Voice phishing, or vishing, [1] is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.
Landline telephone services have traditionally been trustworthy: they terminated in physical locations known to the telephone company and were associated with a bill-payer. Now, however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information from individuals for use in identity theft schemes.
Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker; however, some use live callers. [1] Posing as an employee of a legitimate body such as a bank, the police, or a telephone or internet provider, the fraudster attempts to obtain personal details and financial information about credit cards and bank accounts (e.g. the PIN), as well as other personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. [2] Callers also often pose as law enforcement or as Internal Revenue Service employees. [3] [4] Scammers often target immigrants and the elderly, [5] who are coerced into wiring hundreds to thousands of dollars in response to threats of arrest or deportation. [3]
Bank account data is not the only sensitive information being targeted. Fraudsters sometimes also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc.
Audio deepfakes have been used to commit fraud by fooling people into thinking they are receiving instructions from a trusted individual. [6]
Common motives include financial reward, anonymity, and fame. [13] Confidential banking information can be used to access the victims' assets. Individual credentials can be sold to people who want to hide their identity while carrying out certain activities, such as acquiring weapons. [13] This anonymity is dangerous and can make the perpetrators difficult for law enforcement to track. Another motive is that phishers may seek fame within the cyber attack community. [13]
Voice phishing comes in various forms, each with its own methods and operational structure. Usually, scammers employ social engineering to convince victims of the role they are playing and to create a sense of urgency that can be used as leverage against the victims.
Voice phishing has unique attributes that separate it from similar attack methods such as email phishing. With the increased reach of mobile phones, voice phishing allows the targeting of individuals who have no working knowledge of email but do possess a phone, such as the elderly. The historical prevalence of call centers that ask for personal and confidential information additionally makes it easier to extract sensitive information from victims, because of the trust many users place in someone they are speaking to on the phone. Through voice communication, vishing attacks can be personable and therefore more impactful than similar alternatives such as email. The faster response to an attack attempt, owing to the greater accessibility of a phone, is another unique aspect, in comparison to an email, where the victim may take longer to respond. [14] A phone number is difficult to block, and scammers can often simply change phone numbers if a specific number is blocked; they also often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb scam calls. [15]
A voice phishing attack may be initiated through different delivery mechanisms. [16] A scammer may directly call a victim and pretend to be a trustworthy person by spoofing their caller ID, appearing on the phone as an official or someone nearby. [16] Scammers may also deliver pre-recorded, threatening messages to victims' voicemail inboxes to coerce victims into taking action. [16] Victims may also receive a text message requesting them to call a specified number, and be charged for calling that number. [16] Additionally, the victim may receive an email impersonating a bank; the victim may then be coerced into providing private information, such as a PIN, account number, or other authentication credentials, during the phone call. [16]
Voice phishing attackers will often employ social engineering to convince victims to give them money and/or access to personal data. [17] Generally, scammers will attempt to create a sense of urgency and/or a fear of authority to use as leverage against the victims. [16]
Voice phishing attacks can be difficult for victims to identify because legitimate institutions such as banks sometimes ask for sensitive personal information over the phone. [8] Phishing schemes may employ pre-recorded messages imitating those of notable regional banks to make them indistinguishable from legitimate calls. Additionally, victims, particularly the elderly, [8] may forget or not know about scammers' ability to modify their caller ID, making them more vulnerable to voice phishing attacks.
The US Federal Trade Commission (FTC) suggests several ways for the average consumer to detect phone scams. [22] The FTC warns against making payments using cash, gift cards, and prepaid cards, and asserts that government agencies do not call citizens to discuss personal information such as Social Security numbers. [22] Additionally, potential victims can pay attention to characteristics of the phone call, such as the tone or accent of the caller [8] [28] or the urgency of the phone call [22] to determine whether or not the call is legitimate.
The primary strategy recommended by the FTC to avoid falling victim to voice phishing is to not answer calls from unknown numbers. [9] However, when a scammer utilizes VoIP to spoof their caller ID, or in circumstances where victims do answer calls, other strategies include not pressing buttons when prompted, and not answering any questions asked by a suspicious caller. [9]
On March 31, 2020, in an effort to reduce vishing attacks that utilize caller ID spoofing, the US Federal Communications Commission adopted a set of mandates known as STIR/SHAKEN, a framework intended to be used by phone companies to authenticate caller ID information. [29] All U.S. phone service providers had until June 30, 2021, to comply with the order and integrate STIR/SHAKEN into their infrastructure to lessen the impact of caller ID spoofing. [29]
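The attestation and verification steps that STIR/SHAKEN adds, as a constructed Python model that is not part of the original article or of any carrier's software: an HMAC under a key shared by the two carriers stands in for the ES256 certificate signature real deployments use, and the phone numbers, key and freshness window are assumed.

```python
"""Simplified model of a STIR/SHAKEN PASSporT check. Assumption: HMAC-SHA256
under a key shared by the two carriers stands in for the ES256 certificate
signature real deployments use; claim names follow PASSporT/SHAKEN, but this
is a constructed illustration, not a conformant implementation."""
import base64, hashlib, hmac, json

IAT_MAX_AGE = 60  # seconds a PASSporT stays acceptable (assumed policy)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_passport(key, orig_tn, dest_tn, attest, iat):
    """Originating carrier signs the caller ID it verified (attestation A/B/C)."""
    header = {"alg": "HS256-stand-in", "ppt": "shaken", "typ": "passport"}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_call(key, token, presented_caller_id, now):
    """Terminating carrier decides whether the displayed caller ID can be trusted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):
        return False, "signature invalid"  # payload altered after signing
    payload = json.loads(unb64url(p))
    if not 0 <= now - payload["iat"] <= IAT_MAX_AGE:
        return False, "iat outside window"  # stale token, possible replay
    if payload["orig"]["tn"] != presented_caller_id:
        return False, "caller ID mismatch"  # displayed number is not the signed one
    return True, "attest " + payload["attest"]


def demo():
    """Genuine, altered, mismatched and stale cases with constructed numbers."""
    key = b"constructed-shared-key"
    token = sign_passport(key, "+15551234567", "+15557654321", "A", 1_000_000)
    h, p, s = token.split(".")
    altered = json.loads(unb64url(p))
    altered["orig"]["tn"] = "+15559999999"  # number changed without re-signing
    altered_p = b64url(json.dumps(altered, separators=(",", ":")).encode())
    return {
        "genuine": verify_call(key, token, "+15551234567", 1_000_010),
        "altered": verify_call(key, f"{h}.{altered_p}.{s}", "+15559999999", 1_000_010),
        "mismatch": verify_call(key, token, "+15559999999", 1_000_010),
        "stale": verify_call(key, token, "+15551234567", 1_000_500),
    }
```

The point the model makes is that a spoofed number can still be placed in the SIP headers, but the terminating side now has a signed claim to compare it against, so the mismatch is detectable rather than invisible.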
In some countries, social media is used to call and communicate with the public. On certain social media platforms, genuine government and bank profiles are verified, so an unverified profile claiming to be a government body or bank should be treated as a fake profile. [30]
The most direct and effective mitigation strategy is training the general public to understand common traits of a voice phishing attack to detect phishing messages. [31] A more technical approach would be the use of software detection methods. Generally, such mechanisms are able to differentiate between phishing calls and honest messages and can be more cheaply implemented than public training. [31]
A straightforward method of phishing detection is the use of blacklists. Recent research has attempted to make accurate distinctions between legitimate calls and phishing attacks using artificial intelligence and data analysis. [32] To further advance research in the fake audio field, different augmentations and feature designs have been explored. [33] By converting phone calls to text and analyzing it, artificial intelligence mechanisms such as natural language processing can be used to identify whether a phone call is a phishing attack. [32]
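The blacklist check and transcript analysis described above, combined with the warning signs the FTC lists (unusual payment methods, requests for Social Security numbers, urgency), as a constructed Python screening routine that is not from the article or from any cited research: the phrase weights, threshold, phone numbers and transcripts are all assumed, and the keyword scoring is a deliberately simple stand-in for the NLP models the research uses.

```python
"""Heuristic screening of transcribed calls: a caller-number blacklist
plus phrase scoring. Constructed illustration; the weights, threshold,
numbers and transcripts are all assumed, not taken from any real system."""
import re

BLACKLIST = {"+15550100001"}  # constructed number known to be abusive

# (regex, weight, reason): phrases drawn from the FTC warning signs above
SIGNALS = [
    (r"\b(gift cards?|prepaid cards?|money orders?|wire transfer)\b", 3, "unusual payment method"),
    (r"\b(arrest|warrant|deport\w*|frozen|suspended)\b", 3, "threat of authority"),
    (r"\b(social security number|pin|account number|password)\b", 2, "asks for credentials"),
    (r"\b(immediately|right now|within the hour|last warning)\b", 2, "urgency"),
    (r"\b(irs|social security administration|police|your bank)\b", 1, "claims official role"),
]
THRESHOLD = 5  # assumed: a score at or above this is flagged for review


def score_transcript(text):
    """Return (score, reasons) for one transcript; each signal counts at most twice."""
    lowered = text.lower()
    score, reasons = 0, []
    for pattern, weight, reason in SIGNALS:
        hits = len(re.findall(pattern, lowered))
        if hits:
            score += weight * min(hits, 2)
            reasons.append(reason)
    return score, reasons


def classify_call(caller_id, transcript):
    """Blacklist first (cheap), then content scoring of the transcript."""
    if caller_id in BLACKLIST:
        return "block", ["caller on blacklist"]
    score, reasons = score_transcript(transcript)
    return ("flag" if score >= THRESHOLD else "allow"), reasons


# Constructed transcripts; none is a real call.
CALLS = [
    ("+15550100001", "Hello, this is a courtesy call about your vehicle warranty."),
    ("+15550100002", "This is the IRS. A warrant has been issued for your arrest. "
                     "Pay immediately with gift cards to avoid it."),
    ("+15550100003", "Hi, your dentist appointment is confirmed for Tuesday at ten."),
    ("+15550100004", "Your bank here. Please confirm your account number and PIN right now."),
]


def screen_all(calls=CALLS):
    """Map each caller ID to its decision, for a dashboard or a test."""
    return {cid: classify_call(cid, text)[0] for cid, text in calls}
```

A legitimate bank call can also ask for an account number, which is exactly why the score combines several signals rather than blocking on any single phrase.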
Specialized systems, such as phone apps, can submit fake data to phishing calls. Additionally, various law enforcement agencies are continually making efforts to discourage scammers from conducting phishing calls by imposing harsher penalties upon attackers. [31] [29]
Between 2012 and 2016, a voice phishing scam ring posed as Internal Revenue Service and immigration employees to more than 50,000 individuals, stealing hundreds of millions of dollars as well as victims' personal information. [5] Alleged co-conspirators from the United States and India threatened vulnerable respondents with "arrest, imprisonment, fines, or deportation." [5] In 2018, 24 defendants were sentenced, with the longest imprisonment being 20 years. [5]
On March 28, 2021, the Federal Communications Commission issued a statement warning Americans of the rising number of phone scams regarding fraudulent COVID-19 products. [34] Voice phishing schemes attempting to sell products which putatively "prevent, treat, mitigate, diagnose or cure" COVID-19 have been monitored by the Food and Drug Administration as well. [35]
Beginning in 2015, a phishing scammer impersonated Hollywood make-up artists and powerful female executives to coerce victims into travelling to Indonesia and paying sums of money under the premise that they would be reimbursed. Using social engineering, the scammer researched the lives of the victims extensively, mining details to make the impersonation more believable. The scammer called victims directly, often multiple times a day and for hours at a time, to pressure them. [36]
The 2015 cyber attack campaign against the Israeli academic Dr. Thamar Eilam Gindin illustrates the use of a vishing attack as a precursor to escalating attacks that use the information coerced from the victim. After the Iran expert mentioned her connections within Iran on Israeli Army Radio, she received a phone call requesting an interview for the Persian BBC. To view the questions ahead of the proposed interview, she was instructed to access a Google Drive document that requested her password for access. Once she entered her password to access the malicious document, the attacker could use the credentials for further, escalated attacks. [37]
In Sweden, Mobile Bank ID is a phone app (launched in 2011) that is used to identify a user in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, and the user enters a password in the phone and is logged in. In this scam, malicious actors called people, claimed to be bank officers, said there was a security problem, and asked the victim to use their Mobile Bank ID app. Fraudsters were then able to log in to the victim's account without the victim providing their password, and could transfer money from the victim's account. If the victim was a customer of the Swedish bank Nordea, scammers were also able to use the victim's account directly from their phone. In 2018, the app was changed to require users to photograph a QR code on their computer screen. This ensures that the phone and the computer are colocated, which has largely eliminated this type of fraud.
An advance-fee scam is a form of fraud and is a common confidence trick. The scam typically involves promising the victim a significant share of a large sum of money, in return for a small up-front payment, which the fraudster claims will be used to obtain the large sum. If a victim makes the payment, the fraudster either invents a series of further fees for the victim to pay or simply disappears.
Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and to traverse any additional security boundaries together with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.
Phone fraud, or more generally communications fraud, is the use of telecommunications products or services with the intention of illegally acquiring money from, or failing to pay, a telecommunication company or its customers.
Internet fraud is a type of cybercrime fraud or deception which makes use of the Internet and could involve hiding of information or providing incorrect information for the purpose of tricking victims out of money, property, and inheritance. Internet fraud is not considered a single, distinctive crime but covers a range of illegal and illicit actions that are committed in cyberspace. It is differentiated from theft since, in this case, the victim voluntarily and knowingly provides the information, money or property to the perpetrator. It is also distinguished by the way it involves temporally and spatially separated offenders.
Email fraud is intentional deception for either personal gain or to damage another individual using email as the vehicle. Almost as soon as email became widely used, it began to be used as a means to defraud people, just as telephony and paper mail were used by previous generations.
A lottery scam is a type of advance-fee fraud which begins with an unexpected email notification, phone call, or mailing explaining that "You have won!" a large sum of money in a lottery. The recipient of the message—the target of the scam—is usually told to keep the notice secret, "due to a mix-up in some of the names and numbers," and to contact a "claims agent." After contacting the agent, the target of the scam will be asked to pay "processing fees" or "transfer charges" so that the winnings can be distributed, but will never receive any lottery payment. Many email lottery scams use the names of legitimate lottery organizations or other legitimate corporations/companies, but this does not mean the legitimate organizations are in any way involved with the scams.
A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to-date security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.
Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.
Caller ID spoofing is a spoofing attack which causes the telephone network's Caller ID to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. This can lead to a display showing a phone number different from that of the telephone from which the call was placed.
A robocall is a phone call that uses a computerized autodialer to deliver a pre-recorded message, as if from a robot. Robocalls are often associated with political and telemarketing phone campaigns, but can also be used for public service, emergency announcements, or scams. Multiple businesses and telemarketing companies use auto-dialing software to deliver prerecorded messages to millions of users. Some robocalls use personalized audio messages to simulate an actual personal phone call. Robocalling is also widely associated with scams.
Telemarketing fraud is fraudulent selling conducted over the telephone. The term is also used for telephone fraud not involving selling.
An IRS impersonation scam is a class of telecommunications fraud and scam which targets American taxpayers by masquerading as Internal Revenue Service (IRS) collection officers. The scammers operate by placing disturbing official-sounding calls to unsuspecting citizens, threatening them with arrest and frozen assets if thousands of dollars are not paid immediately, usually via gift cards or money orders. According to the IRS, over 1,029,601 Americans have received threatening calls, and $29,100,604 has been reported lost to these call scams as of March 2016. The problem has been assigned to the Treasury Inspector General for Tax Administration. Studies highlight that most victims of these scams are aged 20-29 years old and women are more affected than men. One way to decrease the risks of an individual falling victim to IRS impersonation scams is through awareness programs.
AnyDesk is a remote desktop application distributed by AnyDesk Software GmbH. The proprietary software program provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality. AnyDesk is often used in technical support scams and other remote access scams.
VoIP vulnerabilities are weaknesses in the VoIP protocol or its implementations that expose users to privacy violations and other problems. VoIP is a group of technologies that enable voice calls online. VoIP contains similar vulnerabilities to those of other internet use.
A SIM swap scam is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.
STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world.
Kitboga is the Internet alias of an American Twitch streamer and YouTuber whose content primarily focuses on scam baiting against phone fraud. His channel has over one million followers on Twitch, and his YouTube channel has over three million subscribers.
An SSA impersonation scam, or SSA scam, is a class of telecommunications scam targeting citizens of the United States by impersonating Social Security Administration employees. SSA scams are typically initiated through pre-recorded messages, or robocalls, that use social engineering to make victims panic and ensure they follow instructions given to them. In 2018, over 35,000 instances of SSA scam robocalls were reported to the Better Business Bureau with over $10 million lost by victims. Approximately 47% of Americans were subject to an SSA scam robocall during a three-month period between mid- to late 2020, and 21% of seniors were subject to at least three robocalls during the same time period.
COVID-19 scams are scams whose cover story primarily relies on the existence of the COVID-19 pandemic. They have been reported in multiple countries, primarily the United States, Canada and the United Kingdom.
ispoof.cc was a website used by many people to make unauthorised phone calls while displaying a caller ID falsely indicating that they were legitimate callers. In 2021 and 2022 it was part of an investigation by numerous law enforcement agencies into frauds enabled by this caller ID spoofing. It was shut down in November 2022 as the result of Operation Elaborate, a multi-agency investigation led by the Metropolitan Police and supported by Netherlands Police, Europol and Eurojust. As of 2022, it is the largest fraud investigation that has ever taken place in the United Kingdom.