Vishing Explained

Chances are you are familiar with phishing, the common cyber attack in which emails impersonate an authority figure or trusted company to trick the user into handing over sensitive data. However, not many people are aware that this type of attack is not limited to emails at all.

Voice phishing, or vishing, has the same intention as regular phishing, but the attack is carried out through phone calls or voice messages instead. Vishing is sometimes used as a second step to phishing: for example, falling victim to a phishing email could result in screen-locking malware being downloaded onto your device, which then displays an error message with a phone number for a very convincing ‘technician’. Phone calls can be just as effective on their own, though.


How it’s done

Vishing attackers don’t always target specific individuals, instead calling as many people as possible through the use of phone number generators. It’s common for these criminals to call numbers outside of their own country, so they use text-to-speech synthesizers and pre-recorded messages both to mask their identity and to make their voice fit the ‘persona’ they’re using. On top of this, caller ID spoofing allows these criminals to make their calls display as if they come from a legitimate source, making users much more likely to answer.

Once on the phone, the recorded message or live operator will proceed to describe the problem that has led to this call, usually involving missed payments, suspicious activity on your account, or something similarly urgent, and will ask you to confirm some of your account details.

If a user were unfortunate enough to tell them their bank details, they would quickly find their account completely emptied, with no way to trace the criminals’ phone number thanks to the fake caller ID.


Identify & Prevent

Here are some key tips to help you identify a suspicious call and stop yourself from falling victim:

  • Be wary of unknown callers
    When possible it is recommended to ignore calls from unknown numbers or send them to your voicemail. If you feel you need to answer, make sure to ask lots of questions and refrain from giving them any personal details.

  • Don’t believe caller ID
    Keep in mind whenever you answer the phone that caller ID cannot be trusted, and that a call showing a familiar name or number should be treated like a call from any other unknown caller.

  • Call back
    If a seemingly trusted company is either trying to sell something that genuinely interests you or is asking for account details due to some worrying activity, simply end the call, find the company’s official sales or support number online, and call back on that number to ensure it is genuine.

  • Report the call
    If you receive a suspicious call through your professional direct line, or even your personal mobile if it’s used for work, it’s vital that you report it to your work’s IT team to help monitor and avoid future threats.





Infosec Institute

