Vishing is an Internet fraud method. Unlike phishing, it does not rely on e-mails or links to obtain sensitive information such as the victim's passwords or personal data, but on a personal conversation during a phone call. On the technical side, automated voice-over-IP calls with a falsified sender number (caller ID) are often used.
What is vishing?
The word “vishing” is formed from the English words “voice”, “password”, and “fishing”. Some sources instead name “Voice over IP (VoIP)” and “phishing” as its components. Vishing is an Internet fraud method based on a personal telephone conversation between the attacker and the victim.
The aim is to obtain sensitive information such as login credentials, passwords, account details, or other personal data of the victim in order to use it for fraudulent activities.
Unlike phishing, however, contact is not made via an e-mail or an Internet link but via a telephone call. Victims of vishing can be private individuals as well as employees or managers of a company. During the call, the person called is asked to provide sensitive data or to carry out transactions.
Attackers catch the victim off guard, invoke a position of authority, or build up subtle pressure. On the technical side, VoIP technology is often used: contact is established via automated VoIP calls with a falsified sender number.
The process and the different methods of vishing
Vishing combines technical manipulation with emotional influence. VoIP technology is well suited to calling a large number of telephone numbers automatically via a dialer at low cost. Only when someone answers does the attacker personally join the call.
With relatively little effort, the displayed sender number can be manipulated so that the call's true origin is concealed. In some cases, victims are targeted only after prior research, for example in social networks; the information gathered beforehand is then used to make the call appear more authentic.
Another vishing variant is the mass mailing of e-mails containing a telephone number, or the placement of a telephone number on web pages, with the victim asked to call it. Regardless of whether the victim calls or is called, the fraudster pretends on the phone to be, for example, an employee of the victim's bank, a support employee of a software company, or a sweepstakes representative.
The attacker points out a problem with the bank account, offers support for a technical problem, or announces a prize. The victim is asked to provide account details, install software on their computer, disclose sensitive data, or transfer a fee to claim the prize. Once the attacker possesses the data, it is used for fraudulent activities such as bank transfers or identity theft.
On the emotional side, the attacker uses methods during the call such as catching the victim off guard or building pressure by stressing the urgency of a problem.
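As an added example that is not part of the original article, the dialer pattern described above seen from the defender's side: a small Python routine scans inbound call records for one displayed caller ID sweeping many extensions within a short window with few calls answered, which is what an automated VoIP dialer leaves behind. The record format, the sample records and the thresholds are assumptions, not from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inbound call records (assumption: a PBX or SIP gateway
# exports displayed caller ID, called extension, start time and answered flag).
SAMPLE_CALLS = [
    # One displayed caller ID sweeps six extensions in about two minutes; one answers.
    {"caller": "+15550100", "callee": "+15552001", "start": "2024-05-01T09:00:00", "answered": False},
    {"caller": "+15550100", "callee": "+15552002", "start": "2024-05-01T09:00:20", "answered": False},
    {"caller": "+15550100", "callee": "+15552003", "start": "2024-05-01T09:00:45", "answered": True},
    {"caller": "+15550100", "callee": "+15552004", "start": "2024-05-01T09:01:10", "answered": False},
    {"caller": "+15550100", "callee": "+15552005", "start": "2024-05-01T09:01:30", "answered": False},
    {"caller": "+15550100", "callee": "+15552006", "start": "2024-05-01T09:02:05", "answered": False},
    # A legitimate contact calling the same person twice during the morning.
    {"caller": "+15550999", "callee": "+15552001", "start": "2024-05-01T09:05:00", "answered": True},
    {"caller": "+15550999", "callee": "+15552001", "start": "2024-05-01T11:30:00", "answered": True},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def dialer_bursts(calls, window=timedelta(minutes=5), min_targets=5, max_answer_rate=0.5):
    """Return {caller_id: stats} for caller IDs matching an auto-dialer sweep:
    at least `min_targets` distinct callees inside any `window`, and an answer
    rate at or below `max_answer_rate` (most dialer calls go unanswered)."""
    by_caller = defaultdict(list)
    for c in calls:
        by_caller[c["caller"]].append(c)
    flagged = {}
    for caller, recs in by_caller.items():
        recs.sort(key=lambda r: _parse(r["start"]))
        best = 0
        # Sliding window anchored at each call, counting distinct destinations.
        for i, first in enumerate(recs):
            t0 = _parse(first["start"])
            targets = {r["callee"] for r in recs[i:] if _parse(r["start"]) - t0 <= window}
            best = max(best, len(targets))
        answered = sum(1 for r in recs if r["answered"])
        rate = answered / len(recs)
        if best >= min_targets and rate <= max_answer_rate:
            flagged[caller] = {"targets_in_window": best, "calls": len(recs), "answer_rate": rate}
    return flagged


if __name__ == "__main__":
    print(dialer_bursts(SAMPLE_CALLS))  # flags only +15550100
```

Because the displayed number is falsified per campaign, a hit identifies a burst, not a person; it is a prompt to warn the called staff, not evidence about the number's owner.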
Protective measures against vishing
The following measures help protect against vishing:
- Treat unexpected telephone calls with healthy distrust
- Call back on a telephone number you have looked up yourself
- Never disclose sensitive data such as passwords or account details over the phone