What is Vishing?

To understand what "Vishing" is you must first be familiar with the terms "VoIP" and "Phishing."

VoIP: VoIP (Voice over IP) is a telecommunications breakthrough enabling telephone calls over the Internet or internal corporate networks.

Phishing: Phishing is an attempt to illegally gather personal information, such as usernames, passwords or credit card details, by posing as a legitimate and trustworthy entity through internet communication. This offense is normally performed through email or instant messaging, and typically directs users to enter their data into a website.

Vishing: The word "Vishing" is a combination of VoIP and Phishing, and marries an older form of communication (telephone) with modern technology (VoIP and internet communication). Vishing uses the trusted telephone rather than a link in an email to obtain private, personal, and financial information from those who can be easily coerced into making a phone call and divulging their personal, confidential information.

How Does It Work?

While vishing attacks can originate as an email or a telephone call, the strategy of each is basically the same. The recipient is directed to call a phone number they believe is affiliated with their financial institution or a company with whom they do business.

In a vishing attack, the phone number dialed belongs to the perpetrator's VoIP phone, which is programmed to recognize keystrokes or phone tones. Typically, the recipient will hear a message asking them to enter their account number via the phone keypad to verify their identity.

A perpetrator can easily glean valuable numeric information via the telephone. Numbers are easier than letters to transmit when responding to a vishing attack. As a result, victims are likely to divulge the following:

  1. Social Security numbers
  2. Account numbers
  3. Personal identification numbers (PINs)
  4. Credit card numbers, expiration dates, and card security codes
  5. Birthdays

Because financial institutions make wide use of these types of data entry methods, most people are comfortable with them and feel secure entering the numbers.

Why Does It Work?

Vishing is successful and attractive to perpetrators because:

  1. The telephone is a trusted communication tool
  2. The public generally accepts and has adopted automated phone validation systems
  3. Specific population groups, such as the elderly, are more easily targeted due to their comfort level with the traditional telephone system
  4. Caller ID information is easily masked or misrepresented
  5. Automated calling is simple to accomplish
  6. The increased use of call centers, often located in foreign countries, promotes victims' acceptance of strangers requesting confidential information
  7. VoIP makes it very inexpensive to make and receive calls
  8. VoIP provides the ability to route phone traffic internationally using proxies to hide the source of the attacks

Vishing Concerns

Because vishing utilizes VoIP, it is very difficult for authorities to monitor and trace. VoIP provides the ability to mask identity, location, or phone number (spoof caller ID), and provides inexpensive automated systems and anonymity for the person behind the operation. In addition, VoIP providers allow customers to select any area code and prefix, making it easy for a perpetrator to use a local area number to blanket unsuspecting victims by war dialing the vicinity, or sending mass emails. Victims who call the "local" number have no idea their call is being routed to a distant location via the Internet.

Voice recognition technologies have also reached an advanced level and are relatively inexpensive to acquire. Sophisticated vishers are not restricted to numeric data and can use these technologies to steal additional details such as names and addresses.

Once the perpetrator has gained this information, it is easy for them to perform the following acts:

  1. Take control of victims' financial accounts
  2. Steal victims' identities
  3. Make applications for loans and credit cards
  4. Purchase expensive goods and services
  5. Transfer stocks, securities or other funds
  6. Receive government benefits
  7. Obtain personal travel documents
  8. Hide criminal activities, such as money laundering

How Do I Protect Myself?

Common sense is your best defense.

  1. Be skeptical of anyone contacting you and attempting to gain your private banking or personal information.
  2. If you receive an email directing you to call a specified telephone number, disregard it and contact the financial institution directly with a number you know is valid, such as the one from your account statement or telephone book.
  3. Educating others can be very helpful. Let your friends and neighbors know what you have learned about vishing and other security related matters and caution them to be on guard for these types of attacks.
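
For mail administrators and help-desk staff, the second rule above can be applied mechanically. The following is an added example, not part of the original tips: it extracts the callback numbers from a message and compares them with a list of numbers already known to be valid. The allowlist, the cue words, the sample messages and all function names are assumptions made for illustration, and only North American number formats are handled.

```python
import re

# Constructed allowlist: numbers copied from a trusted source such as an
# account statement. All values here are fictional (555-01xx range).
VERIFIED_NUMBERS = {"+18005550100"}

# North American numbers only (assumption); digit lookarounds keep the
# pattern from matching inside longer digit runs such as card numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_CUES = re.compile(r"\b(call|dial|phone)\b", re.I)
DATA_CUES = re.compile(
    r"\b(verify|confirm|account number|pin|card number|social security)\b",
    re.I)


def normalize(raw):
    """Reduce any written form of a number to +1XXXXXXXXXX."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def extract_numbers(text):
    """Return the distinct phone numbers in text, normalized and sorted."""
    return sorted({normalize(m.group()) for m in PHONE_RE.finditer(text)})


def triage(message, verified=VERIFIED_NUMBERS):
    """Classify a message by the callback numbers it contains."""
    unverified = [n for n in extract_numbers(message) if n not in verified]
    asks_call = bool(CALL_CUES.search(message))
    asks_data = bool(DATA_CUES.search(message))
    if unverified and asks_call and asks_data:
        verdict = "block"    # unknown number + call request + data request
    elif unverified:
        verdict = "review"   # unknown number: check it against a statement
    else:
        verdict = "ok"       # no number, or only verified numbers
    return {"verdict": verdict, "unverified": unverified}


# Constructed sample messages.
LURE = ("Your account has been suspended. Call (312) 555-0143 now and enter "
        "your account number and PIN to verify your identity.")
GENUINE = "Questions about your statement? Call us at 1-800-555-0100."

if __name__ == "__main__":
    for msg in (LURE, GENUINE):
        print(triage(msg))
```

A "review" verdict means only that the number is not on the list; the number still has to be checked against a statement or another trusted source before anyone calls it.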

What To Do If You Are A Victim Of Vishing

If you think you are a victim of vishing, contact the financial institution immediately and notify them of the issue. Additionally, you should consider contacting the Internet Crime Complaint Center (IC3) immediately. The IC3 serves as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.

The bottom line is that you should always consider and verify the source before divulging any personal information. Once you give information to a con artist, it is gone, and there is no way to get it back completely.

These helpful tips are provided by Digital Defense, Inc., a computer security company working with your bank as a responsible member of the community to help ensure the privacy and security of our nation's financial information.