V is for Vishing

First, a little background on the term vishing.  Vishing is a type of attack that combines voice (i.e. phone services) with traditional phishing techniques.  If you are unfamiliar with phishing attacks, please see my earlier article on this topic for a refresher.  Vishing has become more prevalent in recent years as VoIP services have made these attacks far cheaper to conduct and far less likely to get the perpetrator caught.  And not only have the attacks become more numerous, they are also becoming more sophisticated.

A traditional vishing attack usually starts with an email.  The email will appear to be from a banking institution or credit card company asking you to contact them by phone due to unauthorized charges, card/account reactivation or some other reasonable sounding explanation.  When you call the number provided you are typically greeted with an automated attendant that will request you to authenticate yourself by providing your card number, social security number and potentially other sensitive information.  Of course by doing so, you have just made yourself the future victim of credit fraud and/or identity theft.  Below is an example vishing email:

Recently these types of attacks have become even more complex.  They often leave out the email altogether and use either text messaging or actual phone calls.  The calls can appear to be from a local number even though they may originate from anywhere in the world thanks to the magic of VoIP.  Typically these calls will go to your voice mail, leaving you a message claiming to be from your banking institution and asking you to call them back using a number provided in the message.  When you call you will get the automated attendant asking for authentication via your card number, etc.  You may even be greeted by a real person who may or may not be knowingly involved in the scam.  Some people have been recruited to answer these calls on behalf of what they believe is an actual bank or credit card company, which makes the scam even more believable.

And if what I have described above was not alarming enough, vishing scammers have raised the bar to new heights of late.  To make their emails even more believable, vishers have been posting their fake telephone numbers alongside the names of legitimate businesses on bulletin boards and other web sites, in an attempt to associate those numbers with the customer support numbers of the banks they are targeting.  Combined with search engine optimization poisoning techniques, this can result in the fake number showing up as the top result in a Google search for the bank’s customer support information.  Thus if someone received a vishing email but was suspicious about the number and decided to perform a search to find the customer service number of their bank or credit card company, they very well may find the fake number listed first in their search results.  Obviously this would give them an erroneous sense of security in the validity of the email as well as the number they are calling.  Very clever indeed.

If you ever receive an email or call of this type, always go to the bank’s web site directly or look in the phone book for their number.  Don’t rely on a search and definitely don’t call the number in the email or voice mail.  It’s the wild west out there, so keep your guard up.
