An individual who shares their OTP on a call to revert an incorrect credit card transaction, only to learn that their bank account was wiped out. That employee who transferred money to a specific bank account, on the instructions his “CEO” gave him over the phone. These are just two examples of vishing, a social engineering attack that rides on the legitimacy people associate with voice calls. People and businesses fall prey to such attacks all the time – even those who are tech-savvy and aware of such attacks.
The 2021 CFCA fraud loss survey reveals that phishing is a 1.62 billion business. The FBI Internet Crime Complaint Center’s (IC3) 2021 Internet Crime Report indicates that phishing, vishing, smishing, and pharming accounted for 323,972 victims, a 34% jump in a year!
Vishing harms individuals and businesses alike because there are always humans sitting at the end of the phone line. Humans have emotions that can be exploited using social engineering techniques. Criminals know just how to do this. To make matters worse, they use VoIP with spoofed caller IDs so their calls cannot be traced, making it virtually impossible for authorities to track them. Most times, a lack of clear laws and jurisdictions makes it difficult for authorities to clamp down on such attacks.
them.
How vishing works
Vishing attacks come in many forms. You might be talking to a human or you might be talking to a robot. There are other more complicated hybrid attacks where a robot initiates calls, after which a human takes over.
Then there are the more terrifying AI-based vishing methods using deep fake technology where criminals can impersonate the voices of people familiar to their targets. In one such instance, criminals defrauded a company of $243,000 by using AI software to impersonate their CEO’s voice. The company’s country head thought he was talking to his parent company’s CEO when asked to transfer money to an account within an hour citing urgency in the matter.
Criminals impersonate government officers, representatives of reputed businesses, or even relatives needing urgent help. They get their targets to share personal/financial information using social engineering tactics that target the victim’s emotions. They do this by creating situations that elicit emotional responses from their targets, such as fear or urgency.
How can businesses and people prevent vishing
Vishing attacks are on the rise with each passing year. One part of the solution is to create awareness in people and businesses. The second is regulations formed and enforced by governments. The third is ensuring that businesses and enterprises implement strong VoIP security practices that can detect, prevent, and stop such attacks.
Currently, awareness training largely focuses on phishing and hardly talks about vishing. There needs to be a concerted effort to create awareness about hybrid attacks involving phishing and vishing. Awareness training must be more scenario-based to ensure that people recognize behavior patterns of criminals that indulge in vishing attacks.
Awareness training largely focuses on phishing and hardly talks about vishing. While financial institutions create awareness about phishing and vishing, there needs to be a concerted effort to create awareness about hybrid attacks involving phishing and vishing. Awareness training must be more scenario-based to ensure that people recognize behavior patterns of criminals that indulge in vishing attacks.
People must be alert when they’re being rushed to perform an operation. Genuine callers from banks and other institutions possess complete records of their accounts while criminals would have managed to procure incomplete information about them or their employers through other means. This means that giving out even small bits of sensitive information can complete the picture and put them in jeopardy.
Though this hierarchy of trust varies in different countries and cultures, its gist is true, globally. Usually, businesses insist on higher trust values even for most transactions. For example, businesses require:
- Formal purchase orders for procurement of material with payments made only after receipt of material.
- Employment of validation agencies for large payments and receipts.
- Emails and phone conversations for additional validation of transactions, along with using specific applications as the main interaction points.
Improved VoIP security & business practices
On the business side: Implement the hierarchy of trust for significant transactions. Use the four-eye principle for all sensitive transactions. Have at least two people validate high-value transactions. Verify the authenticity of calls by calling back institutions using the numbers published on their public interfaces, such as websites or financial statements. Seek a conversation with an employee of the institution. Consult financial auditors or lawyers when financial and legal issues are at play in transactions.
On the VoIP security side: If you are a business, you need to make the security of communication/voice systems a priority. Bolster your VoIP security posture by ensuring that you have systems in place to detect, monitor, and block spoofed calls. Besides protecting you from the risk of financial loss or data loss, this can also ensure improved productivity for your employees and contact center agents.
How can governments prevent vishing
Governments must create and enforce regulations that prevent call spoofing. There are several countries working towards ensuring that call spoofing and vishing attacks are prevented using tactics that nip the problem in the bud.
STIR/SHAKEN is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. STIR, short for Secure Telephony Identity Revisited, has been defined as a series of RFC standards documents by IETF.
Though spoofing is legal in the US and Canada as long it’s not used for commercial gains, the countries have set goals for all telecom carriers to enforce the STIR/SHAKEN protocol to identify all calls and prevent spoofing. Other countries too are exploring policies to safeguard people against spoofing. In the UK, the government is researching alternate methods to prevent spoofed calls. India has made spoofing illegal. Along with banning all websites and applications that support spoofing, India also has laws to jail and fine anyone spoofing calls.
Conclusion
In the past, when business was conducted in person, there was little scope for security scams. People visited banks to conduct their transactions, bankers knew most of their customers personally. Banks used physical cheques that required physical verifications. Hard-wired phone lines were difficult to tap, and you couldn’t steal money by tapping someone’s phone lines. All this changed with the onset of digitization and automation. Today, businesses use VoIP systems that are plugged into their networks. This allows criminals to create situations that persuade their targets to act in ways that might be unthinkable in the physical world.
The stakes are much higher in business. VoIP adoption has grown tremendously, but VoIP security best practices and solutions are yet to catch up. Businesses must actively review their current VoIP security models to detect how vulnerable they are. They need to understand — on an ongoing basis — the kinds of attacks their voice communication systems are facing.
If you need any help understanding how vishing might be impacting your VoIP systems, please get in touch with us at sales@assertion.cloud