A Method of Social Engineering

The practice of Vishing (aka Voice Phishing) has been around for many years. Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be from a legitimate business. Over time, consumers have become complacent about sharing personal information over the telephone with companies they perceive to be legitimate. Criminals seize this opportunity to elicit information or influence an action by offering incentives such as tax refunds or rebates from service providers. In any of these examples, the consumer ends up losing money and the innocent brand impersonated in the attack has their reputation tarnished.

Common Vishing techniques

Wardialing

This is when the criminal uses an automated system to call specific area codes with a message impersonating local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit or debit card numbers, along with PIN codes.

Caller ID Spoofing

This is the practice of causing the telephone network to display a false number on the recipient’s Caller ID. A number of companies provide tools that facilitate Caller ID spoofing. VoIP has known flaws that allow for Caller ID spoofing. These tools are typically used to replace the Caller ID with that of a specific bank or credit union, or simply display the words “Bank” or “Credit Union”.

Social Engineering

Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Brand Impersonation by Phone

All of the unsolicited calls to general consumers are inevitably going to involve someone impersonating your brand. As this is a criminal activity your company and brand are innocent bystanders in this abuse. It will often continue without your knowledge until one of your valued customers brings it to your attention or posts it on a forum which you then see and can take action on.

How FraudWatch International combats Vishing

The FraudWatch International Security Centre is equipped with tools and processes which assist our highly trained personnel in identifying Vishing attacks for our customers. Any enforcement or takedown processes would typically involve our experts liaising with your legal team, the local law enforcement agencies and the carrier or service providers who are responsible for the telecommunications services used in the attack.