You may have heard of this scenario on the news: someone gets an urgent phone call from a person claiming to be from the IRS, saying they owe a large sum in unpaid taxes and that an officer will come to their door if they don't pay immediately. Caught in a state of panic, the target of the vishing attack sends an electronic payment on the spot. By the time the victim realizes their mistake, it's too late: their financial institution tells them the money is gone.
What is a vishing attack?
A vishing attack is a type of phishing attack in which a threat actor uses social engineering over voice communication to scam a target. The word "vishing" blends "voice" (or "VoIP", Voice over Internet Protocol) with "phishing." The scammer typically tries to convince the target either to send money or to share sensitive information such as:
- Date of birth
- Credit card information
- Banking data
- Government-issued numbers (e.g. Social Security or Social Insurance)
Vishing vs. smishing vs. phishing
Vishing, phishing, and smishing differ only in the channel the attacker uses. Phishing has been around since at least the early days of e-mail, and "vishing" and "smishing" are each a blend of "phishing" with the name of the communication method. Vishing (voice phishing) takes place over voice calls, and smishing (SMS phishing) uses SMS text messages as the attack medium.
What is a social engineering attack?
Most forms of phishing, including vishing, rely on social engineering. In cybersecurity, social engineering is the manipulation of human emotions to short-circuit a target's rational thinking and push them into an action they would otherwise question. Here are some ways social engineering can strengthen a vishing attack:
- Fear: During an IRS scam, a scammer may scare a target into paying fake taxes with threats of imprisonment.
- Greed: A bad actor may tell a target about a fake lottery win and ask for a payment for the taxes and fees in advance.
- Love: A scammer may pose as a romantic partner and ask for money for air travel or an emergency. Such scams often start on social media and later move to phone calls.
- Anger: A scammer may exploit anger by soliciting donations to campaign against an unpopular political candidate, for example.
- Compassion: A fake charity may cold-call people to collect money for a disaster, emergency, or other seemingly noble cause. In a classic example of elder fraud, scammers pose as a relative or acquaintance in trouble and ask an elderly target for help.
How is vishing done?
Vishing marries social engineering with voice communication tools. An attacker may use robocalls, international phone numbers, or Voice over Internet Protocol (VoIP) software to launch an attack. Caller ID spoofing lets the attacker display whatever number they like, so the number on the screen may even match the organization they are impersonating. Scammers can also send fraudulent text messages that direct victims to call them via a link or phone number. Vishing can target individuals and organizations: a threat actor may use such a call to gather intelligence from a company, for example by posing as a colleague or a vendor.
Vishing attack example
Unfortunately, many people get caught in vishing scams every year. Often the threat of owing money to a government agency is convincing and scary enough for victims to pay. In the US, vishing scammers often pose as Internal Revenue Service (IRS) officers calling to collect taxes, threatening jail time if the victim doesn't pay what they supposedly owe. In reality, the IRS generally makes first contact about unpaid taxes by postal mail, not by phone, and does not demand immediate payment by a specific method.
The same is true in Canada, where a number of Canadians have been "vished" by threat actors claiming to be the Canada Revenue Agency (CRA). One victim of this scam described how he felt so stupid for falling for it, and said that was one of the hardest parts of the whole situation for him.
Sometimes, vishing attacks famously backfire, as when Keniel Aeon Thomas of Jamaica picked the wrong target. The scammer probably thought he had an easy mark when 90-year-old William Webster picked up the phone. Thomas told Mr. Webster that he and his wife Lynda had won $15.5 million and a Mercedes-Benz, but that before he could share the winnings, the Websters would need to send a $50,000 bank wire to cover the taxes. Little did the extortionist know that Webster was a former CIA Director, FBI Director, and federal judge. The couple contacted the FBI so an agent could listen in on the calls, and the scammer ultimately ended up serving time thanks to the Websters' quick thinking.
Unfortunately, most vishing stories don't end as well. Before Thomas was sentenced, he had scammed 30 people out of hundreds of thousands of dollars. That's why it's important to be able to recognize a vishing or scam call attempt, so you are protected when the next call comes.
How to stop vishing
People who fall victim to vishing attacks are often well informed of the risk but simply caught off guard. Threat actors change their tactics regularly to fool people in new ways. You may pick up a call on a busy day when a vishing attempt is the last thing you expect, or the caller may use information that sounds familiar enough to be convincing. To stay alert and be ready if you get one of these calls, here are some things to remember:
- Pay attention to the caller's tone. Scammers often use a discourteous or impatient tone to imply urgency or create fear, unlike the trained employees of the organization they claim to represent.
- Stay calm and take a breath. Vishing attackers create a false sense of urgency by exploiting your emotions. Don't share any sensitive information over the phone until you have verified the caller's identity: hang up, look up the organization's official number yourself, and call it directly. Never use a callback number the caller gives you.
- Keep your guard up even if the caller already has some of your information. Details like your name, location, or employer are easy to find online, and a caller knowing them proves nothing about who they are.
- Screen your calls and don't pick up unknown or suspicious numbers. Caller ID can be spoofed, so a familiar-looking number is not proof of who is calling. Let the caller leave a voice message and decide afterwards whether to call back. Remember, many robocall scams follow a recognizable script.
- Exercise caution and simply hang up if you suspect a scam.
How do I report vishing?
In the US, report vishing scams to the FTC and to the FBI (for example through the FBI's Internet Crime Complaint Center, IC3), or to the appropriate law enforcement agency in your country. You can also contact the organization the scammer is impersonating, such as the IRS if you suspect you are the target of an IRS scam. If the caller says they are with a certain organization, look up that organization's official phone number and call it directly to ask about the calls.