What is Vishing in 2024?

A cyber threat made far worse by Generative AI, and by a persistent failure to acknowledge a very real threat vector.

In an FBI alert from 2017, Dan Larkin, then Chief of the Cyber Initiative and Resource Fusion Unit, explained the difficulty his unit was having in bringing public awareness to an emerging and disturbingly more virulent form of phone scam. While the cybersecurity community had already coined the term “vishing” (voice phishing*) to distinguish these voice-based attacks from their email phishing counterparts, efforts to quantify occurrences were muddled, due in large part to a lack of consistent terminology.

“A lot of would-be victims are reporting this as SPAM or phishing,” he noted. “But we know it’s out there. It’s happening.”

It is, indeed, happening still, and at an increasingly rapid pace.

Welcome to the State of Vishing Circa 2024.

Vishing 101, a Refresher

Like email phishing (phishing) or SMS phishing (smishing), vishing (voice phishing) is a cybercrime tactic that uses a digital communication channel to remotely connect with, and coerce, unwitting human targets into a scam.

Instead of an email or website carrying malicious links, vishers perpetrate their schemes through a voice call. They are skilled at social engineering and psychological manipulation and often reinforce their deceptions with personal information harvested from social media or prior data leaks. The goal is to gain the victim’s trust and then trick that person into divulging otherwise protected information for criminal gain.

Account takeover, ransomware extortion, data exfiltration, fund transfers to illicit accounts – these are just a few of the lucrative deliverables at the end of a successful vishing attack.

Going for the Big Fish…a Threat to the Enterprise

In 2022, an estimated 68.4 million Americans fell victim to phone scams with losses totaling $39.5 billion. Yet, that pales in comparison to the annual $1.5 trillion netted by cybercriminals through attacks on businesses. According to TechRepublic, an individual threat agent can earn between $45,000 and $2.5 million per year just from the sale of data stolen in a successful breach. If the attack includes the deployment of ransomware, the payout may be in the tens of millions.

Whereas defrauding an individual might net a basic financial reward, a successful breach of a large, cash- and data-rich corporation is by far the more rewarding endeavor, as evidenced by a series of recent, highly publicized voice-based attacks on the likes of MGM Resorts, Robinhood, and Twitter (X). All succumbed to the tactics of skilled criminal voice phishers targeting staffers in order to gain access to internal accounts and systems.

These schemes resulted in ransomware extortion, data breaches, and the significant legal, financial, and reputational fallout that followed. MGM’s losses alone have topped $100 million to date, not including expected significant damages from ongoing class action lawsuits.

The growing public outcry from those whose personally identifying information (PII) has been exposed through such attacks has helped elevate public awareness, with the Securities and Exchange Commission (SEC) also stepping in to demand greater transparency around cyber-attack reporting from publicly-held organizations.

While such exposure is important, it’s clearly not going to stop highly-motivated threat agents from finding ever more insidious ways to breach their targets and evade detection.

Top Enterprise Vishing Schemes

Today’s vishing campaigns directed at enterprise targets come in many forms, but they usually involve a criminal caller posing as a person in need of assistance. To that end, the threat actor will most likely be impersonating a colleague/associate or customer. Following are some typical scenarios:

Posing as an IT associate.
These fraudsters exploit the assumed authority IT departments have over access and management of an organization’s internal systems and networks. A common ploy is to compel an employee to disclose personal passwords or credentials for VPN access. Ironically, the victim is likely being told by the hacker that such actions are necessary to thwart an imminent security threat.

Posing as a superior.
These attackers often target new employees who are more deferential to authority and can be easily identified through postings on their social media accounts. The threat agent poses as a superior in the organization and intimidates/compels the employee to take actions that, for instance, turn over funds or provide network-accessing credentials.

Helpdesk scam.
In this scenario, it’s the IT helpdesk associate who becomes the victim of the criminal visher posing as an employee or associate, calling for assistance with account access. If access is granted, the perpetrator may leverage that access to escalate the attack to higher value individuals in order to gain deeper penetration into the organization’s systems and networks.

Note that this was reportedly the scenario behind the 2023 MGM Resorts ransomware attack.

Callback vishing.
In this tactic, a vishing group delivers a recorded audio call to a range of employee exchanges. The caller ID is likely spoofed (digitally altered) to resemble an internal source. The recording carries an urgent message, often from a voice posing as a trusted source or executive, with a request to call back a specific number for details. Those who call back are connected to a co-conspirator agent trained to exploit the caller’s trust and extract data or network access information.

As a variation, vishing groups are using this tactic to flood healthcare organizations with auto-generated calls purporting to be from insurance companies or other agencies seeking account verification. These calls are reaching bedside phones of vulnerable patients who may be more easily conned into divulging personal information or fall into an extortion trap.

Customer Impersonation.
In these schemes, mostly inflicted on inbound call centers or financial institution support lines, the attacker poses as a customer calling for help with account access or IT support. The impostor has enough information harvested from both public and underground sources to pass common Knowledge Based Authentication (KBA) questions such as the last four digits of a Social Security number or mother’s maiden name, and is skilled at manipulating the helpful nature of their customer support victims. These attacks can result in an account takeover or access to an organization’s internal networks.

Note that contact centers, as the gateway to lucrative stores of data and financial resources, have seen a significant surge in vishing activity over the past several years. Likewise, financial institutions are reportedly receiving upwards of 700 cyberattack attempts per week.

Recent Developments Add Potency to Vishing Attacks – Vishing is now Big Business

Vishing today is no longer the act of a lone perpetrator. We now see full-scale, multi-department underground criminal organizations working as a coordinated unit in order to identify targets, carry out the attack, and extract protected information. Specific roles include specialists trained to:

  • Gather intel/personal data harvested from public sources, social media, or stolen from prior hacks;
  • Serve as Initial Access Brokers who probe potential organizations for network vulnerabilities and then sell that knowledge to hacking groups;
  • Provide IT telephony software support used to set up phony customer service lines, spoof caller ID, program auto-dialers and more;
  • Provide customized coding for malware used in a ransom attack;
  • Serve as rogue carriers supporting illicit calling campaigns carried out under the radar of government regulators;
  • Carry out the actual live call utilizing social engineering and psychological manipulation to extract compromising information from the call recipient;
  • Take over once a network breach is achieved in order to quickly exfiltrate data and/or deploy ransomware;
  • Act as negotiators for terms of payment in the event of a successful ransomware deployment.

Material for False Identities at the Fraudster’s Fingertips

Social media, in all of its forms, is a rich source of personally identifying information (PII) that account users are unwittingly providing to threat actors. Full names, birthdates, relatives’ names, work records, and job titles are all easily searched and harvested to reinforce a fake identity. And there is a good chance that anything not found on the Internet can be found for sale on the underground marketplace.

The past few years have seen an explosive growth of PII for sale on the Dark Web. Just this past March, telecom behemoth AT&T disclosed that more than 70 million records of current and former customer personal data, including names, addresses, Social Security numbers and passwords, had been leaked to the Dark Web, adding to the 8 billion stolen records already amassed from other hacks to date. As this stockpile continues to grow, it serves not only as a continued source of income for the hacking organizations feeding into it, but also as a valuable resource for criminal impostors.


The Weaponization of GenAI

Perhaps the most significant development impacting both voice threat tactics and voice threat defense is the sudden emergence of commercialized Generative AI (GenAI) software applications.

Synthetic content-generating platforms like ChatGPT have been touted for their promise to stimulate creativity, drive efficiency, and speed innovation. Now available to the masses in user-friendly formats, they also carry unforeseen consequences when criminal deceivers are given tools to quickly and easily create auto-generated social engineering campaigns with interactive scripts, deepfake videos, and voice clones to boost the effectiveness of their deceptions.

What’s more, easy access to these web-based applications has spawned a whole new generation of aspiring hackers eager to reap the benefits of cybercriminal activities with little risk, training or experience required. It is likely no coincidence that phone-based attacks have seen a whopping 1,265% increase since the 2022 launch of ChatGPT.

One Thing Has Not Changed: The Liability of the Breachable Human

There is one consistent element behind every successful breach enabled through vishing: The vulnerability of the human at the other end of the call.

Vishing is a crime of opportunity. And it is the human victims themselves who open the door to those criminal opportunists. Despite growing awareness of cybercrime threats, it appears human resolve is no match for the power of persuasion when wielded through the power of voice.

A joint study by Stanford University Professor Jeff Hancock and security firm Tessian found that 88% of data breach incidents are caused by employee mistakes. An IBM study puts it at 95%.

What’s more troubling, it appears many of these employee enablers recognize the potential threat but participate in risky behavior anyway. From Proofpoint’s 2024 State of the Phish survey of 7,500 working adults:

  • 71% report having engaged in actions that they knew were risky.
    Worse, 96% were aware of the potential dangers.
  • 58% of these users admitted they acted in ways that exposed them to common social engineering tactics.

The fact is, humans, particularly when under work pressures and performance measures, may choose expediency over caution when solving problems for their callers. While training is still important, it is clear that human nature makes for a flawed defense against the psychological power and technical sophistication of criminals who have mastered the voice connection as their secret weapon.

Vishing: What’s Ahead

Alarming as the evidence exposing vishing as a clear and growing danger is, the steady drumbeat of public exposures has at least brought vishing awareness to the forefront of public consciousness.

Forward-thinking organizations that recognize the unique challenges of the voice phishing threat should, therefore, be equally aware that an adequate defense must be launched from multiple angles and multiple disciplines combining both policy and technology.

No doubt employee training is still an important component of these organizations’ cybersecurity defense strategies. But with today’s fluid workforce combined with the ever-evolving threat landscape, a strategy based on using employees themselves as human shields is not only flawed – it’s dangerous – to the employees, to their organizations, and to the customers they serve.

Stop Vishing, Today! Enterprise Security Tools are Available.

With the current state of voice-based threats, organizations must now focus on building a technology-based front line of defense starting further up on the attack chain.

Just as developments like Voice over Internet Protocol (VoIP) and now GenAI underlie the sophisticated voice-based cyberattack tactics applied by today’s new breed of cybercriminals, they are also yielding new and more effective tools of defense. Voice signaling analytics, call pattern recognition, machine learning, AI-enhanced big data analysis – all now strengthen application-based firewalls like Mutare’s Voice Traffic Filter (VTF).

When applied at the network edge, VTF is capable of detecting, and deflecting, the vast majority of nuisance and malicious callers before they ever have an opportunity to impact network performance or reach, and potentially breach, a human endpoint.
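As an added illustration of the call-pattern-recognition approach described above, and of the callback-vishing pattern from the Top Enterprise Vishing Schemes section, here is a small Python scorer written for this article; it is not Mutare’s code and is no part of VTF. It assumes constructed call-detail records, an assumed internal DID block and assumed trunk names, and flags two defender-side signals: an outside trunk presenting one of our own caller IDs, and one outside number sweeping many extensions with short, recorded-message-length calls.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed enterprise DID block for this demo (constructed, not a real number range).
INTERNAL_DIDS = range(3125551000, 3125552000)
EXTERNAL_TRUNKS = {"sip-carrier-a", "sip-carrier-b"}  # assumed trunk names

def looks_internal(caller_id):
    """True if the presented caller ID falls inside the enterprise's own DID block."""
    digits = "".join(ch for ch in caller_id if ch.isdigit())
    return len(digits) >= 10 and int(digits[-10:]) in INTERNAL_DIDS

def analyze(records, window=timedelta(minutes=10), min_targets=5, max_dur=45):
    """Flag two callback-vishing signals in call-detail records: an external trunk
    presenting a caller ID from our own DID block (spoofed_internal), and one outside
    number hitting >= min_targets extensions with short calls in one window (callback_burst)."""
    spoofed, bursts = set(), set()
    short_calls = defaultdict(list)  # caller_id -> [(timestamp, called_ext)]
    for r in records:
        if r["trunk"] not in EXTERNAL_TRUNKS:
            continue  # internal legs cannot carry an externally spoofed ID
        if looks_internal(r["from"]):
            spoofed.add(r["from"])
        if r["dur"] <= max_dur:
            short_calls[r["from"]].append((datetime.fromisoformat(r["ts"]), r["to"]))
    for caller, calls in short_calls.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):  # sliding time window over this caller's calls
            while calls[end][0] - calls[start][0] > window:
                start += 1
            if len({ext for _, ext in calls[start:end + 1]}) >= min_targets:
                bursts.add(caller)
                break
    return {"spoofed_internal": spoofed, "callback_burst": bursts}

# Constructed sample CDRs: a six-extension robocall sweep, one spoofed-internal call, one genuine internal call, one ordinary outside call.
SAMPLE_CDRS = [
    {"ts": f"2024-03-04T09:0{i}:00", "trunk": "sip-carrier-a",
     "from": "+12025550199", "to": f"10{i}", "dur": 22} for i in range(6)
] + [
    {"ts": "2024-03-04T09:10:00", "trunk": "sip-carrier-b",
     "from": "+13125551500", "to": "1042", "dur": 61},
    {"ts": "2024-03-04T09:11:00", "trunk": "pbx-internal",
     "from": "+13125551500", "to": "1042", "dur": 300},
    {"ts": "2024-03-04T09:12:00", "trunk": "sip-carrier-a",
     "from": "+14155550123", "to": "1007", "dur": 240},
]
```

Running `analyze(SAMPLE_CDRS)` flags the sweeping number under `callback_burst` and the outside call presenting an internal DID under `spoofed_internal`, while the genuine internal leg and the ordinary outside call pass.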

Mutare’s Voice Traffic Filter can be deployed alone or in concert with other contact center/enterprise fraud-detection applications and platforms (on-premises or cloud-based) to create a synergistic wall of defense.

Note that the overarching construct for a multi-layered threat defense strategy will vary depending on the nature of the organization, its callers, and its IT infrastructure. It is no wonder businesses are struggling to reach consensus on voice threat defense, as there is scant precedent and little guidance.

Best Practices for Voice Cybersecurity

Mutare has taken the lead in releasing its Foundational Best Practices for Voice Cybersecurity.

This document taps into Mutare’s deep experience with enterprise voice network security and thought leadership. It clarifies the steps organizations must take to incorporate voice into their enterprise risk management strategies, with task details broken down by those business units most impacted: IT, Risk Management/Cybersecurity, and Contact Center.

The Foundational Best Practices for Voice Cybersecurity is part of Mutare’s mission, not only to empower better, safer enterprise voice communications through technology, but to also share our expertise accumulated in that process with our customers and the business community at large so that they, in turn, can do the same.

Learn more?

Click Here to learn about the second inaugural Vishing Awareness Week

Click Here to download Mutare’s fully-detailed Foundational Best Practices for Voice Cybersecurity

* “VoIP phishing” can also be used as an expanded term behind the “vishing” portmanteau.

VoIP, or Voice over Internet Protocol, is the technology used to replace legacy, wire-based analogue phone communications with modern, digital, Internet-based networks. While enabling high quality, high-scale, low-cost voice communications from anywhere in the world and from any Internet-connected device, this technology is also foundational to the emergence of illicit phone calling campaigns generated from untraceable sources under the anonymity of spoofed caller IDs – or, in a nutshell, Vishing.