true, it probably is. Being extra cautious with your information is critical, as your login credentials are often the only thing keeping you from financial loss.

Here are the most commonly used types of vishing scams you should be aware of:

Impersonation of Trusted Entities

Attackers frequently impersonate trusted organizations, like banks, tech companies, or government agencies, to appear credible. By claiming to be from well-known entities, scammers gain your trust and make it easier to extract information.

Urgency and Fear Tactics

Scammers often create a sense of urgency by warning of dire consequences, like account suspension, fraud alerts, or legal action, if the victim doesn’t comply immediately. This tactic pressures you into acting quickly without verifying the legitimacy of the vishing call.

Technical Support Scams

Fraudsters often pose as tech support agents claiming to fix a supposed issue with your computer, phone, or online account. They may request remote access or ask for login details, banking information, or other private data under the guise of assisting.

Banking Scams

Vishing attackers may also attempt to steal financial details like your bank account and credit card number by pretending to be your bank. They may use caller ID spoofing, displaying a legitimate-looking caller ID, to pose as a bank team member and gain access to your account.

Unsolicited Investment and Loan Offers

Scammers may call you offering unrealistically great deals, like a quick way to pay off student debt or get-rich-quick schemes. These offers may seem enticing, but there’s a catch: you must take a specific action quickly and pay a fee. A legitimate lender or investor would never initiate an unsolicited call or promise deals that seem way too optimistic.

Social Security and Medicare Scams

Because a large percentage of victims are older adults, a popular method among cybercriminals is to pose as representatives from Medicare or the Social Security Administration. They may attempt to gain unauthorized access to your account by threatening to suspend or stop benefits unless you provide your Medicare information or Social Security number.

Tax Scams

Fraudsters will impersonate tax authorities, such as the IRS in the United States or HMRC in the United Kingdom. They do this to steal personal information or demand fraudulent payments over the phone. These scams often use fear tactics and urgency to pressure you into complying, threatening fines or punishments if you don’t do what they want quickly. 

Workplace Impersonation Scams

Attackers pose as company executives, HR representatives, or IT personnel to manipulate you into sharing sensitive company data, login credentials, or financial details. They may claim there’s an urgent payroll issue, a security breach, or a required system update to trick you into compliance. 

Family Emergency Scams

Scammers pretend to be a distressed relative or law enforcement official, claiming that your loved one is in trouble – such as being in an accident, arrested, or hospitalized. They pressure you into sending money immediately, often through untraceable methods like gift cards or wire transfers. 

Voice Cloning Scams

Using AI-generated voice technology, attackers create deepfake voice recordings that mimic someone you know, like a boss, coworker, or family member. They may request urgent financial transfers or private information, making the scheme harder to detect. 

 

Vishing FAQs

Still have some questions about vishing schemes and how to keep yourself and your workplace safe from threats? Here are a few top queries that we often get asked: 

How can organizations protect against phishing threats?

Whether it’s vishing, smishing, or other types of phishing schemes, it’s important to be vigilant. No matter what type of industry you work in, your organization could be targeted, making proactive action essential. 

First, protect your computer by using security software, and set that software to update automatically. This will ensure your device always has the latest and most secure software to help deal with new threats. Next, set your phone’s software to update automatically. Similar to your computer, these updates will give you protection against scams and keep your information out of harm’s way. 

Strong passwords and multi-factor authentication are also critical for securing your organization from phishing attacks. The additional factor could include a passcode, a PIN, or the answer to a security question, giving you one extra layer of protection.

What role does security awareness training play in preventing a vishing attempt? 

Often, people don’t know what types of risks they face because they’ve never been taught. In fact, 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error. 

Security awareness training is the process of educating people to understand, identify, and avoid cyber threats. When you know the signs of a vishing attack and what to look out for, it’s easier for you to spot threats before they become problems. 

Additionally, phishing breaches cost organizations about $4.88 million, and team member training was the deciding variable: poorly trained team members were the biggest cost-amplifying factor, while well-trained team members were the biggest cost-mitigating factor.

How many people are impacted by phishing schemes annually?

About 65% of all phishing attacks target organizations, while 35% target individuals. While it’s hard to tell exactly how many people are impacted by phishing schemes, there’s been a 49% increase in phishing since 2021, per Hoxhunt. From organizations in every industry to retired individuals with devices, phishing can cause problems for anyone who doesn’t use due diligence. 

 

Protecting Against a Vishing Scam: Start With Cathay Bank

Cybercriminals are constantly finding new ways to steal personal and financial information. Without help, it can feel overwhelming to take proactive steps. First, open a secure account with Cathay Bank. Our team members can guide you through safety best practices, helping you keep your personal information out of the wrong hands.

Other tips and best practices to build into your routine include:

  • Be cautious with unsolicited calls.
  • Don’t share personal information over the phone.
  • Treat caller ID with caution.
  • Question unusual requests or demands.
  • Set up call blocking and reporting.
  • Boost email security with a strong password.
  • Hang up and verify by calling the number on the back of your card.

For more information on vishing or safety tips, visit our Security Information Center, your resource for a safer and more secure banking experience. 

This article does not constitute legal, accounting or other professional advice. Although the information contained herein is intended to be accurate, Cathay Bank does not assume liability for loss or damage due to reliance on such information.
