Raul Velez is currently Director of Engineering and Professional Services at Onistec.
As technology advances to make our daily tasks easier, cybercriminals stay one step ahead, taking advantage of these conveniences to commit their crimes, go unpunished, and leave victims vulnerable to their attacks. Such is the case of Vishing, a combination of the two English words Voice and Phishing, which translated into Spanish means impersonation over the telephone.
In these types of attacks, criminals use social engineering to identify potential victims and manipulate human emotions such as fear, compassion, or greed to achieve their goals. With Vishing in particular, they seek to trick victims into providing sensitive personal data over the phone. It is generally recognized that this type of attack is more effective than traditional phishing (email), because a call establishes more direct and personal communication with the victim, and people are more likely to respond openly and sincerely during a conversation, even more so if the criminal manages to create an emotional bond: that they are a relative, that they will help us solve a problem, or that they bring us some economic or in-kind benefit.
Vishing deception is usually very elaborate, as the criminals can use VoIP (Voice over Internet Protocol). This technology transmits voice calls as digital data packets over IP networks instead of the traditional method of sending analog signals over the public switched telephone network. It also allows them to create numbers that impersonate institutions, mainly financial ones, making the victim believe that the call is real. This makes it easy for scammers to spoof the caller ID so that the call appears to come from a local number or even from a company the victim already deals with. These criminal groups may even run call centers staffed with recruits who have worked in legitimate centers of this kind, so they know the procedures and how to get through to people.
Often, if the call is not answered, they leave a voice message asking for a call back, and since it appears to come from the number of an institution we have a relationship with, we return the call either out of curiosity or to find out why they are looking for us. These calls are answered by automated voice systems that request information and personal data, and many people do not hesitate to provide them, since such systems are part of our daily lives.
Generally, the purpose of these Vishing calls is to obtain personal data such as credit card details, dates of birth, or account and electronic banking access credentials, or simply to collect the telephone numbers of our contacts so that the criminals can call them using the information extracted during the call to appear more legitimate.
These calls follow a pattern and usually occur at times of the day when we are likely to be busy, so we are less alert to the signs that would tell us it is a scam.
Some examples of Vishing calls that exploit these emotions are:
Greed - Impersonating a distant relative who calls to tell us that he has just arrived from abroad with gifts for the family, but that he was stopped by the authorities at the airport because of the high value of the items he is bringing, and that he needs us to send him money so they will let him through. They even put us in contact with the "authority" to explain the situation. When the call starts, they take advantage of the fact that some people are too embarrassed to admit that they do not know who is calling, and in answering the scammer's questions these people often give away information that the scammer then uses during the conversation to support the pretended identity and kinship with the victim.
Compassion - As in the previous case, a distant relative is in trouble and needs us to deposit a certain amount to get out of it. With the intention of helping, the request is fulfilled so that they can meet their need.
Fear - A call from the fraud department of our bank, where the caller ID on the phone "confirms" that it originates from the institution. They inform us that a high-value luxury item is being purchased with our credit card somewhere far away and that they need to validate with us whether the purchase is legitimate; if it is not (which is the case), they need some data in order to block it. To gain our trust, in addition to stating our full name and some data they may already have from a stolen database, such as our date of birth, they give us the first 4 digits of our card, taking advantage of the fact that many users do not know that these digits identify the issuing institution and are the same for thousands of cardholders. Once the rapport is established, as part of the process (and to build more trust) they transfer us to the "specialized area", and during the call they play the background messages or music used in the institution's real calls. So, out of fear of having to pay for this purchase and trusting that they will help us cancel it, we end up giving away personal data, including the validation codes from real SMS messages that the financial institution sends to our phone, which allow them to access our electronic banking directly and empty our accounts.
In the latter case, the bank assumes no responsibility if we ourselves, even unwittingly, gave a third party access to our account and they withdrew the funds or purchased items on our line of credit using our valid passwords and access codes. This automatically makes us responsible for the purchases and we must pay for them, even if we did not make them personally or for our own benefit.
While we recognize that the clearest and most immediate objective of Vishing is to access our financial resources for direct gain, criminals obtain other benefits as well, such as using our personal data later to apply for credit in our name, or to try to deceive our relatives or contacts using the personal information that was shared during the call.
While social engineering delivered through Vishing seeks to exploit our human nature so that we fall into scammers' schemes, there are certain actions we can take to prevent ourselves, or family members who are less familiar with technology, from becoming victims of this type of crime.
The first and most important recommendation is that, upon receiving a call, we validate that it is genuine; this can be done by contacting the bank directly through its institutional channels (and not through a number the scammer may have given us). We should always distrust whoever makes the call and verify that they are who they say they are, and not, out of embarrassment, fall into their guessing game and end up giving them a full name and telling them who they are speaking to.
We must be aware that, while it is already difficult to win a public raffle or a prize of significant value such as a car or a property, if we have not bought a ticket it becomes impossible, and that if such a prize were real, they would not phone us to announce it and then require us to pay first before it can be assigned to us. Remember: if it is too good to be true, it most likely is not.