Voice phishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. It is sometimes referred to as 'vishing' - a portmanteau of "voice" and phishing.
Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to make it difficult for legal authorities to monitor, trace or block. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Computer systems can create audio that sounds like a particular person speaking (deepfake), giving the impression that a trusted individual is making a request.
- The criminal either configures a war dialer to call phone numbers in a given region or list of phone numbers stolen from an institution.
- Typically, when the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumers that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumers to call a specific phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.
- When the victim calls the number, it is answered by automated instructions to enter his or her credit card number or bank account number on the key pad.
- Once the consumer enters a credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account.
- The call is often used to harvest additional details, such as security Personal identification number (PIN), expiration date, date of birth, etc.
Although the use of automated responders and war dialers is preferred by the vishers, there have been reported cases where human operators play an active role in these scams, in an attempt to persuade their victims. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN) as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or to commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly.
Another simple trick used by the fraudsters is to ask the called parties to hang up and dial their bank, but after the victim hangs up, the fraudster does not, keeping the line open and remaining connected when the victim picks up the phone to dial. When in doubt, calling a company's telephone number listed on billing statements or other official sources is recommended, as opposed to calling numbers received from messages or callers of dubious authenticity. However, sometimes hanging up and redialing is insufficient: if the caller has not hung up, the victim might still be connected, and the fraudster spoofs a dial tone down the phone line to entice the victim to dial. Then the fraudster's accomplice answers and impersonates whomever the victim is trying to call. This is known as a 'no hang-up' scam. Hence consumers are advised to use a different phone when dialing a company's number to confirm.
Bank account data is not the only sensitive information being targeted. Fraudsters are also trying to obtain security credentials from consumers who use Microsoft or Apple products by spoofing the caller ID of Microsoft or Apple Inc..
In Sweden, Mobile Bank ID is a phone app (launched 2011) which is used to identify a user in internet banking. The user logs in to the bank on a computer, the bank activates the phone app, the user enters a password in the phone and is logged in. Fraudulent people have called people, claimed to be a bank officer, saying there is security problem and asked them to use their Mobile Bank ID app. The victim did not have to say the password. They have then logged in the fraudster on his computer. A second Mobile Bank ID app log in has approved a transfer of money, or for Nordea even approved the fraudster's phone to be able to approve usage of the victim's account. In 2018 the app was changed to it must photograph a QR code on the computer screen, making sure the phone and the computer is physically located in the same room, which has mostly eliminated this type of fraud.
Audio deepfakes have been used to commit fraud, by fooling people into thinking they are receiving instructions from a trusted individual.
- "Crooks Net Millions in Coordinated Edd heists — Krebs on Security". krebsonsecurity.com. Retrieved 2018-09-04.
- Romney, Marshall and Paul Steinbart (2015) Accounting Information Systems, 13th ed., Chapter 13 - The expenditure cycle: Purchasing to cash disbursements, Upper Saddle River, NJ:Pearson Education, p. 162
- Association, Press (2013-08-28). "'Vishing' scams net fraudsters £7m in one year". the Guardian. Retrieved 2018-09-04.
- "'Vishing' and courier scam complaints increase". BBC News. Retrieved 26 November 2015.
- "Barclays refunds grandmother's £68k following vishing scam". BBC. Retrieved 4 August 2014.
- Milligan, Brian (6 July 2015). "Banks not liable in most vishing fraud, says Ombudsman". BBC News Online. Retrieved 17 September 2015.
- Statt, Nick (5 Sep 2019). "Thieves are now using AI deepfakes to trick companies into sending them money". Retrieved 13 Sep 2019.
- https://www.bbc.co.uk/news/business-34425717 Legal career 'hit by vishing scam'
- https://www.bbc.co.uk/news/business-34153962 Caught on tape: How phone scammers tricked a victim out of £12,000 By Joe Lynam & Ben Carter BBC News
- vnunet.com story: Cyber-criminals switch to VoIP 'vishing'
- BBC News story: Criminals exploit net phone calls
- The Paper PC: Messaging Security 2006: Vishing: The Next Big Cyber Headache?
- The Register: FBI warns over "alarming" rise in American "vishing"
- Vice Media: How a Hacker Can Take Over Your Life by Hijacking Your Phone Number An assessment of how call centre staff handle a vishing call.