To understand what vishing is, consider an example. Imagine that after a long day at work you receive the following voice message on your cell phone: “Good morning, my name is Pedro González and I work for the company in charge of the security of your computer. We will stop offering our services next week, whereupon we offer you a $300 refund. Please call this number Monday through Friday during business hours…”
What would you think? Would you return the call, or would you find it suspicious? What if the refund were not in dollars, but in the currency of your country? What if the message mentioned an antivirus company whose product you use?
This example describes vishing: a dangerously effective type of attack that relies on social engineering techniques. The attacker communicates by phone or voice message, posing as a trusted company or entity, with the intention of deceiving the victim and convincing them to take an action that goes against their interests.
The word vishing comes from the union of voice and phishing; that is, it encompasses those phishing attacks that involve a voice, whether robotic or human. In these attacks, the attackers can reach the victim through mass phone calls, much like those of a corporate call center, or by leaving voicemails.
Among the favorite topics scammers choose for these communications are financial or security problems with our computer or mobile device, and the identity theft of a supposed family member or acquaintance.
Although this technique may mean more cost and effort for cybercriminals, it is more effective than other similar forms of attack such as phishing: a phone call achieves a more personal communication than an email, so emotional manipulation is easier to carry out. In extreme cases, the attacker simulates sadness or tears over a supposed problem they are facing and that only the victim can solve.
In addition to monetary losses, vishing attacks can have consequences that are not so obvious for the victim, such as the use of their identity to deceive other users in the future.
The main recommendation to avoid being a victim of this type of fraud is to verify the source of any suspicious call. If the caller claims to be an acquaintance, contact that person directly; if it is a supposed bank, check the reason for the call or whether we have any associated service. It is also important to be wary of the call's origin and, if it seems at all doubtful, to end the communication as soon as possible. If the person who contacted us claimed to be from a company with which we are associated, it is advisable to contact the company through its official communication channels.