The Authentication Reference


What is a Vishing Attack? [Definition, examples and protection tips]

Lately, the question “what is vishing?” is being asked more and more often. A vishing attack is a type of scam in which criminals contact a potential victim over the phone, pretending to be a company, and try to convince them to share personal information. A call is not always made right away; fraudsters often combine different “baiting” techniques to arouse curiosity or fear, or to gain the trust of the person on the other end of the line.

The word vishing is a mashup of “voice phishing” -- that is, a phishing attack carried out by voice. This does not mean that communication happens exclusively through phone calls; it is common for this type of attack to start with an SMS, for example. For this reason, many people confuse smishing with vishing. Although the goals are the same, the techniques used in each differ in some respects.

Differences between phishing, vishing and smishing attacks

The term phishing first came into use around 1990 to describe the “bait” fraudsters used to catch their victims on the Internet. Even today, the word is associated with social engineering-based scams -- that is, scams that try to manipulate people into falling into a trap.

With the evolution of cybercrime, the terms “smishing” and “vishing” have emerged, which can be classified as types of phishing. In the case of smishing, criminals send text messages to try to convince the victim to click on a malicious link or reply to the message by providing their details. The entire process is limited to exchanging text. 

In vishing attacks, there is voice contact at some point during the fraud attempt. The initial SMS only serves as bait, either to confirm that the number really belongs to someone or simply to induce a potential victim to call a number so the criminals can follow up with the attack.

Common vishing attack examples

To obtain victims' phone numbers, fraudsters use different methods. One is getting sensitive information from large data breaches, usually available on the dark web, or even from social networks and job sites. In these cases it is even easier to gain people's trust, since the criminal will have at hand data such as the victim's name, title and company.

Another common technique is sending text messages to random numbers. The messages usually ask the person to call the “company” or even offer the option to reply to something, such as “send 'STOP' if you no longer want to receive this message”. Once the person responds, the criminal has confirmation that the number is in use and is therefore a potential target.

Examples of vishing attacks include:

  • Alert from a financial institution

The fraudster calls the victim saying they are from their bank or another institution and informs them that there is a problem with their account or credit card. The false alert may also arrive by SMS initially, asking the person to call a number to resolve the issue.

  • Offers of investments and other financial solutions

Another tactic used in vishing scams is links offering the opportunity to pay off debts for less than the original amount, or to make investments that promise high returns. These “offers” are usually for a limited time, so the person must act immediately.

  • Social Security Number or Health Plan Request

In some cases, fraudsters try to convince their targets to share personal information such as their health plan number so that they can benefit from services. Scams in which criminals impersonate government agents, claim that the victim's social security number has been suspended, and ask them to confirm the number so it can be reactivated are also common.

  • Billing by a technical support service

This type of attack can occur by sending a link that opens a page claiming that a problem has been detected with your computer and that you need to call a number to receive technical support. Another common technique is for the criminal to call the victim directly, alert them to a supposed device failure, and say that the call is being made to help. At the end of the “service”, a fee is charged for repairing a problem that never existed.

How to prevent vishing attacks

The first step in protecting against vishing attacks is being aware of how they occur. Any unsolicited contact should be viewed with skepticism. Be especially wary of calls that come with special offers, and above all of any request for personal information.

When receiving any type of message stating that a phone number must be contacted, the best thing to do is first check whether the number really belongs to a legitimate company or institution. If the contact is made by phone right away, it is recommended to hang up, especially if the tone of the conversation conveys a sense of urgency, and to check official channels to confirm that the communication was in fact made by a trusted agent. Any offer that seems too good to be true should also be treated with suspicion.

Upon identifying a scam, the first actions to take are to report and block the number. If the victim has already provided financial information, it is essential to contact the bank and other institutions as soon as possible to inform them of what happened and request a new account number, cancellation of the card and blocking of any future fraudulent activity.

Vishing calls, smishing and phishing are all types of social engineering attacks intended to obtain personally identifiable information that enables fraudsters to gain access to a user's account. Protecting against account takeover is getting more challenging as fraudsters adopt increasingly sophisticated techniques to trick users into sharing account information. Incognia helps companies offering mobile apps to protect against account takeover by silently assessing device and location behavior in the background to detect anomalies that indicate high-risk logins requiring additional authentication steps.
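As an added illustration (not Incognia's code, and not a description of how its product works), here is a simplified risk-based login check of the kind the paragraph above describes: a new login is compared against the user's prior device and location history, and the result decides whether to allow it, monitor it, or require step-up authentication. All events, thresholds and the "impossible travel" speed limit are constructed sample values.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class LoginEvent:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: float  # unix seconds

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess_login(history, event, max_speed_kmh=900.0, trusted_radius_km=50.0):
    """Compare a login against the user's prior logins (oldest first) and return
    ("allow" | "monitor" | "step_up", reasons). Thresholds are illustrative only."""
    if not history:
        return "step_up", ["no prior history for this user"]
    reasons = []
    if event.device_id not in {e.device_id for e in history}:
        reasons.append("unknown device")
    last = history[-1]
    dist = haversine_km(last.lat, last.lon, event.lat, event.lon)
    hours = max((event.ts - last.ts) / 3600.0, 1e-6)
    if dist / hours > max_speed_kmh:
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
    if not any(haversine_km(e.lat, e.lon, event.lat, event.lon) <= trusted_radius_km for e in history):
        reasons.append("location never seen before")
    # Impossible travel alone, or two independent anomalies, is enough to demand step-up
    if len(reasons) >= 2 or any(r.startswith("impossible travel") for r in reasons):
        return "step_up", reasons
    return ("monitor" if reasons else "allow"), reasons

# Constructed sample history: two logins from the same device in Sao Paulo, an hour apart
HISTORY = [LoginEvent("alice", "dev-A", -23.55, -46.63, 0.0),
           LoginEvent("alice", "dev-A", -23.55, -46.63, 3600.0)]
SAME_DEVICE_NEARBY = LoginEvent("alice", "dev-A", -23.56, -46.64, 7200.0)      # expected: allow
NEW_DEVICE_KNOWN_PLACE = LoginEvent("alice", "dev-C", -23.55, -46.63, 7200.0)  # expected: monitor
NEW_DEVICE_FAR = LoginEvent("alice", "dev-B", 55.75, 37.62, 5400.0)            # Moscow 30 min later: step_up

if __name__ == "__main__":
    for ev in (SAME_DEVICE_NEARBY, NEW_DEVICE_KNOWN_PLACE, NEW_DEVICE_FAR):
        print(ev.device_id, assess_login(HISTORY, ev))
```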