What is Vishing?
Updated: Oct 22, 2021
‘Vishing’ is a social engineering attack vector that uses the telephone (phone) network as a method to target potential victims. This is similar to how email is used for phishing attacks.
An attacker will often ‘spoof’ a genuine number for a business or organisation resulting in their outbound call showing as originating from said number – which could be a mobile or fixed landline phone number.
What is social engineering?
Social engineering attacks, like Vishing, aim to either coerce victims to disclose information to the attacker, or to get them to perform an action. An example of this would be where an attacker impersonates an online retailer or institution – i.e. a bank - and requests the victim to perform a task such as logging on to a banking portal and transferring funds, or disclosing personal or sensitive information to the attacker that can be used by them in a later attack.
Most social engineering attacks include urgency as a key driving force behind the hacker’s engagement with the victim, often citing deadlines, a situation requiring immediate action or another form of social pressure.
How does a Vishing attack impact its victims?
Vishing is similar to email phishing but can feel even more direct and personal - causing those who fall prey to the attacks to feel cheated.
People can be targeted by attackers for both financial gain and for information disclosure that can be used in further, deeper attack scenarios – for example, high net worth (HNW) individuals might fall victim to greater-impact cyber attacks as a result of associated information having previously been disclosed through a prior Vishing attack to them or members of their immediate social or commercial circle.
How does Vishing work?
Vishing attacks can be performed using industry-standard open-source software upon almost any public switched telephone network (PSTN) or SIP trunk. Leveraging these networks a fraudster spoofs their originating number (known as a Presentation number in the UK). Their spoofed calls are then sent through the telephone system which requires little verification (due to its inherently insecure design) and ultimately presents the false caller ID to the victim. The attack requires minimal cost and effort for the attacker.
Once initial trust is gained from the victim, the attacker typically uses social engineering techniques to extract information from them or asks them to action specific tasks, such as:
Accessing one of their online retail accounts in order to disclose their personally identifiable information (PII); Recent transactions etc.
Readout their personal bank login data; or – even worse - to transfer funds ‘away from a compromised account.’
HMRC – Other PII/Finance data disclosure that is blended with other victim information to orchestrate a larger and more impactful attack at a later date,
What are “callback hooks”?
Attackers may also use a call back number sent through via SMS, Email or a recorded message requiring the victim to call the number back – after which they are duped into providing personal information. For large-scale scams, professional fraud rings may go to the extent of employing an answering service or fully-staffed call centre to emulate a trusted source.
Does Vishing Work Internationally?
Yes.
The presentation number used for this type of attack is transferred to the victim’s phone regardless of their geographic locale.
Did CovertSwarm support the BBC with their vishing investigations?
Yes.
CovertSwarm were engaged by the BBC during the summer of 2021 to help them with their investigations into the risks and mitigation of Vishing attacks.
How CovertSwarm helps protect and educate our customers
CovertSwarm delivers constant cyber attack services to its global client base. We are ethical hackers who close the Cyber Risk Gap left behind by traditional ‘point in time’ Penetration Testing and Red Team approaches.
By discovering and raising awareness of what cyberattacks are uniquely possible against our clients, we can help better protect their systems, intellectual property and support their defence strategies against real-world threats from malicious hackers.
We challenge and test the security of clients’ systems, constantly. One of the many techniques we employ to ethically breach our customers is by performing call spoofing and pretending to be someone else. This technique is commonly called ‘social engineering' in the cyber industry.
Through this approach, CovertSwarm’s customers become educated to the art of the possible and raise their guard and defences against such nefarious approaches.
What steps are being taken to mitigate Vishing?
Ofcom and the ICO are working with Telco providers to reduce the number of spoofed calls being placed on the telephone network by raising awareness with consumers and through the establishment of a strategic identified numbers list which should only be permitted to place incoming calls, known as a “Do Not Originate List.” This is in addition
to additional “protected number” and “blocking” lists which are known to have been made from sources found to have generated a large number of nuisance calls.
In May (2021, Huw Saunders, a Director at the UK regulator Ofcom, stated that the current UK phone network was being updated to a new system (Voice Over Internet Protocol), which should be in place by 2025. Saunders said, "It's only when the vast majority of people are on the new technology (VOIP) that we can implement a new patch to address this problem [of Caller ID spoofing]."
https://www.bbc.co.uk/news/business-56934517
Providers of the phone lines that enable spoofing to take place are also starting to conduct more due diligence on their customers – but more needs to be done to tackle what has become a global issue.
Furthermore, fraudsters and malicious hackers will continue to adapt their attacks to bypass controls.
The overarching and best mitigation to protect yourself is to never trust any inbound call, especially when the caller asks you to provide information or take an action that is unexpected or likely to involve financial loss or PII disclosure. Always call the party you believe to be calling you on a publicly listed central phone number to confirm the validity of their request.
Ofcom and the ICO continue to collaborate to reduce the number of spoofed calls and are helping to raise awareness amongst consumers via a joint action plan that was listed in 2020: https://www.ofcom.org.uk/__data/assets/pdf_file/0034/194974/nuisance-calls joint-action-plan-2020.pdf
Telcos continue to raise awareness of the issue via various online and televised campaigns:
https://btbusiness.custhelp.com/app/answers/detail/a_id/55096/~/scams%3A-how-to protect-yourself-from-scam-calls-and-phishing-emails
Thoughts to arm consumers and businesses to protect themselves against Vishing
The golden rule is to never trust the number you are being called from as it can be spoofed so easily. If you receive a call and are asked to take any form of action, especially if it involves money or to provide personal/sensitive information then politely hang up the call.
The next step is to verify the number from a known, trusted source such as the company’s website or the back of your credit/debit card (assuming a bank or building society tried to call you.) Call the company listed - so that it is you that initiated the call.
IMPORTANT NOTE: If using a landline, always dial back from a DIFFERENT phone line as there is an attack where the original caller can hold the line open despite it appearing that they have hung up.
Some modern smartphones include technology that warns of a potentially spoofed incoming call.
Do not rely on the Caller ID or Phone number being presented to establish trust with the caller;
Limit the information shared about you online, for example by not sharing email or phone numbers on social media;
Trust no one online
Do not click on links, dial numbers or call back missed numbers that you do not recognise – instead always use a trusted source to obtain the correct number for the calling company: for example by using the number listed on their website; or use the number on the back of your credit card if the call involves your bank’;
Verify and Validate
If you suspect the call is fraudulent call the correct number back from a separate device, e.g. another mobile or landline.
Take your time to validate the caller’s identity - frequently fraudsters will use urgency to help progress their attack. A genuine caller will allow time for these checks to be performed, e.g. call back or additional verification for the customer.
If you like this blog post, find more content in our Glossary.