Skip to main content
Promotion: Promotional Banner Image

CUNA is now America’s Credit Unions.
A stronger voice to advance the credit union industry.

Learn More

Beware: The Latest Vishing Tactics


By TraceSecurity
November 16, 2023

As technology progresses and gets more advanced, social engineering like vishing become more and more difficult to separate the fake from the real. There are many tools that bad actors and hackers have implemented to steal information more easily. It’s always good to keep up to date on anything that might be developing in the cybersecurity world.

Artificial intelligence, or AI, has made things even harder for people to distinguish between what’s real and what isn’t. Originally, it was merely a phone call and trying to lead people to a dangerous website that can install malware or spyware onto your computer. Now, though, bad actors can train an AI program to mimic people’s voices and mannerisms. While AI might be good in some instances, it is becoming a pandemic in cybersecurity.

Statistics say that almost 1/4th of United States citizens lost money due to vishing scams. This can be detrimental not only in the workplace, but personally as well. However, with knowledge on the subject, there are specific ways that you can counteract vishing and other phishing attempts. AI can be difficult to notice, but with the proper precautions, you can be safe from these tools as well.

What is Vishing?

Vishing is a form of social engineering that falls under a form of “phishing.” Vishing is basically voice phishing, in which bad actors utilize phone calls and voice chats. They will either lead a victim to giving sensitive information or to a malicious website to install malware or dangerous programs. These hackers may call and pose as an IT person or a boss, but it’s always a good idea to verify who’s calling.

Types of Vishing Calls

ID Spoofing
The first line of attack that a bad actor uses is usually an identification spoof. Using computer programs, hackers can cause phone calls to appear as legitimate on a caller ID system. These could appear as other businesses or locations. More rarely, it can even appear as an internal number. Either way, as a business, these calls can’t be ignored, but it’s always important to verify.

Tech Support
One of the most common calls is technical support. A bad actor will pose as an IT worker calling to “verify” information or to lead a victim to a website. They will instruct that they need a test done, likely a speed test, to see if the network is working properly. There are plenty of other things they can ask, too, like IP addresses, server locations, or stating that they need passwords to access terminals.

AI Vishing
As mentioned above, artificial intelligence has come a long way. All it takes is a few phrases from a person and an AI program can match them. These phrases can come from a mere phone call and can be used to reproduce a friend or loved one’s voice. Television shows and movies can also be used to impersonate celebrities and other various important people in order to earn your trust.

Bad actors don’t have to talk to you to get into your phone. Notifications are easy to spoof when it comes to smartphones. These can come as a text message or email, letting you know that you’ve received a voicemail. Hackers will use these notifications to send you links to what might look like your voicemail, but it leads to a malicious site that can install malware onto your device. This blends with smishing as well.

Ways to Avoid Being Vished

There are plenty of bad actors out there, but there’s one thing that can stop them: security awareness. If you and your company are always on the lookout for suspicious activity, it can save you a lot of trouble in the long run. Security awareness training is becoming more and more necessary, including vishing simulations where third-party cybersecurity companies use vishing on employees.

While security awareness is the best defense, there are other things you can do to prevent vishing. Verification is always key. If you’re not expecting an IT call, it’s probably not from your IT company! If something seems off, it probably isn’t legitimate. If you’re called for a computer problem, a purchase order, or anything of the sort, be sure to verify with your actual IT professionals or supervisors.

Vishing is becoming a rampant problem in the world. With the advancement of technology, things like AI and ID spoofing are becoming easier. Bad actors will use any tool necessary to try to steal your information and money. These tools are being developed every day and it’s a constant battle between these malicious attacks and cybersecurity.

These calls have been fooling more and more people, so security awareness training is always a good idea. If something seems like it might be fake, it likely is. Always verifying is the best way to keep your personal and business information out of bad actors’ hands. Contact your IT professionals, especially if someone is asking for personal information like passwords or IP addresses. Legitimate sources won’t ask for sensitive information!

Connect with TraceSecurity to learn more.

About TraceSecurity

TraceSecurity has provided over 30,000 examiner approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.