What Is Vishing?
Vishing is a type of phishing attack where scammers use phone calls to steal sensitive information. Unlike email phishing, vishing takes advantage of the personal and direct nature of voice communication.
Scammers generally operate in real-time, using social engineering tactics to deceive victims. They often pretend to be from well-known entities like banks or government agencies. Some scams involve pre-recorded messages, known as robocalls, which have become widespread due to their ease of use and scalability.
Now, in 2024, a new threat is emerging with generative AI. Scammers are able to automate large-scale vishing attacks, using AI to mimic human social engineering tactics that have effectively tricked victims for years.
Real Examples of Vishing
It's a misconception that robocalls are easy to spot. Enhancements in text-to-speech tools have transformed these computer-generated calls into highly realistic scams, complete with language fillers and natural breathing pauses.
In this section, we'll hear real examples of vishing, focusing on robocalls and sophisticated vishing calls powered by generative AI. These recordings will equip you with practical knowledge to help protect yourself from becoming a victim.
Robocall: IRS Scam
Here is an example of a scam call impersonating the IRS. In this recording, you will hear advanced text-to-speech technology and social engineering tactics that make this scam extremely hard to spot.
AI-Powered Vishing: Password Reset Scam
This example was created using CanIPhish's vishing simulation technology. In this scenario, an AI bot calls a real person and convinces them to hand over information.
What Are Common Vishing Techniques
Vishing attacks rely on a mix of psychological tricks and technological tactics to deceive individuals into sharing sensitive information over the phone. While the scams themselves vary, most use at least one, and often all four, of these common vishing techniques:
Caller ID Spoofing
Scammers manipulate the caller ID to make it seem like the call is coming from a legitimate source, such as a bank, government office, or local business. This technique is effective because people tend to trust familiar phone numbers and are more likely to pick up and believe the caller.
Example: A scammer fakes a bank’s phone number, making the recipient believe they are speaking to their bank, thus making them more likely to divulge personal banking information.
Social Engineering
Social engineering is the art of manipulating people into taking certain actions or sharing information by playing on their emotions. Vishing attackers use psychological tactics like fear, trust, urgency, or authority to make victims act quickly without thinking.
Example: A scammer impersonates a law enforcement official, telling the victim they are under investigation and must provide personal information to avoid arrest, creating a sense of fear and urgency.
Pretexting
Pretexting involves creating a fictional scenario to trick the victim into providing sensitive details. Attackers often come up with elaborate backstories to make the request for information seem plausible.
Example: A scammer may pose as an IT support technician from a victim's company, asking for login credentials under the pretext of fixing a technical issue.
VoIP (Voice over Internet Protocol)
VoIP allows scammers to make thousands of calls cheaply and quickly over the internet. This technology lets attackers create and use multiple fake numbers, making it hard for victims to trace the source of the call.
Example: Using VoIP, a scammer can call hundreds of potential victims in a single day, all with different phone numbers, avoiding detection and making it more difficult for phone providers to block them.
9 Common Vishing Scams To Watch Out For
Vishing scams can be very tricky because they use automated messages, real people, or even AI to sound convincing. Scammers like vishing because it can be easily changed to fit different situations. When you're on a phone call and feel rushed, it's easy to make quick decisions that lead to bad outcomes.
Here are 9 common vishing scams being used by scammers in 2024 against both individuals and businesses:
Bank Verification Scams
Scammers claim to be calling from your bank, saying they need to verify your account due to suspicious activity. They ask for your account number, PIN, or password to steal money.
Tax Authority Scams
Fake tax officials say you owe taxes and must pay immediately or face legal trouble. They pressure you to make a quick payment to a supposed safe account that is actually theirs.
Government Grant Scams
You receive a call about being eligible for a government grant, but you must pay a fee to get it. The grant is fake, and the fee goes straight to the scammer.
Prize Scams
You’re told you've won a lottery or prize but must pay a fee or give your bank details to claim it. There is no prize, and they use your information to steal from you.
Loan or Credit Scams
Scammers offer fake loans or credit cards but ask for an upfront fee or your financial details first. They take the fee or use your details for identity theft.
Charity Scams
Callers ask for donations to fake charities, especially during emergencies or holidays. They use your willingness to help as a way to take your money or personal information.
Insurance Scams
You're offered unrealistically cheap insurance and asked for personal information or payment upfront. The insurance doesn't exist, and they use your information to steal from you.
Utility Scams
Scammers claim to be from a utility company, saying your service will be cut off for non-payment. They demand immediate payment through specific methods like gift cards or wire transfers.
Password Reset Scams
Using AI, live callers or robocalls, scammers make calls that sound like real companies asking you to reset your password. They direct you to fake websites where they steal your login details.
Practical Tips To Avoid Vishing Attacks
Vishing, or voice phishing, can be a serious threat to your personal information and finances. Protecting yourself from these scams requires a mix of awareness, smart practices, and technical precautions. Here’s how you can avoid falling victim to vishing attacks:
Recognize the Signs of Vishing
Many vishing scams have telltale signs. Learning to recognize these red flags can help you avoid being tricked. Common warning signs include:
- Unfamiliar or blocked caller IDs: Be cautious if you receive calls from numbers you don’t recognize or if the caller hides their number.
- Inconsistent or suspicious stories: If the caller’s explanation doesn’t add up or contradicts what you've heard before, it’s likely a scam.
- High-pressure tactics: Scammers often create a sense of urgency, making you feel like you need to act immediately. This is a major red flag.
- Requests for confidential information: Legitimate organizations will never ask for sensitive information, like passwords or Social Security numbers, over an unsolicited call.
Establish Personal Protocols for Phone Conversations
It’s important to have your own personal rules when it comes to sharing information over the phone. If someone calls asking for sensitive details, always verify who they are before providing any information.
Actionable Tips:
- Never share personal or financial details unless you can independently verify the caller’s identity.
- If you feel unsure, hang up and call the organization back using a number you know is legitimate.
- Be cautious about any unsolicited calls asking for personal information, no matter how convincing they sound.
Use Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a simple yet powerful way to protect your accounts. By requiring a second form of identification—such as a code sent to your phone or a fingerprint scan—you make it much harder for scammers to access your accounts, even if they’ve obtained some of your personal information.
How it helps: Even if a scammer gets hold of your login details through a vishing attack, MFA adds an extra layer of security that they won’t be able to bypass without your second form of verification.
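The following is an added example, not code from the original article or from CanIPhish, showing why a stolen password alone is not enough once a second factor is enforced. It assumes the second factor is a time-based one-time code (TOTP, RFC 6238) generated by an authenticator app; the account, password, salt and TOTP seed are constructed demo values (the seed is the RFC 6238 test secret, chosen so the generator can be checked against the RFC's published vectors), and `MfaLogin`, `verify_code` and `demo` are names invented here.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo credentials (not from any real system). The TOTP seed is the
# RFC 6238 Appendix B test secret, which lets the generator be checked against
# the RFC's published test vectors.
_SALT = b"demo-salt-not-for-production"
_PASSWORD = "correct horse battery staple"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", _PASSWORD.encode(), _SALT, 100_000)
_TOTP_SECRET = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30   # RFC 6238 default time step, in seconds
DIGITS = 6


def totp(secret_b32: str, for_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(candidate: str) -> bool:
    """Derive the candidate's PBKDF2 hash and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(derived, _PASSWORD_HASH)


class MfaLogin:
    """Login that requires the password AND a fresh, single-use TOTP code."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew_steps = skew_steps      # tolerate one step of clock drift either way
        self.last_used_counter = -1       # replay protection: each time step is used once

    def verify_code(self, code: str, now: int) -> bool:
        for drift in range(-self.skew_steps, self.skew_steps + 1):
            t = now + drift * TIME_STEP
            counter = t // TIME_STEP
            if counter <= self.last_used_counter:
                continue                  # code for this step already consumed
            if hmac.compare_digest(totp(self.secret, t), code):
                self.last_used_counter = counter
                return True
        return False

    def login(self, password: str, code: Optional[str], now: int) -> str:
        """Password is checked first; a missing, stale or replayed code still denies access."""
        if not check_password(password):
            return "denied: bad password"
        if code is None:
            return "denied: second factor required"
        if not self.verify_code(code, now):
            return "denied: bad or expired code"
        return "ok"


def demo() -> dict:
    """Walk through the outcomes a vishing victim's stolen password would produce."""
    now = 1_700_000_000                   # fixed clock so the run is reproducible
    login = MfaLogin(_TOTP_SECRET)
    fresh = totp(_TOTP_SECRET, now)
    stale = totp(_TOTP_SECRET, now - 5 * TIME_STEP)   # code from 2.5 minutes earlier
    return {
        "wrong_password": login.login("hunter2", fresh, now),
        "password_only": login.login(_PASSWORD, None, now),
        "stale_code": login.login(_PASSWORD, stale, now),
        "password_and_code": login.login(_PASSWORD, fresh, now),
        "replayed_code": login.login(_PASSWORD, fresh, now + 5),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

Two properties matter for the vishing case: the code is only accepted within a short window around the current time step, and a code that has already been used is rejected even inside that window, so a code a scammer extracted earlier in the call cannot be reused later.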
Stay Skeptical of Unsolicited Calls
A healthy level of skepticism can go a long way. If you receive an unexpected call from someone claiming to be from a bank, government agency, or tech support, it’s okay to question their legitimacy. Scammers rely on the fact that most people won’t challenge them.
What you can do:
- Don’t be afraid to ask questions and request proof of the caller’s identity.
- If something feels off, trust your instincts, and don’t hesitate to end the call.
- Always verify the information with the organization directly before taking any action.
Frequently Asked Questions
How do vishing attacks typically occur?
Vishing attacks often involve a scammer calling the victim, posing as a bank representative, government official, or tech support, and manipulating them into sharing confidential information.
What makes vishing calls different from regular phishing attempts?
Unlike traditional phishing, which primarily uses emails, vishing exclusively uses voice calls or voicemails, leveraging the personal touch and immediacy of a phone call to scam victims.
How can I identify a vishing attempt?
Be alert for unsolicited calls asking for personal information, calls instilling a sense of urgency or fear, and calls from unfamiliar or blocked numbers.
What steps can I take to protect myself against vishing?
Educate yourself about vishing, verify callers' identities by calling back through official numbers, never share personal information on unsolicited calls, and use call-filtering technology.
Can vishing affect both individuals and businesses?
Yes, vishing can target individuals and businesses, with tactics often tailored to exploit the specific vulnerabilities and trust relationships in each context.