blog

Beware Of Voice Message Phishing Attacks Called Vishing

Written by Securafy Team | Jun 11, 2021 3:00:00 PM

Hackers and scammers have been experimenting with "vishing" in recent months, as a subset of phishing.

Conventional phishing tactics rely on sending emails that employ a variety of social engineering tricks to convince unsuspecting recipients to hand over sensitive information up to and including login credentials.

However, "vishing" adds a new angle: Voice, either via pre-recorded message or employing an email that contains a phone number with a live person at the other end, who will try to coax the desired information from the caller live and in person.

Worse, in the case of incorporating pre-recorded messages, scammers can take a scattershot approach, generating thousands, or even tens of thousands of emails. These emails point back to a fairly convincing-sounding pre-recorded message, and even spoof their caller IDs while doing it so they come across as legitimate operations.

Internet security firm Armorblox has been studying the issue and recently released a pair of case studies relating to the phenomenon. Both studies involve impersonating Amazon, with the goal of convincing unsuspecting users to give up their credit card details.

Armorblox's first case study involved a campaign that targeted more than nine thousand email addresses, sent from a Gmail account with the subject line of "Invoice: ID" followed by an invoice number and content that made it appear as though the communication came from Amazon.

According to the email, an order for some piece of tech (television, computer, gaming console, etc.) was placed by the recipient, and asking that individual to contact the company at the number provided if there are any questions or problems with the details. In this case, the included phone number is the "payload," or at least the gateway to the payload.

The second campaign the company tracked was functionally similar, but was only sent to some 4,000 inboxes. In both cases though, since there are no poisoned attachments, there's nothing for the spam filters of email systems to flag, which is what makes "vishing" such a dangerous phenomenon. Stay vigilant out there.