Vishing

At Social-Engineer, we define vishing as the practice of eliciting information or attempting to influence action via the telephone. Vishing, also known as voice phishing, is a dangerous attack vector. In fact, according to a recent report from the Federal Trade Commission (FTC), the phone is the top way that scammers reach us. And when scammers contact us by phone, they have a high success rate. In 2021 alone, TrueCaller reports that Americans lost $29,800,000.00 to phone scams.

The goal of vishing is to obtain valuable information, contributing to the direct compromise of a target. Attackers may “spoof,” or fake, their outgoing phone number to add authenticity to their attack. Additionally, some bad actors may use voice changers to conceal their identity. They may also use artificial-intelligence based software to mimic authentic voices. In their attacks, bad actors may pose as an authority figure, technician, or fellow employee. In this article, we’ll look at social engineering tactics that malicious actors use, examples of vishing attacks, and how adversarial simulators use vishing in security audits.

NOTICE: Never use this information to perform illegal acts! The purpose of the Social Engineering Framework is to help ethical social engineers learn the skills they need in their adversarial simulation jobs. We also discuss these details to educate organizations about possible social engineering attacks. This will help organizations decide which services may help them defend against these attacks.

Vishing Frontline Employees—Customer Service Representatives, Help Desk and Tech Support Personnel

Criminals often seek out customer service representatives (CSR’s) and help desk/tech support personnel, because their “help” training make them vulnerable to vishing attacks.

Vishing
Image: Microsoft 365 Blog

Attackers usually obtain phone numbers from an organization’s website, in addition to any specific routing emails used for customer support. Criminals can also cull company information from social media platforms and other open-source intelligence gathering (OSINT). Attackers may call from a spoofed, blocked, or private phone number. These attackers may try to gain the following information:

    • Email address,
    • Manager name/contact information,
    • Company hierarch information,
    • Direct phone numbers,
    • Employee titles and/or ID’s,
    • Addresses,
    • Social Security numbers,
    • User credentials, or
    • Any information about the technology or processes a company uses.

Of course, this is not a complete list. There may be other data that malicious attackers may target.

With the information that they obtain, criminals may impersonate in-house tech support to target a company’s employees. They may use real or made-up network speed issues, or problems with badging. They’ll use technical jargon to convince the employee that it’s “ok” to supply their company ID or badge number, first and last name, job title, and even social security number.

Vishing and Social Engineering Tactics

When malicious actors call, they often employ social engineering tactics to trick their targets into giving away sensitive information. Let’s look at a few of these tactics in more detail.

Deliberate False Statement

In a deliberate false statement, a bad actor knowingly says things that are not true. This is done so that the employee they are targeting feels compelled to correct the statement. In doing so, the employee unwittingly supplies information that the bad actor can now use to craft an attack. For example, a bad actor may say “I have your primary email address listed as [email protected].” Many times, a person’s initial reaction is to correct the false statement saying, “No, it’s [email protected].”

Influencing Emotions

Malicious attackers may create scenarios to elicit emotions such as fear or curiosity, as well as sympathy and helpfulness; emotions which are often intertwined. For example, a malicious attacker may begin the phone call with the statement, “I really need your help,” or, “I’m hoping you can help me.” The target feels sympathy, relating to the feeling of needing help, and now wants to be helpful. Though simple, this tactic is remarkably effective. You can watch a professional social engineer use this tactic to raise awareness of its effectiveness here.

Quid Pro Quo

A malicious attacker may also use a tactic known as quid pro quo. This is a Latin phrase which basically means giving something to get something in return. In a vishing attack, a malicious attacker may use this tactic by offering IT (Information Technology) help in order to get user credentials. For example, a malicious attacker may call all the direct phone numbers of a company that they find. They’ll impersonate IT personnel and offer IT help to each target. If just one employee needs help and gives their credentials in order to receive it, the bad actor is successful.

The Mumble Technique

The mumble technique is exactly what it sounds like. A bad actor mumbles a response to a question in hopes the call center agent will allow it to suffice. Criminals may also use the mumble technique to impersonate an impaired customer or as a person calling on their behalf. In this report, online information brokers used the mumble technique to successfully target employees of Verizon Wireless. The result? The online brokers were able to obtain thousands of private cell phone records which they then sold.

In addition, many bad actors leverage rapport building techniques. You can read about those techniques, as well as dive deeper into tactics we have already discussed here.

Vishing Examples

Below, we list a few examples of recent vishing attacks. Notice how malicious actors use social engineering tactics, along with technology, to influence their target and appear legitimate.

Twitter

In the summer of 2020, Twitter became the target of a coordinated vishing attack. By impersonating internal Twitter employees, attackers made vishing calls to Twitter’s tech support and consumer services employees. The attackers’ instructions were simple, “we need you to reset your password.” A few employees were duped and followed the instructions. As a result, attackers gained valuable credentials such as usernames, passwords and multi-factor authentication codes. With these credentials, the attackers could now access the Twitter’s back-end and start collecting information. Ultimately, this vishing attack led to the hijacking of high-profile Twitter accounts.

GoDaddy

In a 2020 report by Brian Krebs, GoDaddy support employees apparently became the target of a vishing attack. During the attack, bad actors were able to assume control of at least a half-dozen domain names, including the transaction brokering site escrow.com. According to Krebs’ report, the attack on escrow.com redirected to an IP address in Malaysia that hosted other domains, including the phishing website servicenow-godaddy.com. This suggests, according to Krebs, that the attackers behind the incident succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.

Artificial Intelligence (AI) Used to Mimic CEO’s Voice

In 2019, the CEO (Chief Executive Officer) of a U.K.-based energy firm thought he was speaking to the CEO of the firm’s German parent company. What convinced him? He recognized his boss’ slight German accent and the melody of his voice on the phone. In this situation, impersonating an authority figure, and using AI to mimic his voice, gave the attacker enough credibility to extract $243,000 from his target. You can read more about it here.

COVID-19

The fear, anxiety, and uncertainty around COVID-19 supplied the perfect cover for vishing scams. COVID-19 contact tracing and testing scams dominated the landscape for 2020 and 2021. As reported by First Orion, phone scammers were able to get 270% more personal information in 2020 than they did in 2019.

Tech Support

In 2018, people reported losing over $55,000,000 in tech support scams according to the Federal Trade Commission (FTC). Which companies are impersonated most often? The well-known giants Apple and Microsoft.

Apple

In 2019, this vishing scam targeting iPhone users started making the rounds. What made this vishing scam so dangerous? The scam begins with an automated call warning of a data breach, no doubt instilling anxiety and/or fear in the recipient. In addition, the automated call displays Apple’s real customer support phone number and logo. Because of the high threat the scam poses, iPhone users are cautioned not to answer calls from Apple unless they have requested one using the official Apple online support page.

Microsoft

In the beginning of 2020, Microsoft announced the end of support for Windows 7. Using the quid pro quo tactic, criminals were quick to take advantage and start vishing for victims. Known as the “Expiring License” scam, criminals call to suggest upgrading to Windows 10 or simply to let you know that the license is expiring. Of course, their intent is anything but helpful. The goal is to gain remote access to victims’ computers and thereby access to banking information and login credentials.

Vishing and the IRS (Internal Revenue Service)

Vishing scams continue to top the IRS’ dirty dozen list of annual tax scams due to their pervasive and persistent nature. In the 2021 dirty dozen list, the IRS reports that vishing scams relating to federal tax liens are on the increase. What makes these scams so successful? First, malicious actors are targeting the natural anxiety and/or fear that most feel when interacting with the IRS. Second, they may use phone spoofing and refer to fake IRS badge numbers to make their calls seem legitimate.

Fortelus Capital Management, LLS

In July 2015, the CFO (Chief Financial Officer) of Fortelus Capital Management LLP, a London-based hedge fund, received a phone call just as he was about to leave the office for the weekend. The caller named himself as a financial representative from Coutts, the hedge fund’s bank. The caller told the CFO of 15 suspicious charges on the company’s account that should at once be cancelled. The CFO agreed to generate codes from the bank’s smart card security system to help the caller with the removal of the “fraudulent” charges. The CFO, thinking he had solved the problem, hung up shortly after 6 pm and left for the weekend.

The following Monday, when the CFO logged in to the company’s bank account, he discovered that £742,668 (that’s $1.2 million USD) had been withdrawn from the organization’s account.

Why Adversarial Simulators Use Vishing in Security Audits

Adversarial simulators primarily use vishing in security audits for the following purposes:

    • Simulated attacks are an effective way to assess vulnerabilities.
    • Extensive reporting provides actionable data about employee responses to various vishing attack scenarios.
    • Determining which departments or employees are most susceptible helps focus training efforts.
    • Development of a continuous assessment and training process can successfully combat vishing attacks.

Professional adversarial simulators use the following equipment and methods when simulating a vishing attack:

    • Phone line, land line, cellular phone, burner phone, or voice over internet protocol (VoIP) phone.
    • Spoofing technology—software, service or self-served.
    • Pretext—know who you are impersonating so that you are comfortable conversing and answering questions.
    • Flag/goals—know what information you need to obtain and the questions you can ask to elicit that information.

Vishing attempts are difficult to monitor and trace, and attackers are increasingly using this attack vector to extract information and compromise organizations. Employees in customer service, sales and HR (Human Resource) departments are highly vulnerable to these types of attacks. Security audits that include simulated attacks using live vishers, such as the Managed Vishing Service, are an effective way to assess vulnerabilities. Indeed, the best way to ensure lasting behavioral change is to teach employees how to recognize and respond to vishing threats. After all, it only takes one vishing attack to potentially devastate an entire company.