Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.
The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.
So, what is vishing?
And how does it differ from phishing, something that most of us see far to much of?
The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.
Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.
So the boundary between voice calls and electronic messages is rather blurred these days.
Nevertheless, many of still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.
We know several people who keep a landline especially as a contact point for family and friends.
They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.
As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.
Semi-targeted phone attacks
The crooks don’t even need to know any details behind your number to abuse it, in the same way that they don’t need to know your full name, where you live or what you do for a living in order to spam and scam you by email.
Obviously, the more an attacker knows about you, the more they can tailor their scams – or target them, in the military jargon that’s become trendy in the cybersecurity field.
Even being able to say “Hello Your Real Name” instead of “Dear Customer” makes a message more believable, and including personal information can make a spam or scam more convincing still.
That’s why porn scammers, also known as sextortionists, who email to demand money for “suppressing” a prurient video of you (one that they don’t have because it doesn’t exist), include personal data in the message, such as your phone number or an old password.
They do this as a way of “proving” that they really did hack your computer, even though they almost certainly acquired the data from an ancient data breach.
Vishing scams, however, just like smishing scams (phishing via SMS), can sound realistic even if the crooks can do no better than guess at your online life.
Unlike emails, SMSes and voice messages – especially automated ones that use a synthetic voice and don’t need to be interactive – can get away with being stripped to the basics.
SMSes are limited to 160 characters, while voice messages are limited by the fact that about 30 seconds is the longest that people are likely to listen with any sort of attention to a recorded warning – and that is enough time for just 60 words dictated with any clarity.
And by picking a popular and widely-used service as the theme of the scam – such as a well-known global home delivery brand, or email provider, or payment processor, the crooks have a good chance of guessing correctly for a significant minoirity, perhaps even an absolute majority, of recipients.
Vishing at home
60 words or so turns out to be more than enough to create a believable bait, especially when it’s a voice message that lacks the permanence of an email or an SMS.
And, in the UK at least, there seems to have been a recent surge in home delivery vishing campaigns.
We can’t tell whether this is just one group of crooks who are focusing on both vishing and the UK at the moment, or if it’s a broader global trend, but we (and people we know in the UK) are experiencing unwanted vishing calls at a much greater rate than any time in the past few years.
We’re not talking about interactive scams here, like those fake technical support calls where a crook with the gift of the gab call up out of the blue to pester, lie, cheats and frighten you about made-up malware on your computer in order to talk you into buying a fraudulent “cleanup service” that you didn’t need in the first place.
This new wave of calls are automated, using voice synthesis to “speak” with diction and an accent that is nearly, but not quite, as good as Siri, and they seem to follow a shorter and much crisper script than similar scams we’re aware of from he past couple of years.
Most older recordings we’ve heard have English text with poor wording and grammar that was either synthetically generated by poor-quality voice software or dictated by someone reading inexpertly from a printed script.
But this latest batch sounds much more believable, following scripts roughly along these lines (we don’t have recordings, so these are paraphrased from various Naked Security readers’ memory):
Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.
Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.
One of our readers pressed 1 to see what would happen (we don’t recommend doing this, simply because the only thing you can be certain of is that you will be talking to an out-and-out criminal who knows your phone number and perhaps even where you live).
As you can probably imagine, the reader ended up talking to a real human in what sounded like a boiler-room call centre, just as you would if you were called directly by one of those technical support scammers claiming to be from Microsoft or your internet provider.
Why it works
The sad things about this sort of scam are:
- The crooks use internet telephony (VoiP), so they pay close to zero for the calls.
- The calls emerge into the landline or mobile network inside your country, so they often show up with a believable local number.
- Synthetic voice calls are widely used by legitimate businesses these days, so they are no longer a telltale sign that the call is suspicious.
- The call centre crooks only ever deal with “already active” callers who have pressed
1, making their scamming process more efficient. - The calls are hard to avoid, especially if they arrive on a line that you keep primarily for family emergencies.
- The incoming call numbers change all the time, so that adding them to your phone’s blocklist, if it has one, doesn’t help much.
- Reporting them feels like a waste of time, because the callers are almost certainly outside the jurisdiction of your own telecommunications regulator.
What to do?
Unfortunately, this is one of those cybercrimes for which we don’t have a good set of “this will fix the problem” answers.
Some people find that running all their calls through voicemail acts as a filter and stops the calls being intrusive, but if it’s a landline you rely on for the timely report of family emergencies then you still need to let the phone ring aloud to alert you to the call, and you may not know what incoming numbers to expect anyway.
(If your emergencies include possible calls from healthcare workers or hospitals, you will often find that those people and organisations withold their numbers to cut down on nuisance replies or to protect the privacy of the workers involved.)
Reporting unwanted phone calls can be somewhere between impossible, if the number is witheld and very hard, depending on your country.
For example, in the UK there is – rather annoyingly – a different procedure for reporting scam calls, which is where someone calls you up and talks a load of lies or unwanted junk into your ear, and abandoned or silent calls (“hangups”), which is where the caller cuts the connection before a human comes on the line at their end.
Calls where the other end doesn’t say a word, either through an unnerving silence or by using an automated voice only, are understandably considered creepier and therefore criminally more serious than viva voce, in-your-ear dishonesty, and are therefore regulated differently.
In the former case, in our experience trying to report rogue callers in the UK in the past, you can make your report anonymously; in the latter, the process is more complicated and you have to say who you are, presumably because scam calls are a regulatory issue but abandoned and silent calls may be a criminal offence.
So, if you can recover the caller’s number and are willing to report it, we encourage you do to so.
But we accept that this may be too much effort, or require too much personal involvement, for some people in some countries, so we’re not going any further than encouragement here.
All we can advise as a matter of routine is the rythmic and easily-rememered ditty that the Australian cybersecurity industry came up with many years ago as a way of thinking about how you deal with spammers and online charlatans: Don’t try. Don’t buy. Don’t reply.
Don’t let yourself get sucked, surprised or seduced into taking any direct action – not even if you think it might be amusing to see who’s at the other end – after all, you’re talking to a crook, so the best thing that can happen to you is nothing.
If you are worried about a fraudulent transaction, whether it’s via Amazon or any other coronavirus-friendly online merchant, login to your account yourself, or call the company’s helpine yourself, using contact information you already have.
Never rely on information provided inside an email, or read out to you in a call, as a way of deciding whether to believe the email or the call.
After all, if the call or email is true, the reply you will receive will be truthful and will say, “It’s true.”
But if the call or email is false, the reply you will receive will be a lie, and will also say, “It’s true”!
