May 21, 2021
5 min. read

5 tips to stay vishing-proof

Milla Viitala, Nikolas Kunnas
Junior Threat Analysts

Reach out and scam someone

Vishing scams were still relatively uncommon at the outset of 2021. But now? We are seeing them on a weekly basis. Read how vishing phone scams have changed, why they’re dangerous, and learn five tips to stay off the hook!

What is Vishing and why is it so dangerous?

Vishing, or voice phishing, is a form of phishing that happens by phone. In vishing, the scammer uses social engineering to get the victim to share their personal information over a phone call. The scammer may, for example, pretend to represent a legitimate company to establish trust with a victim. The scammer then manipulates the victim into sharing sensitive personal information such as their name, credit card details, social security number, and credentials.

Vishing can happen in all sorts of ways. Traditionally, the attacker makes first contact by directly calling the victim's number and impersonates a bank representative, or someone claiming the victim has won a prize, and so forth. But the vishing attempts we at Hoxhunt have been seeing lately look a bit different.

In these recent vishing attacks, the threat actor first uses email to hook the victim. The email is crafted with a sense of urgency that the victim must call a phone number provided in the email body, lest an undesired payment occur. Once the victim calls the number, the vishing begins.

Below are 3 different vishing email examples, all of which follow the same pattern:

  • User receives an order/purchase confirmation via email
  • User realizes they haven’t ordered anything
  • The only contact information found in the email is the helpdesk number
  • User calls the helpdesk number (which is actually a vishing number)
  • Vishing begins

1. Medical Reminder Service automatic subscription

The scammer is sending a message claiming that a free trial will soon end, whereupon $89.99 will be automatically charged to the victim’s credit card. This hypothetical subscription may only be canceled by calling the number in the email. That’s an immediate red flag. But victims are pushed to believe their only option is to call the number.

Medical Reminder Services send regular reminders to users to take their medicine on time. In this particular case, no company or representative is actually mentioned by name; only a generic “Medical Reminder Service” signature is provided. This is a big red flag.

2. Fake Amazon order confirmation

This one is impersonating Amazon - the attacker even bought a domain called “amazn-primeshoppingus.co” from which the email has been sent. This tactic is meant to make the email seem more authentic. However, closer scrutiny reveals several mistakes in the text that Amazon would never make. For instance, the ‘A’ in amazon is written in lowercase, and there’s a space before the comma.

Once again, only a fake help desk number is provided for contact info. How can you be sure it’s fake? A good way to identify vishing numbers is to Google them. Here, for instance, is what comes up after googling the above fake Amazon number:

3. Geek Squad subscription campaign


Geek Squad is a multinational consumer electronics company that has unfortunately been impersonated in a large vishing campaign as well. This particular campaign, also leveraging automated subscriptions, has been widely distributed. When googling the vishing number, loads of people pop up reporting the scam. Impersonating a well known company is a popular phishing technique because it elevates the feeling, and the potential, of legitimacy. The victim might actually be using the impersonated company’s services, after all.

So, what happens when victims of a vishing scam call the fake help desk number? Often, the scammer asks for the victim's credit card details to supposedly check if the card has been charged in the event of a mistaken order placement. They might also demand the victim’s social security number or other personal details while pretending to clear up the mistake.

What makes vishing dangerous?

  • Enables a more personal interaction with the victim
  • Easier to manipulate victims over the phone
  • Scammer can react to your tone of voice
  • Many of the scammers are social engineering professionals, so they know exactly what words to use to gain the victim’s trust
  • Many times the calls are made from VoIP (voice over IP) services, so they are harder to trace

Key takeaways

  • These vishing “hooks” are a true security risk for both individuals and organizations
  • The traditional vishing model of direct cold calls by the threat actor has changed
  • In these new and more sophisticated attacks, the victim is coerced to call the scammer
  • This is a clever way to cast a wider net; email blasts let attackers just wait for whoever takes the bait
  • The phishing hook is a feeling of panic over a mistaken credit card billing
  • This prompts the victim to react hastily, call the number... and fall into a vishing trap

After receiving a suspicious email directing you to call a random number, take a deep breath and examine it thoroughly for these five phishy telltales.

  1. Look for spelling errors and grammar mistakes
  2. Google the number
  3. If the email is from a well known company like Amazon, google their website and contact them through the contact information found on the site: don’t click any links or call any numbers in the email!
  4. Don’t give out your personal information over the phone EVER! No legitimate company asks for your whole credit card details etc. on the phone
  5. Check your bank account to see if you have been charged (if you see suspicious activity, contact your bank!)
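As an added example (not code from Hoxhunt or the original post), the following Python script scores an email against the pattern the three lures above share: a phone number as the only contact channel, billing urgency, a brand name that does not match the sender's domain (including look-alikes such as "amazn"), and sloppy punctuation such as a space before a comma. The sample messages, the urgency phrase list and the brand allow-list are constructed assumptions for this example.

```python
import re

SAMPLES = {  # constructed sample messages modelled on the lures above, not real emails
    "amazon_lure": {
        "sender": "orders@amazn-primeshoppingus.co",
        "body": "Thank you for your amazon order , $499.99 will be charged to your card. "
                "To cancel, call our help desk at +1 (888) 555-0142 within 24 hours.",
    },
    "real_receipt": {
        "sender": "auto-confirm@amazon.com",
        "body": "Your order has shipped. Track it at https://www.amazon.com/orders",
    },
}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose match for a North American number
URL_RE = re.compile(r"https?://\S+")
URGENCY = ("will be charged", "free trial", "within 24 hours", "automatically")
# Assumed allow-list of domains that legitimately send mail for a brand.
BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike labels such as 'amazn'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_callback_lure(sender: str, body: str) -> dict:
    """Return the indicators found in one message and a simple risk score (flag count)."""
    text = body.lower()
    domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if PHONE_RE.search(body) and not URL_RE.search(body):  # phone is the only contact channel
        flags.append("phone_only_contact")
    if any(phrase in text for phrase in URGENCY):
        flags.append("billing_urgency")
    for brand, good_domains in BRANDS.items():
        if domain in good_domains:
            continue
        if brand in text:  # brand named in the body but mail sent from an unrelated domain
            flags.append(f"brand_domain_mismatch:{brand}")
        if any(edit_distance(lbl, brand) <= 2 for lbl in re.split(r"[^a-z0-9]+", domain)):
            flags.append(f"lookalike_domain:{brand}")
    if re.search(r"\s[,.!?]", body):  # typography a real brand template would not contain
        flags.append("spacing_before_punctuation")
    return {"domain": domain, "flags": flags, "score": len(flags)}
```

A score of two or more on an unexpected "order confirmation" is a good trigger to report the message rather than call the number.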

Stay tuned! We’re planning to reach out and touch these vishing scammers ourselves with a call from within a threat-controlled safe environment!

Hoxhunt response

The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.
