Vishing is Coming to a Voicemail Near You
Hackers and scammers have been experimenting with “vishing” as a subset of phishing in recent months. Vishing is phishing using voice messages to get access to your personal and financial information.
Conventional phishing tactics rely on sending emails that employ various social engineering tricks to convince unsuspecting recipients to hand over sensitive information up to and including login credentials.
However, “vishing” adds a new angle: voice, either via a pre-recorded voicemail message or via an email that contains a phone number with a live person at the other end, who will try to coax the desired information from the caller live.
Worse, when pre-recorded voicemail messages are used, scammers can take a scattershot approach, generating thousands or even tens of thousands of vishing emails. These emails point back to a fairly convincing-sounding pre-recorded message, and the scammers even spoof their caller IDs to come across as legitimate operations.
Internet security firm Armorblox has been studying vishing voicemails and recently released a pair of case studies relating to the phenomenon. Both studies involve vishing voicemails that impersonate Amazon with the goal of convincing unsuspecting users to give up their credit card details.
First Case Study Involves Amazon
Armorblox’s first case study involved a campaign that targeted more than nine thousand email addresses, sent from a Gmail account with the subject line of “Invoice: ID” followed by an invoice number and content that made it appear as though the communication came from Amazon.
The email claimed that the recipient had placed an order for some piece of tech (television, computer, gaming console, etc.) and asked that individual to contact the company at the number provided if there were any questions or problems with the details. In this case, the included phone number is the “payload,” or at least the gateway to the payload.
The second campaign the company tracked was functionally similar but sent to some 4,000 inboxes. In both cases, because there are no poisoned attachments, there’s nothing for the spam filters of email systems to flag, which is what makes “vishing” such a dangerous phenomenon. Stay vigilant out there.
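The traits the two case studies describe (a Gmail sender, an “Invoice: ID” subject, Amazon branding, a callback number, and no link or attachment) can be scored together by a mail filter. The following Python is an added example, not Armorblox's detection logic; the indicator names, regexes, threshold, the domain treated as legitimate, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

FREE_MAIL = {"gmail.com"}        # sender type named in the first case study
BRAND = "amazon"                 # brand impersonated in both campaigns
BRAND_DOMAINS = {"amazon.com"}   # assumption: domain treated as legitimate
SUBJECT_RE = re.compile(r"^\s*invoice:\s*id\b.*\d", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://", re.I)

LURE = """\
From: "Amazon Orders" <billing.example@gmail.com>
Subject: Invoice: ID 48213377

Thank you for your Amazon order of a 55-inch television.
If you have questions about this order, call us at (555) 010-0199.
"""  # constructed sample shaped like the campaign described above
BENIGN = """\
From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your order has shipped

Track your package at https://www.amazon.com/your-orders
"""  # constructed sample of an ordinary notification

def vishing_indicators(raw):
    """Return the set of callback-phishing indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    subject = str(msg.get("Subject", ""))
    hits = set()
    if BRAND in f"{display} {subject} {body}".lower() and domain not in BRAND_DOMAINS:
        hits.add("brand_mismatch")          # claims the brand, sent from elsewhere
    if domain in FREE_MAIL:
        hits.add("free_mail_sender")
    if SUBJECT_RE.search(subject):
        hits.add("invoice_subject")
    if PHONE_RE.search(body):
        hits.add("callback_number")         # the phone number is the payload
    if not URL_RE.search(body) and not list(msg.iter_attachments()):
        hits.add("no_link_or_attachment")   # nothing for a classic filter to scan
    return hits

def is_suspect(raw, threshold=4):
    """Flag a message for review when enough indicators co-occur."""
    return len(vishing_indicators(raw)) >= threshold
```

No single indicator is conclusive on its own; the co-occurrence is what separates the lure from an ordinary order notification.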