Voice phishing explained

Voice phishing, or vishing,[1] is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.

Landline telephone services have traditionally been trusted: lines terminate at physical locations known to the telephone company and are associated with a bill-payer. Vishing fraudsters now often exploit Voice over IP (VoIP) features such as caller ID spoofing and automated interactive voice response (IVR) systems to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes.

Voice phishing attacks are usually conducted with automated text-to-speech systems that direct a victim to call a number controlled by the attacker, although some use live callers. Posing as an employee of a legitimate body such as a bank, the police, or a telephone or internet provider, the fraudster attempts to obtain personal details and financial information about credit cards and bank accounts (e.g. the PIN), as well as the victim's personal information. With this information, the fraudster may be able to access and empty the account or commit identity fraud. Some fraudsters also try to persuade the victim to transfer money to another bank account or to withdraw cash and hand it over directly.[2] Callers also often pose as law enforcement or as Internal Revenue Service employees.[3][4] Scammers often target immigrants and the elderly,[5] who are coerced into wiring hundreds to thousands of dollars in response to threats of arrest or deportation.

Bank account data is not the only sensitive information targeted. Fraudsters also try to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc.

Audio deepfakes have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.[6]

Terminology

Motives

Common motives include financial reward, anonymity, and fame.[13] Confidential banking information can be used to access the victim's assets. Stolen credentials can be sold to people who want to hide their identity while conducting certain activities, such as acquiring weapons; this anonymity is dangerous and makes the activity difficult for law enforcement to trace. Phishers may also seek fame within the cyber-attack community.

Operation

Voice phishing comes in various forms, with different methods and operational structures. Scammers usually employ social engineering to convince victims of the role they are playing and to create a sense of urgency to use as leverage against them.

Voice phishing has attributes that distinguish it from similar attacks such as email phishing. With the spread of mobile phones, vishing can target people who have a phone but no working knowledge of email, such as the elderly. The long history of legitimate call centres asking for personal and confidential information also makes it easier to extract sensitive information, because many people trust whoever they are speaking to on the phone. Voice communication lets a vishing attack be personable and therefore more persuasive than an email. Victims also tend to respond faster to a phone call than to an email, which leaves them less time to reflect.[14] A phone number is difficult to block, scammers can simply change numbers when one is blocked, and they often find ways around rules and regulations. Phone companies and governments are constantly seeking new ways to curb scam calls.[15]

Initiation mechanisms

A voice phishing attack may be initiated through different delivery mechanisms.[16] A scammer may call a victim directly and pose as a trustworthy person by spoofing the caller ID, so that the call appears to come from an official body or a local number. Scammers may also leave pre-recorded, threatening messages in victims' voicemail inboxes to coerce them into taking action. Victims may also receive a text message asking them to call a specified number, for which they are then charged. Additionally, the victim may receive an email impersonating a bank that directs them to a phone number; during the call, the victim may be coerced into providing private information such as a PIN, account number, or other authentication credentials.

Common methods and scams

Voice phishing attackers often employ social engineering to convince victims to give them money and/or access to personal data.[17] Generally, scammers attempt to create a sense of urgency and/or a fear of authority to use as leverage against victims.

Detection and prevention

Voice phishing attacks can be difficult for victims to identify because legitimate institutions such as banks sometimes ask for sensitive personal information over the phone.[8] Phishing schemes may employ pre-recorded messages imitating those of well-known regional banks, making them hard to distinguish from legitimate calls. Additionally, victims, particularly the elderly, may forget or not know that scammers can modify their caller ID, which makes them more vulnerable to voice phishing attacks.

The US Federal Trade Commission (FTC) suggests several ways for the average consumer to detect phone scams.[22] The FTC warns against making payments using cash, gift cards, and prepaid cards, and states that government agencies do not call citizens to discuss personal information such as Social Security numbers. Potential victims can also pay attention to characteristics of the call, such as the caller's tone or accent[28] or the urgency of the call, to judge whether it is legitimate.

The primary strategy recommended by the FTC to avoid falling victim to voice phishing is not to answer calls from unknown numbers.[9] However, a scammer using VoIP can spoof the caller ID so that the number does not look unknown, and victims do sometimes answer; in those cases other strategies include not pressing buttons when prompted and not answering any questions asked by a suspicious caller.

On March 31, 2020, in an effort to reduce vishing attacks that rely on caller ID spoofing, the US Federal Communications Commission adopted rules mandating STIR/SHAKEN, a framework that phone companies use to authenticate caller ID information.[29] US phone service providers had until June 30, 2021, to comply with the order and integrate STIR/SHAKEN into their networks to lessen the impact of caller ID spoofing.
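As an added example, not code from the original page, from any carrier, or from the FCC: the check a terminating provider performs under STIR/SHAKEN, written in Go. The originating provider signs a PASSporT (the JWT defined in RFC 8225, with the SHAKEN claims of RFC 8588) over the calling and called numbers, an issue time and an attestation level; the terminating provider verifies the signature, rejects stale tokens, and checks that the signed originating number is the caller ID it is about to display. The x5u URL, the origid value, the sample numbers and the in-memory key standing in for the carrier's certificate are assumptions of the example; a real verifier fetches the certificate named by x5u and validates it against the STI policy administrator's trust list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const maxAge = 60 * time.Second // RFC 8224: reject Identity headers older than ~60 s (replay)

// JWS protected header of a SHAKEN PASSporT (RFC 8225 / RFC 8588). x5u normally
// points at the carrier's STI certificate; here it is a placeholder URL.
const header = `{"alg":"ES256","ppt":"shaken","typ":"passport","x5u":"https://cert.example.net/carrier.pem"}`

// Claims: caller (orig.tn), callee (dest.tn), issue time and attestation level:
// "A" full (carrier knows the customer and their right to the number),
// "B" partial (customer known, number not verified), "C" gateway (transit only).
type passportClaims struct {
	Attest string                             `json:"attest"`
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64                              `json:"iat"`
	Orig   struct{ TN string `json:"tn"` }   `json:"orig"`
	Origid string                             `json:"origid"`
}

// newCarrierKey stands in for the key behind the carrier's STI certificate.
func newCarrierKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signPassport builds the compact JWS the originating carrier puts in the SIP Identity header.
func signPassport(priv *ecdsa.PrivateKey, origTN, destTN, attest string, iat time.Time) (string, error) {
	var c passportClaims
	c.Attest, c.Iat, c.Origid = attest, iat.Unix(), "0a7d1c5e-example-origid" // assumed origid
	c.Orig.TN, c.Dest.TN = origTN, []string{destTN}
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(header)) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw 32-byte R and S concatenated
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyPassport is the terminating carrier's check before it decides how to show the
// caller ID. presentedCallerID is the number the callee would see (SIP From /
// P-Asserted-Identity); it must equal the signed orig.tn or the token proves nothing
// about this call. Returns the attestation level so the caller can weigh it.
func verifyPassport(pub *ecdsa.PublicKey, token, presentedCallerID string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyJSON, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return "", errors.New("bad base64url encoding")
	}
	var hdr map[string]string // pin the algorithm: never let the token choose it
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" {
		return "", errors.New("unsupported header")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return "", errors.New("signature invalid: token altered or not signed by this carrier")
	}
	var c passportClaims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return "", err
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age < -maxAge || age > maxAge {
		return "", fmt.Errorf("stale token (age %s): possible replay", age)
	}
	if c.Orig.TN != presentedCallerID {
		return "", fmt.Errorf("caller ID %q does not match signed orig.tn %q", presentedCallerID, c.Orig.TN)
	}
	return c.Attest, nil
}

func main() {
	priv, now := newCarrierKey(), time.Now()
	tok, _ := signPassport(priv, "12025550100", "12025550199", "A", now)
	fmt.Println(verifyPassport(&priv.PublicKey, tok, "12025550100", now)) // genuine call: A <nil>
	fmt.Println(verifyPassport(&priv.PublicKey, tok, "18005551212", now)) // same token, spoofed caller ID: error
}
```

The attestation level matters as much as the signature: a valid token with attestation "C" only says the call entered the signing carrier's network at a gateway, so a verifier should not render a "verified" indicator on "C" alone, which is why the example returns the level rather than a boolean. A call that arrives over a path with no participating carrier simply carries no Identity header at all, so the check is one input to call analytics and blocking rather than a complete defence against spoofing.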

In some countries, social media is used to call and communicate with the public. On certain social media platforms, government and bank profiles are verified, so unverified profiles claiming to belong to a government body or bank should be treated as fake.[30]

Solutions

The most direct and effective mitigation strategy is training the general public to recognise the common traits of a voice phishing attack.[31] A more technical approach is software-based detection. Such mechanisms can generally differentiate phishing calls from honest ones and may be cheaper to deploy than public training.

Detection of phishing

A straightforward method of phishing detection is the use of blocklists (blacklists). Recent research has attempted to distinguish accurately between legitimate calls and phishing attacks using artificial intelligence and data analysis.[32] To further advance research on fake audio, different augmentations and feature designs have been explored.[33] By transcribing phone calls to text, artificial intelligence techniques such as natural language processing can be used to identify whether a call is a phishing attempt.
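An added worked example in Go of the two detection approaches this paragraph names, a blocklist lookup and classification of a transcribed call; it is not code from the page or from the cited papers. The cue phrases, the blocklist entry and the two transcripts are constructed for the example, and the number normalisation assumes North American numbering; a deployment would learn its cues from labelled calls rather than hand-pick them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Cue phrases grouped by the pressure-and-extraction pattern described above
// (hand-picked for this example).
var cues = []struct {
	category string
	phrases  []string
}{
	{"authority", []string{"irs", "internal revenue", "social security", "warrant", "arrest", "deported", "police"}},
	{"urgency", []string{"immediately", "right now", "within 24 hours", "today", "final notice", "suspended"}},
	{"payment", []string{"gift card", "prepaid card", "wire transfer", "bitcoin", "cash"}},
	{"credential", []string{"pin", "password", "one-time code", "verification code"}},
}

// Word-bounded, plural-tolerant patterns so that "pin" does not fire on "shopping".
var cueRegexps = func() map[string][]*regexp.Regexp {
	m := map[string][]*regexp.Regexp{}
	for _, c := range cues {
		for _, p := range c.phrases {
			m[c.category] = append(m[c.category], regexp.MustCompile(`\b`+regexp.QuoteMeta(p)+`s?\b`))
		}
	}
	return m
}()

// Normalised numbers previously reported as scam sources (constructed entry).
var blocklist = map[string]bool{"12025550147": true}

var nonDigit = regexp.MustCompile(`\D`)

// normalizeNumber strips formatting so "+1 (202) 555-0147", "202-555-0147" and
// "12025550147" compare equal; a bare 10-digit number gets country code 1.
func normalizeNumber(s string) string {
	d := nonDigit.ReplaceAllString(s, "")
	if len(d) == 10 {
		d = "1" + d
	}
	return d
}

type verdict struct {
	Blocklisted bool
	Categories  []string // cue categories found, in the order defined in cues
	Suspicious  bool
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// classifyCall combines the blocklist with a transcript classifier. One category
// alone is weak evidence (an appointment reminder is "urgent", a genuine fraud
// desk may ask for a code); the vishing pattern is pressure (authority or
// urgency) combined with extraction (payment or credential).
func classifyCall(callerID, transcript string) verdict {
	v := verdict{Blocklisted: blocklist[normalizeNumber(callerID)]}
	text := strings.ToLower(transcript)
	for _, c := range cues {
		for _, re := range cueRegexps[c.category] {
			if re.MatchString(text) {
				v.Categories = append(v.Categories, c.category)
				break
			}
		}
	}
	pressure := contains(v.Categories, "authority") || contains(v.Categories, "urgency")
	extraction := contains(v.Categories, "payment") || contains(v.Categories, "credential")
	v.Suspicious = v.Blocklisted || (pressure && extraction)
	return v
}

// Constructed transcripts standing in for speech-to-text output.
const (
	scamTranscript = "This is Officer Daniels with the Internal Revenue Service. " +
		"There is a warrant for your arrest over unpaid taxes. To stop it you must " +
		"pay today with prepaid gift cards and read me the card numbers."
	reminderTranscript = "Hello, this is Example Dental. You have an appointment " +
		"tomorrow at 10 am. Please call us today if you need to reschedule."
)

func main() {
	fmt.Printf("%+v\n", classifyCall("+1 (202) 555-0123", scamTranscript))
	fmt.Printf("%+v\n", classifyCall("202-555-0199", reminderTranscript))
	fmt.Printf("%+v\n", classifyCall("202-555-0147", reminderTranscript)) // blocklisted number
}
```

The blocklist half is only as good as the caller ID it is keyed on; as the article notes, a spoofed number defeats it, which is why the transcript half does not depend on the number at all.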

Offensive approaches

Specialized systems, such as phone apps, can feed fake data to phishing calls. Additionally, law enforcement agencies continually try to deter scammers from making phishing calls by imposing harsher penalties on attackers.

Notable examples

Between 2012 and 2016, a voice phishing scam ring posed as Internal Revenue Service and immigration employees to more than 50,000 individuals, stealing hundreds of millions of dollars as well as victims' personal information.[5] Alleged co-conspirators from the United States and India threatened vulnerable respondents with "arrest, imprisonment, fines, or deportation."[5] In 2018, 24 defendants were sentenced, with the longest imprisonment being 20 years.[5]

COVID-19 Scams

On March 28, 2021, the Federal Communications Commission issued a statement warning Americans of the rising number of phone scams regarding fraudulent COVID-19 products.[34] Voice phishing schemes attempting to sell products which putatively "prevent, treat, mitigate, diagnose or cure" COVID-19 have been monitored by the Food and Drug Administration as well.[35]

Beginning in 2015, a phishing scammer impersonated Hollywood make-up artists and powerful female executives to coerce victims into travelling to Indonesia and paying sums of money on the premise that they would be reimbursed. Using social engineering, the scammer researched the victims' lives extensively to mine details that made the impersonation more believable. The scammer called victims directly, often several times a day and for hours at a time, to pressure them.[36]

Thamar Reservoir Cyberattack

The 2015 cyber attack campaign against the Israeli academic Dr. Thamar Eilam Gindin illustrates the use of a vishing call as a precursor to further attacks that build on information coerced from the victim. After the Iran expert mentioned connections within Iran on Israeli Army Radio, Gindin received a phone call requesting an interview for the BBC's Persian service. To view the questions ahead of the proposed interview, she was instructed to open a Google Drive document that requested her password for access. By entering her password into the malicious document, she handed the attacker credentials that could be used for further, more privileged attacks.[37]

Mobile Bank ID Scam

In Sweden, Mobile Bank ID is a phone app (launched in 2011) used to identify users in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, the user enters a password in the app, and the login on the computer completes. In this scam, malicious actors called people claiming to be bank officers, said there was a security problem, and asked the victim to open their Mobile Bank ID app and approve. Because the fraudster had already started a login to the victim's account from their own computer, the victim's approval logged the fraudster in, without the fraudster ever needing the victim's password. The fraudster could then transfer money out of the account. If the victim was a customer of the Swedish bank Nordea, scammers could also operate the victim's account directly from their phone. In 2018, the app was changed to require users to scan a QR code shown on the computer screen. This ties the approval to the computer in front of the user, which has largely eliminated this type of fraud.
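An added example in Go, not code from Bank ID, Nordea or the original page, that models why the QR step defeats the scam. The legacy approval binds the phone only to the user, so whichever browser session started a login for that user receives it; the QR approval binds it to the specific session whose screen the phone scanned. The session identifiers, the token format and the 30-second code lifetime are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// qrTTL bounds how long a displayed code is accepted (an assumed value).
const qrTTL = 30 * time.Second

// pendingLogin is created whenever someone types a user's identity into the
// bank's web login page, whether that someone is the user or a fraudster.
type pendingLogin struct {
	user    string
	browser string // browser session that gets logged in on approval
	qrToken string // random value rendered as a QR code on that browser's screen
	started time.Time
}

// bank models only the parts of the login flow the scam exercises.
type bank struct {
	pending  map[string]*pendingLogin // keyed by browser session id
	loggedIn map[string]string        // browser session id -> user
}

func newBank() *bank {
	return &bank{pending: map[string]*pendingLogin{}, loggedIn: map[string]string{}}
}

func randomToken() string {
	var buf [16]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err)
	}
	return hex.EncodeToString(buf[:])
}

// startLogin returns the token the web page renders as a QR code. Whoever is
// sitting at that browser sees it; nobody else does.
func (b *bank) startLogin(user, browser string, now time.Time) string {
	p := &pendingLogin{user: user, browser: browser, qrToken: randomToken(), started: now}
	b.pending[browser] = p
	return p.qrToken
}

// approveLegacy is the pre-2018 flow: the app, unlocked with the user's
// password, approves whatever login is pending for that user. The phone has
// no way to tell the victim's own computer from the fraudster's.
func (b *bank) approveLegacy(user string) (string, error) {
	for browser, p := range b.pending {
		if p.user == user {
			delete(b.pending, browser)
			b.loggedIn[browser] = user
			return browser, nil
		}
	}
	return "", errors.New("no pending login for user")
}

// approveWithQR is the post-2018 flow: the app sends the token it scanned from
// the screen in front of it, so only the session that displayed that token
// can be logged in, and only while the code is fresh.
func (b *bank) approveWithQR(user, scannedToken string, now time.Time) (string, error) {
	for browser, p := range b.pending {
		if p.user != user || subtle.ConstantTimeCompare([]byte(p.qrToken), []byte(scannedToken)) != 1 {
			continue
		}
		delete(b.pending, browser)
		if now.Sub(p.started) > qrTTL {
			return "", errors.New("QR code expired")
		}
		b.loggedIn[browser] = user
		return browser, nil
	}
	return "", errors.New("no pending login matches the scanned code")
}

func main() {
	now := time.Now()
	legacy := newBank()
	legacy.startLogin("victim", "fraudster-browser", now) // caller has started a login as the victim
	who, _ := legacy.approveLegacy("victim")              // victim "confirms" as instructed
	fmt.Println("legacy flow logged in:", who)            // fraudster-browser

	qr := newBank()
	qr.startLogin("victim", "fraudster-browser", now)
	_, err := qr.approveWithQR("victim", "", now) // victim has no bank QR code on any screen to scan
	fmt.Println("QR flow:", err)
}
```

The lifetime matters because a scammer who can see the code on their own screen can still try to relay it to the victim as a picture; a short-lived, rotating code narrows that window without closing it, so the approval screen should also tell the user what they are approving.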

References

  1. Book: 10.1145/1456625.1456635 . Vishing . Proceedings of the 5th annual conference on Information security curriculum development - InfoSecCD '08 . 2008 . Griffin . Slade E. . Rackley . Casey C. . 33 . 9781605583334 .
  2. Web site: Press Association. 2013-08-28. 'Vishing' scams net fraudsters £7m in one year. 2018-09-04. The Guardian. en.
  3. News: Olson. Elizabeth. 2018-12-07. When Answering the Phone Exposes You to Fraud. en-US. The New York Times. 2021-04-08. 0362-4331.
  4. Web site: Chinese Robocalls Bombarding The U.S. Are Part Of An International Phone Scam. 2021-04-08. NPR.org. en.
  5. News: Hauser. Christine. 2018-07-23. U.S. Breaks Up Vast I.R.S. Phone Scam. en-US. The New York Times. 2021-04-06. 0362-4331.
  6. Web site: Statt. Nick. 2019-09-05. Thieves are now using AI deepfakes to trick companies into sending them money. 2021-04-08. The Verge. en.
  7. Steinmetz . Kevin F. . Holt . Thomas J. . 2022-08-05 . Falling for Social Engineering: A Qualitative Analysis of Social Engineering Policy Recommendations . Social Science Computer Review . en . 089443932211175 . 10.1177/08944393221117501 . 251420893 . 0894-4393.
  8. Song. Jaeseung. Kim. Hyoungshick. Gkelias. Athanasios. 2014-10-01. iVisher: Real-Time Detection of Caller ID Spoofing. ETRI Journal. en. 36. 5. 865–875. 10.4218/etrij.14.0113.0798. 16686917 . 1225-6463.
  9. Web site: 2011-05-04. Caller ID Spoofing. 2021-04-06. Federal Communications Commission. en.
  10. Web site: The AT&T Business Editorial Team. What is VoIP and how does it work?.
  11. Web site: 2010-11-18. Voice Over Internet Protocol (VoIP). 2021-04-08. Federal Communications Commission. en.
  12. Web site: Federal Communications Commission. REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING.
  13. Khonji. Mahmoud. Iraqi. Youssef. Jones. Andrew. Phishing Detection: A Literature Survey. IEEE Communications Surveys & Tutorials. 15.
  14. Fowler. Thomas. Leigh. John. Phishing, Pharming, and Vishing: Fraud in the Internet Age. The Telecommunications Review. 10.1.1.136.3368.
  15. News: 2021-03-14. Phone scammers: 'Give me £1,000 to stop calling you'. en-GB. BBC News. 2021-04-08.
  16. Web site: IBM Global Technology Services. The vishing guide..
  17. Choi. Kwan. Lee. Ju-lak. Chun. Yong-tae. 2017-05-01. Voice phishing fraud and its modus operandi. Security Journal. en. 30. 2. 454–466. 10.1057/sj.2014.49. 154080668 . 0955-1662.
  18. Web site: 2019-06-05. What You Need to Know About Romance Scams. 2021-04-08. Consumer Information. en.
  19. Web site: 新竹市警察局. 2017-01-09. 常見詐騙手法分析-新竹市政府. 2021-04-08. 新竹市警察局.
  20. Web site: 2019-02-15. How to Spot, Avoid and Report Tech Support Scams. 2021-04-08. Consumer Information. en.
  21. Web site: 2018-10-05. Tech Support Scams. 2021-04-08. Federal Trade Commission. en.
  22. Web site: 2019-09-25. Phone Scams. 2021-04-08. Consumer Information. en.
  23. Web site: Charity and Disaster Fraud. 2021-04-08. Federal Bureau of Investigation. en-us.
  24. Web site: 2011-02-11. Watch out for Auto Warranty Scams. 2021-04-08. Federal Communications Commission. en.
  25. Web site: Giorgianni. Anthony. Don't Fall for the Car Warranty Scam. 2021-04-08. Consumer Reports. en-US.
  26. Web site: FBI Warns Public of 'Virtual Kidnapping' Extortion Calls — FBI. 2021-04-08. www.fbi.gov. en-us.
  27. Web site: 刑事警察大隊. 2015-11-26. 遇到假綁架詐騙別心慌 冷靜求證不受騙. 2021-04-08. 刑事警察大隊.
  28. Web site: Shamah. David. Anatomy of an Iranian hack attack: How an Israeli professor got stung. 2021-04-08. www.timesofisrael.com. en-US.
  29. Web site: Federal Communications Commission. REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING.
  30. Web site: 內政部警政署 165 全民防騙網. 2021-04-08. 165.npa.gov.tw.
  31. Khonji. Mahmoud. Iraqi. Youssef. Jones. Andrew. Phishing Detection: A Literature Survey. IEEE Communications Surveys & Tutorials. 15.
  32. Kim. Jeong-Wook. Hong. Gi-Wan. Chang. Hangbae. Voice Recognition and Document Classification-Based Data Analysis for Voice Phishing Detection. Human-centric Computing and Information Sciences.
  33. Cohen . Ariel . Rimon . Inbal . Aflalo . Eran . Permuter . Haim H. . A study on data augmentation in voice anti-spoofing . Speech Communication . June 2022 . 141 . 56–67 . 10.1016/j.specom.2022.04.005. 2110.10491 . 239050551 .
  34. Web site: 2020-07-17. COVID-19 Robocall Scams. 2021-04-06. Federal Communications Commission. en.
  35. Affairs. Office of Regulatory. 2021-04-02. Fraudulent Coronavirus Disease 2019 (COVID-19) Products. FDA. en.
  36. Web site: 2018-07-11. Hunting the Con Queen of Hollywood: Who's the "Crazy Evil Genius" Behind a Global Racket?. 2021-04-06. The Hollywood Reporter. en.
  37. Web site: Shamah. David. Anatomy of an Iranian hack attack: How an Israeli professor got stung. 2021-04-06. www.timesofisrael.com. en-US.