vishing (voice or VoIP phishing)

What is vishing (voice or VoIP phishing)?

Vishing (voice or VoIP phishing) is a type of cyber attack that uses voice and telephony technologies to trick targeted individuals into revealing sensitive data to unauthorized entities. The data might include personal information, such as a Social Security number or details about a financial account, or it might be related to a business setting. For instance, cybercriminals might use vishing to get an employee to reveal network access information.

The term vishing is a portmanteau created from voice and phishing. It is typically considered a type of phishing, which itself is a type of social engineering. Vishing is concerned with voice communication, whereas phishing typically relies on email communication. Vishing attacks are carried out against both individuals and businesses, usually for monetary gain, although it might be motivated by other objectives, such as political, competitive or retaliatory activities.

what is social engineering
Vishing is a type of social engineering concerned with voice communication.

What happens during a vishing attack?

Scammers who carry out vishing campaigns use an assortment of tactics to get their targets to divulge confidential information. They might call their targets directly or leave voice messages. They might play recorded messages or speak directly to their targets. They might precede their calls with a text message or employ some other mechanism to bait the perspective victims.

For example, a scammer might send a text message to a potential victim's phone number, suggesting that there is a problem with the person's bank account. This is followed by a voicemail message stating that the victim's bank account experienced suspicious activity and is now locked down. The message then instructs the victim to call a specific telephone number and provide information to "verify the customer's identity" or to "ensure that fraud has not occurred."

Vishing scammers commonly try to instill a sense of urgency or veiled threat when communicating with their victims. They use fear, excitement, greed and other emotional responses to get their victims to reveal confidential information before they have time to consider what they're doing. To this end, the scammers employ a number of techniques, such as the following:

  • They say they're calling from a financial institution, such as a credit card company, and there is a problem with the customer's account that requires immediate action.
  • They offer an exciting opportunity, such as an interest-free credit card or highly discounted merchandise, but the victim must act immediately to lock down this deal.
  • They impersonate a government agency, such as the Centers for Medicare & Medicaid Services or Social Security Administration, claiming that that there is a problem with the victim's account, such as money being owed, and that the individual must call immediately to resolve the issue.
  • They claim to be technical support technicians who are calling about an issue with the victim's system or service, indicating that it could lead to a more serious problem if not resolved immediately.
  • They tell the victim that a car warranty -- or warranty on something else -- is about to run out and the victim needs to act immediately to extend that warranty.
  • They announce that the victim has won a cash prize, but they need additional information for the victim to claim that prize.
Top cybersecurity training topics

These scams are only some of the ways that vishing is carried out. Cybercriminals use any available method to get their victims to reveal confidential data, and they go after anyone who can help them get that information, whether the victims are at home or in a corporate setting. Scammers have become quite savvy and sophisticated when carrying out these scams, and even the most tech-wary individual can get be victimized.

To make matters worse, cybercriminals are now executing more targeted attacks, using information that they gathered in advance to convince the victim of their authenticity. For example, the scammers might purchase confidential data on the dark web or from other sources, or they might conduct online searches about their potential targets, often gathering a significant amount of valuable details. The scammers then use this information to make themselves sound more credible when communicating with their victims and subsequently getting them to reveal even more secure information. A more targeted approach is often used when vishing people in business settings.

How do scammers carry out vishing attacks?

Today's technologies make it possible for cybercriminals to conduct massive vishing campaigns. One of the most important technologies is voice over IP (VoIP), a telecommunications system that uses high-speed IP networks to facilitate voice exchanges. Although VoIP is used extensively for legitimate business, cybercriminals are also taking ID spoofing advantage of the technology and its many features. With VoIP, they can carry out attacks without being detected, automate much of their operations and hide their locations or even keep moving locations.

Cybercriminals also use caller ID spoofing, the process of manipulating the displayed caller IDs to impersonate a legitimate source, such as a bank or government agency. In addition, they've begun to use machine learning to incorporate voice cloning into their operations. Voice cloning is a technique for simulating the voices of people who their victims might recognize, making targeted attacks far more effective and difficult to detect.

Vishing based on VoIP is extremely difficult for authorities to trace, and when combined with voice cloning, it's even trickier to stop. Furthermore, cybercriminals often outsource their vishing scams to individuals or organizations in other countries, which can render sovereign law enforcement powerless. Even if this were not the case, those in other countries are also taking advantage of technologies such as VoIP, adding yet another layer of challenges.

Whether at home or at the office, individuals should be suspicious of any unsolicited phone calls or voicemail messages they receive, no matter who appears to be calling. They should be especially wary of calls or messages that convey a sense of urgency, try to instill fear, ask for personal information or attempt to get the victim to take an action, such as calling a specific number. The majority of today's government agencies and financial institutions have clearly stated that they never call an individual to ask for personal or account-related information.

In most cases, users who suspect that they're under a vishing attack should simply hang up. If they believe a response is warranted, they should call the public phone number for the named institution to verify recent activity and to ensure that the account has not been tampered with. They should not call any numbers that might have been provided, nor should they respond to any prompts, whether by speaking or pressing a button.

See eight remote access security risks and six types of insider threats and how to prevent them.

This was last updated in March 2023

Continue Reading About vishing (voice or VoIP phishing)

Dig Deeper on Collaboration and communication security