If you thought there was only one kind of phishing attack, you’d be wrong. There are a handful of types and “vishing” is becoming increasingly common. To understand vishing, a definition of phishing itself is in order.
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Wikipedia quoting Handbook of Information and Communication Security.
Most of the time when we think about phishing we think about “electronic communication” as referring to email or the web. But there is another form of electronic communication fraudsters are using for phishing: voice telephone calls. That’s the “vishing”.
The idea behind vishing is virtually identical to traditional phishing – use social engineering to try to convince the victim to disclose potentially confidential information.
Some preparation is required: one can purchase lists of names and corresponding phone numbers on the dark web fairly inexpensively (or so I’ve heard). It is also easy to copy the look of a website using tools such as wget. A programmer can readily create a malicious backend for a website if the user interface has been copied.
Now consider the perpetrator making a phone call to the potential victim. He or she may call the potential victim directly or (and this seems to be a common characteristic of the attack) the caller’s “caller-id” information may be spoofed to be something the callee is likely to answer. That could be a bank, a large retailer, or a computer hardware or software company. I routinely receive calls to my cell where the caller-id matches my number’s area code and exchange. I generally ignore those calls as I suspect they may be vishing.
If the potential victim answers, the caller could explain (using the callee’s name, potentially) that there is an issue with an account so the business (a bank perhaps) has set up a special site to address it. The potential victim is directed to contact the site and change a password or answer a security question or two. This is not fundamentally different from an email phishing attack! There is the lack of a link to hover over to verify, but the caller can try to explain that away.
First and foremost, don’t go to the sites these people promote. If you need to change a password, follow a bookmark or type in the actual site URL.
As I mentioned above, I also generally avoid answering telephone calls when I do not know the number. There are a couple of exceptions to this (e.g. clients with many numbers), but I try to follow it as a rule.
Another option is to let everything go to voicemail – the attacker is less likely to be persuasive in a recording and may just decline to leave a message at all.
There will likely be over one and a half million unique phishing attacks this year alone. I cannot guess how many will be vishing, but it will likely be a significant amount, if the reports I have been reading are correct. Don’t be a victim: never go to a URL from a phone call or email; go to the official URL of the desired organization. Period.