Infosec Home at The University of West Georgia

Log On

Vishing

 The term ‘vishing’ is combination of ‘voice’ and ‘phishing’, a practice we have addressed in a previous security tip. Vishing is simply using the act of social engineering over the telephone. It is another way for people with malicious intent to gain access to personal and financial information resulting in the identity theft of the victim. Typically it is used to steal credit card numbers or bank information.  

Example of a vishing attack:  

  1. A criminal makes calls using a list of phone numbers stolen from a financial institution.  
  2. Upon answering the call, the victim hears an automated recording more than likely created through a ‘text to speech synthesizer’. In the message the victim is ‘alerted’ to the fact that their credit card or bank account has had ‘fraudulent or unusual’ activity and is instructed to call a phone number immediately. 
  3. Part of the trap is that often that same number is also displayed on caller ID, possibly even with a bank name. It gives the victim the (false) sense that he or she is dealing with a real problem that needs to be handled.  
  4. When the victim calls the number that was given, it is answered by an automated system which instructs to enter a credit card number or bank account number on the phone’s key pad. 
  5. The call is often also used to obtain additional details such as PIN#, expiration date, date of birth, etc.  
  6.  When the credit card number or bank account number etc. is entered, the visher has all information needed to make fraudulent use of the card or to access the victim’s bank account.   
 Another way of doing this is via an ‘email phish’ instead of a phone call - the victim is instructed via email to ‘call the following phone number immediately’ and credit card or bank account information is gathered in much the same way as described above.Vishing is difficult for authorities to track. To protect yourself from a vishing attack, be very suspicious when receiving messages directing you to call the provided number to disclose credit card or bank information. The correct thing to do is to call your bank or credit card company to verify the legitimacy of the phone message.