Voice phishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing. Voice phishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company, and associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Some fraudsters utilise features facilitated by Voice over IP (VoIP), such as caller ID spoofing (to display a number of their choosing on the recipient's phone line) and automated systems (IVR).
Voice phishing is difficult for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. When in doubt, calling a company's telephone number listed on billing statements or other official sources is recommended, as opposed to calling numbers received from messages or callers of dubious authenticity. If you have just come off a call, be sure that the caller has not stayed on the line and is not trying to spoof a dial tone down the phone line when you pick up.
- The criminal configures a war dialer to call either phone numbers in a given region or a list of phone numbers stolen from an institution.
- Typically, when the victim answers the call, an automated recording, often generated with a text-to-speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.
- When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the keypad.
- Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account.
- The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.
Although the use of automated responders and war dialers is preferred by the vishers, there have been reported cases where human operators play an active role in these scams, in an attempt to persuade their victims.
Another simple trick used by the fraudsters is to ask the called party to hang up and dial their bank. When the called party hangs up, the fraudster does not, keeping the line open and remaining connected when the victim picks up the phone to dial.