The Tech Grinch Blog

Caught A Vish

Posted by Autodata on Mar 11, 2020 10:30:13 AM

Advances in modern technology have created a playground for cyber criminals. Despite being invaluable to most of us, technology also presents multiple avenues to defraud individuals. One of these avenues is vishing.

In 2019 the FBI reported that vishing represented 24% of all attacks [1]. It has been identified as one of the most successful methods of cyber breach, estimated to total a loss of $46.3 billion a year [2].

What is vishing exactly? Vishing is essentially a social-engineering technique [3]. The term “vishing” is derived from “voice phishing” [4] and is defined as a phishing attack conducted by phone, often targeting users of an internet telephone (VoIP) service [5]. Vishing attacks are used to steal information or extort money [3] and can be carried out in a number of ways:

1. A call targeting the helpdesk or customer service employees within an organisation; during the call the criminal may pretend to be a customer or tech support in order to gain information [2].
2. A call regarding a free prize you have supposedly won; to claim it the cybercriminal will tell you that you need to pay a shipping, tax or redemption fee, and you are then prompted to reveal your card number or other confidential details over the phone [6].
3. A call offering you a direct loan after you have been searching for loans online; the criminal will ask you to pay an upfront fee to receive the loan [7].
4. A text, letter or email from a cybercriminal pretending to be from your bank or fraud-prevention team, prompting you to call a specific number. The number provided will redirect you to your bank but give the criminal access to record your call. After hearing your security details, they will have access to your accounts and be able to transfer money out. This is called a “man in the middle” vishing scam [8].

Can ‘vishing’ calls be recognised with caller ID? Not always: vishing attacks will often spoof legitimate numbers to make you think the call is coming from a trusted source [3]. This adds a faked layer of supposed authenticity designed to lull the victim into a false sense of security. Financial Fraud Action UK has found that one in twenty-five adults in the UK may have been a victim of vishing, and that 43% of these victims are over 50, proving anyone can be a victim [9]:

• In 2015, a CFO from Fortelus Capital Management, a London hedge fund, lost the business $1.2 million through mistakenly thinking a scammer was a bank representative and giving the caller access to their bank accounts [2].
• In 2019, a fake Apple Support scam (appearing on caller ID as “Apple Inc.”) called users to say their Apple ID or iCloud account information had been compromised [10].
• In 2019 Nikkei, the Financial Times giant, wired £22.5m to a fraudster who contacted an employee of its US subsidiary and pretended to be a management executive to authenticate the fraudulent transfer request [11].
• In 2019, AI-based ‘deep fake’ technology was used to successfully dupe the CEO of a UK-based energy firm into transferring $243,000 to a fraudulent account. The CEO received a call that he believed to be from the Chief Executive of his subsidiary’s German parent company, saying that a Hungarian supplier needed to be paid immediately. Once the money was transferred into a Hungarian bank account, it was moved to Mexico and distributed to a number of other locations by the cyber criminals [12].

Often the risk of an attack lies with an end user lacking knowledge of the threat. When Proofpoint asked 1000 end users in the UK what vishing was, 63% responded that they did not know [13]. Vishing is a highly successful crime because victims do not have time to think the situation through during the call and often unknowingly reveal information mid-conversation. Bearing this in mind, how do we thwart vishing attacks?

We are all often guilty of being too busy to pay attention to detail, but this is where the weakest link exists. A cybercriminal takes advantage of human error and will often use familiar details to lower an individual’s guard and gather the information they need. To prevent this, it is best practice to provide your users with the training necessary for them to identify fraudulent calls and reduce the risk of anyone revealing sensitive information.

The vast majority of vishing attacks are carried out by bots before transferring directly to a call centre manned by the cyber criminal. There are legitimate call registry services you can sign up to that prevent your number from being called; one of them is the TPS. If you naturally get a fair few spam “have you been in an accident” calls without being vished, it would also be beneficial to sign up.

Googling an unsaved number is often beneficial, as the majority of the time it will bring up a number of websites that collect complaints from individuals who have also been targeted by a cyber criminal using that number. It is also good practice not to redial numbers but instead to call the correct number for that company or individual directly and double check whether the message received is legitimate. That way you avoid interacting with a cyber criminal and can verify the problem.

Training and educating users is advantageous in preventing an attack. If you carry out vishing tests within your organisation you will be able to test your end users’ responses, allowing them to understand what a vishing attack may sound like and giving them the knowledge and tools to prevent a future attack.


If you need to report a suspicious call or any other type of cybercrime you can do so by contacting Action Fraud. If you would like to protect yourself or your business against vishing, please get in touch.
