Vishing Attacks
When a fraudster uses an internet telephone service (VoIP) and makes the target reveal the sensitive personal/financial information, it is called Vishing, or Voice Phishing. It is a variant of Phishing attack. Fraudsters who do such fraudulent voice calls are called Vishers.
They create fake Caller ID profiles (‘Caller ID spoofing’) which make the phone numbers seem legitimate. The goal of vishing is very simple, either to steal money or identity, or both by instilling fear in individuals.
Also the fraudsters use social engineering tactics, psychological and social methods of manipulating or tricking users. They target the user’s emotions to make them provide information or to perform a specific action through fake calls or vishing attacks.
Ways in which vishing attacks take place
In this technique the fraudster may trick/manipulate the user into revealing sensitive information to commit financial frauds
- By spoofing the caller ID to make it appear to be from trusted source
- By making fake calls and convincing the users on various pretext such as
- Updating KYC
- Linking Aadhar
- Offering free gifts/lottery/prizes
- Customer service executive from bank/gas agency etc.,
- By asking the user to scan the bar/QR code to receive them money
- By getting the users to call the fake customer care numbers updated by them on google.
Few Types of vishing attacks
Type 1: Calling users on some pretext
User might get a call with a message such as:
- Your ATM card has been deactivated. Call back immediately to reset your card.
- Your account has been compromised. Please call this number to reset your password.
When the number suggested is dialed, you hear an automated recording that asks for sensitive information. The users are prompted to disclose card number, PIN, three-digit CVV etc., this data is used by the vishers to carry out illegal transactions from account.
Some types of voice phishing calls are even a hybrid where user will receive a call from an automated system that will then have a real person step in to take over the call.
Be Cautious and Don't trust caller ID - Just because caller ID displays a phone number or name of bank, it doesn't guarantee the call genuine.
Type 2: Impersonating the bank officials
In this case, the target receives a call from someone who says he is from bank. They may tell that there is a problem with account or with a payment from account. To correct the problem, they may ask the banking details. Once the fraudster gathers those details the visher can make an online transaction using their card details. Further they even ask for OTP to commit financial fraud.
Verify the caller details before proceed - Try to verify the details of the caller, don’t panic and jump into actions on the urgency stated by the caller.
Type 3: Request to download apps
The Visher will make a call and ask to download an app in a pretext to resolve an issue. They share a link to download some app. These apps may install malware/trojan to device or give a remote access of phone to the visher.
These apps may also capture keystrokes (while typing), and send them to the fraudster server. These details can be used to carry out transactions to steal money from the account.
Be suspicious of all unknown callers - User should be suspicious of phone calls as when they ask to download apps or seek remote access.
Type 4: Artificial intelligence/ Internet bot-based vishing calls called as deep fake
Voice phishing also targets businesses as well to get employees to provide sensitive information. A fraudster used voice generation software to impersonate officials voice and to transfer the money to a fraudster with the promise that the funds would be reimbursed immediately.
Ask questions and call them back - if someone is telling transfer money or asking for information, tell them will call them back to ensure are dealing with the right person.
Fake calls – Modus Operandi
- A fake phone call impersonating an authorized source/automated response VoIP
- Warning message to the user
- Asking about details
- Ask for OTP/PIN/financial details etc.,
Examples:
Fraudster calling the victim as IT officer
- The fraudsters contact the victim pretending to be calling from the Income Tax Dept. for depositing tax refund in the victim’s account.
- They ask victim for bank account details and gather financial information related cards, expiry data, etc.,
- The fraudster then tells the victim to share OTP sent on mobile for depositing the amount.
- Once the victim shares the OTP the money is deducted from their account.
Be aware of fake/fraudulent emails or calls
Warning signs to identify vishing attacks:
- When the calls have generic greeting, and the caller doesn’t know your name, it’s a warning sign
- Creating urgency for immediate action
- Using fear tactics
- Request for installing Anydesk/ Screen sharing/ third party app to connect to device
- Offering to help and asking for sensitive information like OTP, PIN, CVV etc.,
Dangers
- Financial loss
- Leak and misuse of Personal Identifiable Information (PII)
- Malware attack
- Account Hacking
- Unauthorized access to devices /data
Security Measures
- Never share OTP, PIN, CVV, Debit/Credit card details with anyone.
- Do not respond to any calls asking to confirm or share account/card/bank details that has been “stolen/lost” or encourage to reveal personal information in order to receive a prize/lottery/gifts/enhanced services/ updating KYC etc.,
- Do not call the numbers of service providers randomly found by google search as they can be fake numbers.
- Use the contact numbers available on authorized websites of the institutes/organizations/banks etc., only to contact customer care executives or service providers.
- In case of any incident user should also block the card or freeze the account in case changing the password is not feasible immediately.
- Users should routinely review bank and credit card statements for unexplained charges or inquiries that aren’t initiated by the user.
- Beware of calls asking to share personal information or asking to install any desk on the pretext of helping.
- Contact the bank and report about any untoward incident, in case of an issue.
For more details:
