VISHING 101

DEFINITIONS

WHAT IS VISHING?

Vishing (Voice Phishing) is a cyberattack technique used to extract sensitive or protected information from targeted victims through voice calls. The attacker(s) utilize a combination of social engineering tactics, spoofed (digitally altered) caller IDs, and personal information gained through public sources, social media, or harvested from prior data breaches to support their impersonation and manipulate the call recipient into a false sense of trust. When perpetrated on an employee or contact center agent (who may be particularly vulnerable when in a helpdesk, customer support, tech support, or accounts management position), the damage can be catastrophic: a resulting breach may bring loss of proprietary information, compromised customer personal identifying information (PII), hijacked accounts, financial theft, extortion, public relations fallout, and regulatory fines and/or class action litigation. Vishing attacks may target specific, high-value individuals or be part of a broader campaign of reconnaissance calling with the objective of finding, and compromising, any employee who takes the call.

HYBRID PHISHING/VISHING

This is a two-pronged spear-vishing approach using email and related live phone calls with duplicate messaging so victims are more likely to trust its legitimacy and level of urgency. The adversary, often working with a teammate, delivers an email to targeted employees with enough personal information to lend it credibility, and then follows that with an immediate phone call delivering the same message. An employee may be suspicious of one approach or the other, but when in combination, they provide a greater sense of legitimacy. Again, if a voice connection is made, the skilled criminal visher uses social engineering techniques to coerce the employee into divulging sensitive information and/or providing access to internal systems and data.

Callback Phishing

This is a hybrid, response-based callback phishing/vishing campaign that starts with an email blast to a targeted group with an urgent message that appears to be from a trusted source. The email includes a call-back number that, if used, connects the victim to an adversary’s co-conspirator call center agent trained to extract sensitive information from their victims. While employees have learned not to click on unfamiliar email links, and many know not to respond to requests from unsolicited callers, this scheme works because the target feels safer if the link is a phone number, not a webpage, and they are making, rather than receiving, the phone call.

AI-BASED VISHING

In this scenario, the criminal visher targets a specific internal group or demographic, usually starting with a robocall campaign carrying a pre-recorded message that has been AI-generated to match the voice of a trusted superior or colleague with an action request. Those who respond may be further targeted. This use of voice cloning (deep fake) technology is becoming more prevalent as user-friendly Generative AI applications are now readily accessible to the general public or sold in bootleg form through the Dark Web. The familiar voice not only gives the call greater credibility, but it may also evade detection by fraud prevention applications that depend on voice biometrics (analysis of audio qualities) to separate known callers from potential scammers. The continued advancement of GenAI technology gives rise to a whole new level of deep fake-enabled threats, including the capability for live vishing callers to transform their voice in real time to that of a trusted colleague or superior in order to convincingly engage and manipulate the call recipient.

Neighbor Spoofing & Enterprise Spoofing

These are two related types of illicit robocall campaigns using a spoofed (digitally altered) caller ID or Caller Name (CNAM) specifically modified to resemble a source familiar to the call recipient. The number or CNAM may be manipulated to resemble a familiar area code or business prefix number (“Neighbor Spoofing”). In this case, the recorded message might impersonate an internal source, such as a member of technical support or human resources, and request a call-back about a supposed issue that needs immediate resolution. The adversary can also modify the Caller Name (CNAM) to reflect an organization or agency familiar to the call recipient (“Enterprise Spoofing”) with a message requesting immediate call-back due to an urgent matter with, for instance, a corporate account, tax matter or legal issue. In either case, the criminal agent fielding any call-backs would then follow a script designed to extract personal information or login credentials.

Direct Call Enhanced by Social Engineering

An attack on a targeted individual from a live caller impersonating a trusted source. The threat agent uses personal information about their victim to boost credibility, then applies psychological manipulation to trick them into divulging protected information.

Vishing calls can also be perpetrated by an individual targeting specific employees that they have identified as particularly valuable conduits to internal systems or data. In these cases, the adversary, posing as a trusted internal source (technical support, human resources, upper management), has already armed him/herself with information about the targeted employee harvested from public sources, social media accounts, or purchased on the Dark Web, in order to establish credibility. They are skilled at impersonation and psychological manipulation (known as “social engineering”). Customer service and contact center employees are a favored target of these scammers, due to their mandate to answer calls and “need to help” mindset. New employees are also at risk as they are less familiar with organizational norms and players, and may be more deferential to a perceived superior. Remote workers, too, are attractive targets due to their physical isolation both from officemates and the protective barriers of corporate office firewalls.

Response-Based Vishing

An email appearing to be from a trusted source and including a call-back number that connects the victim to a co-conspirator call center agent trained to extract protected information from their target.

While employees have learned not to click on unfamiliar links and many know not to respond to requests from unsolicited callers, they may feel safer if the link is a phone number, not a webpage, and they are making, rather than receiving, the phone call. Per above, that phone call connects them to a criminal agent skilled at manipulative social engineering techniques designed to extract information that could provide access to the organization’s internal systems.

Spear Vishing

This term applies to a live call from a criminal impostor targeting a specific individual. The adversary is armed with personal information, not only about their target, but also about the person they are impersonating, to support the deception. A common example involves the attacker posing as IT technical support who tricks the victim into logging into a fake VPN page. Once the employee has logged in with their credentials, the adversary managing the fake page steals those credentials, logs into the actual corporate VPN, and either downloads as much internal data as possible or inserts network-destroying malware as part of a ransomware attack. Occurrences of this attack type have accelerated in response to the rise of a post-COVID, remote workforce that depends on VPN access to company networks. New employees who have little familiarity with their colleagues and who may be predisposed to comply with requests from superiors are particularly vulnerable to this type of attack.

Voice Spam

Voice spam is the blanket term for any sort of unsolicited or unwanted phone call, whether a simple nuisance or of criminal intent. Under the voice spam umbrella come many forms of nuisance calls, including telemarketing and computer-generated robocalls, as well as potentially dangerous scam and voice phishing callers intent on compromising human targets in order to steal data or funds.

Spoof Calls

A spoofed call carries a Caller ID that has been digitally altered to mask the actual source of the call. While sometimes used for legitimate purposes to protect the privacy of the caller, more often spoofed numbers are used by criminal impostors as part of their deceptions. In recent years the FCC has adopted a set of protocols known as STIR/SHAKEN designed to eliminate illicit robocalls using spoofed numbers, but cybercriminals continue to circumvent enforcement measures and the practice of illegal spoofing is still widespread.

Smishing

Smishing (SMS Phishing) is similar to vishing but perpetrated through text messages rather than phone calls. Smishing campaigns include text messages purporting to be from reputable companies used to induce individuals into revealing personal information, such as passwords or credit card numbers, either through a return text or by providing a click-to-call callback number.

Robocalls

Robocalls are auto-generated calls carrying a pre-recorded message. Appointment reminders, flight cancellations, and other informational calls are legitimate forms of robocalls. However, illegitimate players are leveraging Voice over Internet Protocol (VoIP) technology to generate thousands of robocalls to random numbers from an auto dialer using a spoofed (digitally altered) Caller ID. Their messaging, at best, is intended to elicit a purchase but, in growing numbers, is designed to lure the call recipient into a scam.

Autodial Robocall (Wardialing)

In this basic, automated vishing approach, the adversary, using a spoofed (digitally altered) Caller ID, delivers an urgent, pre-recorded message via auto-dialer to specific area codes or sequential numbers within the organization’s exchange range. The message appears to be from a trusted source such as a bank or government agency and includes a call-back phone number. If the recipient calls that phone number, they will be connected to a criminal call center agent. That co-conspirator, in turn, follows a script used to trick the caller into divulging protected information, such as system credentials or user information, or into taking actions such as transferring funds to a fraudulent, criminal account.
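As an added example (not part of this glossary or any vendor's product), the following Python runs over a few constructed call detail records (CDRs) and flags the two patterns described above: a sequential sweep of an organization's extensions from one caller ID (the wardialing pattern) and an inbound call whose caller ID sits inside the organization's own number block but arrives over an external trunk (the Neighbor Spoofing pattern defined earlier). The number block, trunk names, thresholds and records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical organization DID block: +1-555-867-0100 .. +1-555-867-0199
ORG_PREFIX = "+1555867"
INTERNAL_TRUNK = "internal-pbx"   # assumed name of the trunk carrying genuine internal calls

# Constructed CDRs: (timestamp, caller_id, called_number, ingress_trunk)
SAMPLE_CDRS = [
    ("2024-03-01T09:00:01", "+14045550123", "+15558670101", "external-sip"),
    ("2024-03-01T09:00:04", "+14045550123", "+15558670102", "external-sip"),
    ("2024-03-01T09:00:07", "+14045550123", "+15558670103", "external-sip"),
    ("2024-03-01T09:00:10", "+14045550123", "+15558670104", "external-sip"),
    ("2024-03-01T09:00:13", "+14045550123", "+15558670105", "external-sip"),
    ("2024-03-01T09:15:00", "+15558670150", "+15558670120", "external-sip"),   # "own" number from outside
    ("2024-03-01T09:20:00", "+15558670150", "+15558670121", INTERNAL_TRUNK),   # genuine internal call
    ("2024-03-01T11:00:00", "+12125550199", "+15558670130", "external-sip"),   # ordinary single call
]


def parse(cdrs):
    return [(datetime.fromisoformat(t), src, dst, trunk) for t, src, dst, trunk in cdrs]


def wardial_suspects(cdrs, window=timedelta(minutes=5), min_targets=4):
    """Caller IDs that hit >= min_targets distinct, consecutive org extensions within `window`.
    Returns {caller_id: size of the largest sequential run seen}."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in parse(cdrs):
        if dst.startswith(ORG_PREFIX):
            by_src[src].append((ts, int(dst[len(ORG_PREFIX):])))  # extension as an integer
    suspects = {}
    for src, calls in by_src.items():
        calls.sort()
        for i, (t0, _) in enumerate(calls):
            exts = sorted({e for t, e in calls[i:] if t - t0 <= window})
            # a contiguous run: N distinct extensions spanning exactly N-1 steps
            if len(exts) >= min_targets and exts[-1] - exts[0] == len(exts) - 1:
                suspects[src] = max(suspects.get(src, 0), len(exts))
    return suspects


def spoofed_own_numbers(cdrs):
    """Calls whose caller ID claims to be inside the org block but entered via an external trunk."""
    return [(src, dst) for _, src, dst, trunk in parse(cdrs)
            if src.startswith(ORG_PREFIX) and trunk != INTERNAL_TRUNK]


if __name__ == "__main__":
    print("wardialing suspects:", wardial_suspects(SAMPLE_CDRS))
    print("spoofed own-block caller IDs:", spoofed_own_numbers(SAMPLE_CDRS))
```

Real deployments would read CDRs from the PBX or SBC and tune the window and threshold to normal call volume, since a legitimate caller returning several calls to a department can also touch adjacent extensions.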

Voice

The most common, powerful, and immediate medium for human-to-human communication through audible spoken language.

Voice Channel

The communication delivery path dedicated to transmitting human voice communications between distant parties, primarily via a phone connection.

VOICE NETWORK

The technology and infrastructure behind the voice channel used to digitalize and transport voice calls and related data across distances. The voice network includes wireless, landline, voice over internet protocol (VoIP) and voicemail, along with related transport circuits, switches, and endpoints (analog and IP telephones, software-based soft phones, mobile telephones, etc.).

Telephony

The application of voice network infrastructure and technology to include electronic transmissions not only of voice, but other forms of digitalized communications including fax, text messaging, and video conferencing, through a range of devices (wired phones, mobile phones, computers etc.). Early telephony referred to voice and data communications carried over a wired, public switched telephone network (PSTN). Today, the integration of phone system software and computer systems (Voice over Internet Protocol) has led to what is more commonly referred to as Internet Telephony and is the foundation of most modern enterprise IT environments.

Telemetry

The automated collection, transmission, and measurement of data from remote sources in order to monitor performance, primarily of network systems and servers. Telemetry devices use communication systems to transmit their data back to a central location, where the analysis of that data is used to monitor the security, application health, quality, and performance of those systems.

SMS/MMS

Short Message Service (SMS) is a service that enables the sending and receiving of text-based messages between mobile devices or from a computer to a mobile device via the cellular network. SMS is a form of text messaging that is limited to text only. MMS (Multimedia Messaging Service) is an expansion of SMS capabilities to include the transmission of text, photos, video, and audio files between mobile devices through the cellular network.

VOIP

Voice over Internet Protocol (or voice over IP) is the technology used to digitalize and transmit voice calls using a broadband Internet connection rather than traditional (analogue) phone lines. VoIP supports high quality, low cost, and highly scalable calling between remote locations and, in tandem with SIP signaling, is the foundation for today’s modern enterprise telephony systems. It is also the technology that has enabled the rise of mass robocall campaigns from untraceable overseas call centers, as well as the ability to “spoof” (digitally alter) the caller ID to mask the source of such calls.

SIP

Session Initiation Protocol (SIP) is a signaling protocol (set of rules) that enables the management of multi-media communications sessions (voice, video conferencing, and text chat/Instant Messaging) over the IP network. In the enterprise, SIP provides a direct connection between the organization’s IP Private Branch Exchange (PBX) and the public telephone network and is an essential component of a Unified Communications ecosystem.

SIEM

As a combination of Security Information Management (SIM) and Security Event Management (SEM), SIEM in the enterprise refers to an application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface. A SIEM system can apply advanced user and entity behavior analytics (UEBA) through AI and machine learning to detect anomalous behaviors within the monitored systems that could indicate system vulnerabilities or an emerging threat before that activity can advance into business disruption.

EDR

Endpoint Detection and Response (EDR) is an endpoint security solution that continuously monitors end-user devices to define, detect, and report on anomalous behaviors consistent with potential cyber threats using AI, machine learning, and pattern recognition.

NDR

Network Detection and Response (NDR) refers to a security system that continuously monitors network activity, applying behavioral analytics to network traffic data in order to detect, and report, anomalous behavior in real time.

XDR

Extended Detection and Response (XDR) integrates SIEM, NDR, and EDR into a single platform. XDR refers to the continuous monitoring of all data inputs/endpoints as well as activity within enterprise networks for anomalous behaviors. These systems trigger actions when suspicious activity is detected and run cybersecurity incident response playbooks enabling effective threat mitigation. XDR is a proactive approach that allows security teams to identify hidden, highly sophisticated threats by correlating data from multiple sources in order to support early detection and effective defense.

MDR

Managed Detection and Response (MDR) is a service in which a third-party provider takes on network monitoring and security management for the organization, delivering threat detection, incident response, and continuous monitoring and analysis of IT assets.