Vishing
Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company and been associated with a bill-payer. The victim is often unaware that VoIP makes caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer, all formerly difficult to abuse, widely available. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. When in doubt, calling a company's telephone number listed on billing statements or other official sources is recommended instead of calling numbers from messages of dubious authenticity.
There is technology that monitors all public switched telephone network (PSTN)-based traffic and can identify vishing attempts as a result of patterns and anomalies in call activity. One example is multiple calls from a limited set of Skype numbers to call centers.
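As an added illustration of the call-pattern monitoring described above (example code written for this page, not any carrier's or vendor's system), the Python below scans a few constructed call detail records for one source number placing many calls to call-center lines within a short window. The CDR layout (timestamp, source, destination, origin tag), the call-center number set, the ten-minute window and the three-call threshold are all assumptions made for the example.

```python
"""Call-pattern triage over call detail records (CDRs).

Example written for this page, not a carrier's or vendor's system. It looks for
the anomaly described in the text: many calls from a small set of source
numbers to call-center lines in a short time. The CDR layout (timestamp, source,
destination, origin tag), the call-center number set, the window length and the
call threshold are all assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-center numbers (the "protected" destinations).
CALL_CENTER_NUMBERS = {"+18005550199", "+18005550188"}

# Constructed sample CDR lines: ISO timestamp, source, destination, origin tag.
SAMPLE_CDRS = """\
2009-03-01T09:00:05,+15550001111,+18005550199,voip
2009-03-01T09:01:10,+15550001111,+18005550199,voip
2009-03-01T09:02:30,+15550001111,+18005550188,voip
2009-03-01T09:04:00,+15550001111,+18005550199,voip
2009-03-01T09:05:00,+15550002222,+18005550199,pstn
2009-03-01T09:06:00,+15550003333,+18005550199,voip
2009-03-01T09:15:00,+15550003333,+18005550199,voip
2009-03-01T10:00:00,+15550004444,+18005550199,voip
2009-03-01T11:30:00,+15550004444,+18005550199,voip
2009-03-01T13:00:00,+15550004444,+18005550199,voip
2009-03-01T09:07:00,+15550005555,+15551234567,voip
"""


def parse_cdrs(text):
    """Parse the constructed CSV-like CDR format into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, origin = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "origin": origin})
    return records


def flag_sources(records, call_centers, window=timedelta(minutes=10), min_calls=3):
    """Return {source: peak_count} for sources that place at least min_calls
    calls to call-center numbers inside any sliding window of length `window`.
    Calls to other destinations are ignored; three calls spread over hours
    are not an anomaly here, three calls within a few minutes are."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["dst"] in call_centers:
            by_src[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0          # left edge of the sliding window
        peak = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= min_calls:
            flagged[src] = peak
    return flagged


def targeted_centers(records, flagged):
    """Which destination lines the flagged sources hit (for the analyst)."""
    return sorted({r["dst"] for r in records if r["src"] in flagged})


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    hits = flag_sources(recs, CALL_CENTER_NUMBERS)
    print("flagged sources:", hits)                    # {'+15550001111': 4}
    print("lines targeted:", targeted_centers(recs, hits))
```

The sliding window is what makes this a pattern check rather than a plain count: the source with three calls spread across a morning is left alone, while the one that hits the call-center lines four times in four minutes is surfaced for review together with the lines it targeted.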
Example
- The criminal either configures a war dialer to call phone numbers in a given region or accesses a legitimate voice messaging company with a list of phone numbers stolen from a financial institution.
- Typically, when the victim answers the call, an automated recording, often generated with a text-to-speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.
- When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the keypad.
- Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account.
- The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.
Although the use of automated responders and war dialers is preferred by the vishers, there have been reported cases where human operators play an active role in these scams, trying to persuade the victims. According to a study conducted during 2009 on data collected from United States customers, the most recurrent words used in automated, recorded scams are different from those leveraged by human scammers. For instance, it is very frequent that automated voices contain words such as "press" (a button) or "number", while humans typically resort to more complex social engineering techniques.
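The 2009 observation above, that recorded scam messages lean on instruction words such as "press" and "number" while human callers do not, can be turned into a simple triage heuristic for an analyst reviewing call transcripts. The Python below is an added example written for this page, not code from the cited study: the two transcripts are constructed, the keywords beyond "press" and "number" are assumed additions in the same register, and the 5% threshold is an assumption.

```python
"""Lexical triage of call transcripts: recorded-message style vs human style.

Example written for this page, not code from the study it cites. The page
notes that automated vishing recordings lean on words like "press" and
"number"; this scores a transcript by how much of it is such instruction
vocabulary. The transcripts are constructed; the keyword list beyond
"press" and "number" and the 5% threshold are assumptions.
"""
import re

# "press" and "number" come from the page; "enter" and "key" are assumed
# additions in the same IVR-instruction register.
IVR_KEYWORDS = {"press", "number", "enter", "key"}

# Constructed transcripts, not real calls.
AUTOMATED = ("This is an important message about your credit card. Fraudulent "
             "activity has been detected. Press one now. Enter your sixteen digit "
             "card number followed by the pound key.")
HUMAN = ("Hi, this is Dave from the fraud team. We noticed something odd on your "
         "account and I just want to confirm a couple of details with you, is now "
         "a good time?")


def keyword_rate(transcript):
    """Fraction of word tokens that belong to the IVR instruction vocabulary."""
    tokens = re.findall(r"[a-z]+", transcript.lower())
    if not tokens:
        return 0.0
    hits = sum(1 for tok in tokens if tok in IVR_KEYWORDS)
    return hits / len(tokens)


def classify(transcript, threshold=0.05):
    """Label a transcript for analyst triage, returning (label, rate)."""
    rate = round(keyword_rate(transcript), 3)
    label = "automated-style" if rate >= threshold else "conversational"
    return label, rate


if __name__ == "__main__":
    for name, text in (("automated", AUTOMATED), ("human", HUMAN)):
        print(name, classify(text))   # automated -> ('automated-style', 0.143)
```

A rate rather than a raw count keeps long conversational transcripts from tripping the label on one stray "number"; the label is a prompt for a human listen, not a verdict, since the page also notes that human operators use subtler social engineering that this vocabulary check will not see.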
In a common variation, an email "phish" is sent instead of war-dialing: the victim is instructed to call the following phone number immediately, and credit card or bank account information is gathered.
Another variation encourages a victim to install scareware on an unrelated computer system at the same address as the phone connection.
External links
- vnunet.com story: Cyber-criminals switch to VoIP 'vishing'
- BBC News story: Criminals exploit net phone calls
- The Paper PC: Messaging Security 2006: Vishing: The Next Big Cyber Headache?
- The Register: FBI warns over "alarming" rise in american "vishing"
- Phone Phishing: Phone Phishing - The First Phone Phishing and Scams Report Site
- Anti Vishing: Anti-Vishing Video featuring excerpt from BBC Watchdog program