The Ultimate Vishing Guide for Business, Part 1: Unmasking the Voice Con
Vishing. You may have heard the term … but do you really know everything you need to know about it? Vishing (voice phishing) continues to escalate, and now poses a real threat to many businesses. This series of articles will demystify vishing. We start today with clarity on what vishing really is … and some of the secret ways that it costs your business money.
In this blog, we will discuss:
- The Anatomy of a Vishing Attack
- Two Key Ways that Vishing Harms Business Today
- The Evolution of Vishing: The Role of AI and Beyond
The Anatomy Of A Vishing Attack
Vishing, or voice phishing, is a deceptive practice where criminals exploit voice communication to misrepresent their identity, with the goal of extracting information that can be used to then scam or defraud that person or their company. Unlike phishing, which primarily uses emails, or smishing, which utilizes text messages, vishing leverages voice calls as its primary tool.
Here are some common vishing scenarios along with examples:
- Impersonation of Bank Officials: Criminals pose as bank officials to solicit sensitive financial information. For instance, a scammer might call claiming to be a bank representative. They may say that there’s been suspicious activity on your account … and then, of course, request your account details to “verify your identity” (more like steal your identity!).
- Tech Support Scams: Scammers pretend to be tech support agents from reputable companies to gain access to the victim's computer. They might claim they've detected malware on your computer and offer to fix it for a fee. They then get a password or live login on your computer, where they can insert malware.
- Impersonation of Government Authorities: Criminals impersonate government officials to demand payments for fake fines or taxes. For instance, a scammer might call claiming to be from the IRS, demanding immediate payment for alleged unpaid taxes.
Examples that compare Vishing, Phishing, and Smishing:
Phishing:
- Invoice scam emails requesting payment for a nonexistent service.
- Email from a fake bank requesting login details.
Smishing:
- Text from a fake charity asking for donations.
- Text message claiming you've won a prize, urging you to click a link.
Vishing:
- Phone call from your (fake) bank to verify your identity.
- Call from the “local police” about your unpaid fines.
The Key Ways Vishing Harms Businesses Today
Often, companies are aware of how individuals are vished, but haven’t been informed of the issues with corporate vishing. There are currently two main angles of attack on a company that use vishing:
- Employee Exploitation: Vishing attacks can trick employees into divulging sensitive company information or making unauthorized transactions. The immediate financial loss may be bad, but it’s often just the tip of the iceberg, once employees expose critical business data to malicious actors.
- Brand Impersonation: Often, criminals use the trust that a brand has built over years or decades. These criminals impersonate brands in order to leverage the customer’s trust into scamming them out of information. Ultimately, though, even if a company is not directly involved in this scam, it tarnishes the brand's reputation and erodes customer trust. This has long-term negative effects on customer loyalty and business revenue.
As but one example of employee exploitation, in a notorious vishing incident, criminals impersonated a CEO's voice using AI to request a transfer of €220,000. The funds were transferred to a Hungarian supplier's bank account, as instructed, and only later was it discovered to be a scam. This case underscores the sophistication of vishing attacks and the potential financial and reputational damage they can cause. It also should be extra frightening, as this happened nearly 4 years ago, and technology has advanced tremendously since then.
The Evolution Of Vishing: The Role Of AI And Beyond
The advent of AI has escalated the vishing threat dramatically. Criminals now employ sophisticated AI technologies, like the one above, to create convincing fake calls. And where in earlier years this was quite difficult, it is quite simple now.
What happens when a voice that sounds like the CFO calls the Accounting Department, asking for an immediate transfer? Would most companies expect that it would be an AI version of the CFO’s voice, harvested from a recent video interview he had done? And these are often so good that they are almost indistinguishable from a genuine request. The rise of chatbots, deepfakes, and voice clones has made distinguishing between real and fake calls increasingly challenging. Moreover, as AI technology continues to evolve, the sophistication of vishing attacks is certain to grow. Consider but two growing methods to scam others:
- AI-Driven Voice Cloning: Advanced AI algorithms can now mimic voices with astonishing accuracy, enabling scammers to impersonate anyone, including company executives. These are sometimes also called deepfakes, and the technology involved can create incredibly realistic-sounding voices in real time, making vishing attacks more convincing.
- Automated Vishing Attacks: Automation allows scammers to carry out vishing attacks on a large scale, targeting numerous victims simultaneously with minimal effort.
Consider what happens when — if it’s not already happening — the voice-cloning technology meets automation powered by a chatbot similar to ChatGPT … where the robot knows the scam, all the best responses, and can make thousands of calls per hour without any human input. This is the immediate future of vishing.
It should be clear that vishing, particularly as it’s fueled by AI advancements, has evolved into a very sophisticated tool for fraud. It can affect your business directly, by extracting sensitive data from your business, or indirectly, by fooling your customers … and making them take out their pain on you. Awareness, vigilance, and technological solutions are crucial in combating this menace.
Stay tuned for our next blog, "The Ultimate Vishing Guide for Business, Part 2: Shielding Your Employees," to learn how to protect your workforce from vishing attacks. For more information on securing your business communication, contact YouMailPS — the industry leaders in detecting and protecting brands from fraudulent voice communications.