Security for everyone

Vishing Attacks: The Audio Face of Social Engineering

SecurityForEveryone

04/Mar/24

With the advancement of technology, cyber security threats have also diversified. Social engineering stands out among these threats because attackers target human psychology and need no coding knowledge to do so. "Vishing", that is, voice phishing, is one of the most deceptive and manipulative methods of social engineering.

What is the Definition of Vishing?

Vishing, derived from the combination of the terms "voice" and "phishing", is the name given to social engineering attacks carried out via telephone. In these types of attacks, fraudsters often reach their victims under false identities and persuade them to share personal, financial or security-related information.

What is the Purpose of Vishing?

The main purpose of vishing attacks is to get confidential information from the people targeted by fraudsters. This information is collected for direct financial gain, identity theft, or for use in broader fraudulent activities. 

Another purpose of vishing attacks is to manipulate you into doing something.

Why Do People Carry Out Vishing Attacks?

People who engage in vishing generally aim to achieve financial gain easily and quickly. They seek to make high profits with little effort by exploiting people's sense of trust and vulnerabilities.

What is the Difference Between Vishing, Phishing and Smishing?

Vishing is fraud committed over the phone.

Phishing is an attack that usually occurs via e-mail and involves redirecting to fake websites.

Smishing is fraud attempts made through SMS messages.

All three methods use social engineering tactics, but differ in communication channels and implementation methods.

How Do Vishing Attacks Avoid Detection?

In vishing attacks, fraudsters often fake caller IDs or use anonymous numbers to avoid detection. They may use the names and terminology of legitimate institutions to avoid suspicion from victims.

Real Life Examples:

Possible vishing attacks you may encounter include:

Bank Fraud: Victims are called by people claiming to be bank tellers. These people request the victim's account number, password or credit card information under the pretext of a security check or account verification.

Technical Support Trick: Attackers may call you claiming there is a problem with your computer. In the process of "fixing" the problem, they may install malicious software on your computer or obtain your personal information.

Investment Scams: Fraudsters who promise high returns by offering investment opportunities may deceive victims who hope to make quick and easy money. These types of vishing attacks are especially common during times of economic uncertainty.

We would also like to share a real incident. According to the linked news report, at the beginning of last year a manager working at Centennial Bank, based in the United Arab Emirates, received a call from a criminal whose voice he took to be that of a company manager he recognized. Claiming that his company was about to make an acquisition, the caller requested that the bank allow transfers of $35 million. A lawyer named Martin Zelner was hired to coordinate the procedures, and the bank manager was able to see emails from Zelner in his inbox and confirm what amount of money was required. The bank manager made the transfers, thinking everything looked legitimate.

What Are the Signs of Vishing?

Immediate action requests: Vishing fraudsters describe a scenario and suggest some actions that need to be taken "immediately".

Insistence that personal information should be shared immediately: While vishing, attackers insistently try to keep you on the phone and make you think that they need to get the information immediately.

Difficulty verifying the identity of the caller: Vishing attackers cannot provide authentication information. For example, an attacker who says he is calling about a problem in your internet connection will not be able to verify your last bill amount or subscriber number.

What Should You Do If You Experience a Vishing Attack?

  • Cease communication immediately and do not give any information to the caller.
  • Take note of the details of the call and contact the relevant institution and report the situation.
  • Review any suspicious financial transactions with your bank.

Prevention Methods

There are a few basic precautions that can be taken to protect against vishing attacks:

Increase Security Awareness: Be suspicious of incoming calls, especially when they request personal or financial information.

Limit Information Sharing: Never share personal information over the phone, especially if you do not know the caller.

Verify: In case of requests from people claiming to be calling on behalf of institutions, verify the situation by ending the call and calling the official number of the relevant institution yourself.

Use Security Software: Add an additional layer of protection against potential malware by using security software on your phone.

Information and Training: Especially for organizations, it is important to educate employees against vishing and other social engineering tactics.

Conclusion

Vishing attacks have a particularly insidious place among the threats brought by modern technology. The strongest defense against such attacks is to be aware and stay alert to potential dangers. Being prepared for the psychological tactics used by fraudsters is key to protecting our personal and financial security. Therefore, it is of great importance to be informed about vishing and similar social engineering attacks and to keep this information up to date.
