Vishing Explained: How Voice Phishing Attacks Scam Victims

Jun 1, 2020 CSO

Vishing (voice phishing) is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone.

What is vishing?

Vishing is a form of attack that attempts to trick victims into giving up sensitive personal information over the phone. While that makes it sound like an old-fashioned scam, vishing attacks have high-tech elements: they involve automated voice simulation technology, for instance, or the scammer may use personal information about the victim harvested from earlier cyberattacks to put them at ease.

No matter what technology is used, the setup for the attack follows a familiar social engineering script: An attacker creates a scenario to prey on human emotions, commonly greed or fear, and convinces the victim to disclose sensitive information, like credit card numbers or passwords. In that sense, vishing techniques mirror the phishing scams that have been around since the 1990s. But vishing calls exploit the fact that we’re more likely to trust a human voice — and may target older or less tech-savvy people who have no experience with these types of scams.

Vishing statistics

These notable numbers offer a sense of the state of vishing and why it can be a lucrative business for attackers.

  • Vishing attacks have been on the rise over the past few years. In 2018, scam calls represented nearly 30% of all incoming mobile calls.
  • So it shouldn’t come as a surprise that this weird term is starting to be more widely recognized. Proofpoint’s 2020 State of the Phish report found that 25% of workers in their worldwide survey could correctly define the term.
  • 75% of scam victims report that vishers already had some personal information about them, which they used to target them and get yet more information.
  • Of people who report government imposter vishing scams to the FTC, only 6% had actually lost money — but those who did lost quite a bit, with the median loss being $960.

Vishing vs. phishing vs. smishing: What’s the difference?

Phishing is the granddaddy of them all, and CSO has a complete explainer with all the details, but in essence it involves sending targeted email messages to trick recipients. “Phish” is pronounced just like it’s spelled, which is to say like the word “fish” — the analogy is of an angler throwing a baited hook out there (the phishing email) and hoping you bite. The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.

Vishing is, essentially, phishing via phone calls. Just as phishing is considered a subset of spam, so vishing is an outgrowth of VoIP spam, also known as spam over telephony, or SPIT. The term “vishing” itself has been around since the late ’00s.

“Smishing” is a similar type of attack that uses text messages instead of emails or voice calls; the word is a portmanteau of “SMS” and “phishing.” For more on smishing, check out our explainer on the subject.

Vishing techniques

Almost all vishing attacks have a few things in common. The phone calls are initially placed via voice over IP (VoIP) services, which makes it easier for the vishers to automate some or all of the process and harder for victims or law enforcement to trace the calls. And the attackers’ ultimate goal is to profit from you in some way — either by harvesting bank account information or other personal details they can use to access your bank accounts, or by tricking you into paying them directly…