Many Indians today perceive their smartphone as more trustworthy than the computer or laptop they own. However, on reflection, we (at Cyber Secure India) realise that the smartphone in your hand is more vulnerable than a computer or a laptop. Much of our financial activity and financial management is now done on the smartphone: contemplating the convenience it provides, we have started using it for banking apps, trading accounts, e-mail, receiving OTPs, holding e-wallets, and so on. A vishing attack on the mobile is therefore the best option for culprits to plan, because it lets them carry out the vishing attack and execute the financial theft on the same device at the same time.
What is Vishing?
We are familiar with the word “Phishing”, a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an e-mail, instant message or text message; spoofed e-mails, spurious SMS and malicious WhatsApp chats are used to trick targets into clicking malicious links. The term “Vishing” is a combination of “voice” and “phishing”. Vishing is like phishing, but it is conducted over a normal phone call or a VoIP phone call: criminals cold-call victims and attempt to persuade them to divulge personal information over the phone. Rather than e-mail, vishing generally relies on phone calls to a smartphone user, because the same phone can then be used immediately to execute the financial attack. These scammers are generally after credit card numbers, bank credentials and personally identifying information, which can then be used to commit financial theft.
A “Vishing” attacker uses several techniques to obtain phone numbers and identify prospective victims:
- Wardialing: A visher uses an automated system to call every number in a specific area code, posing as a local or regional bank or credit union. When someone answers, a generic or targeted recording begins, requesting that the listener enter a bank account, credit or debit card number and PIN.
- VoIP: VoIP (Voice over Internet Protocol) is an Internet-based phone system that facilitates vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.
- Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing, and VoIP has known flaws that allow it. These tools are typically used to populate the caller ID with the name of a specific bank or credit union, or just with the words “Bank” or “Credit Union”.
- Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.
- Dumpster Diving: One tried-and-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once a visher has the list, he can program the numbers into his system for a more targeted attack.
Here are a few ways to protect yourself against Vishing:
A smartphone user should be well aware of such attempts and cautious of a vishing attacker calling the very device on which the culprit can also execute the attack, since all our financial links are on the smartphone. So it is no surprise that the latest vishing technique focuses on using VoIP systems to call smartphones in order to gain access to personal information.
Knowledge is the key to defending yourself from vishing. A better understanding of it will always guard us against such attacks. It is worth reading the material that banks supply on vishing incidents and taking the precautions they recommend, all the more so as these crimes become more sophisticated by the day.
- Be wary of incoming calls. If you receive a call in which a person or an automated system requests personal information, end the call immediately. Remember, caller ID creates a false sense of security, so do not trust it. Before you give out any information to someone claiming to be from your bank or a company you trust, call that company directly to verify that there is a genuine need for the information. Locate the phone number on the official bank website or on your bank card, not by Googling it.
- Don’t call a number left in a voicemail or text message. Your bank is not going to send you a text message prompting you to call them. Before calling any number received in a text message or voicemail, verify it through correct and authentic means.
- Download apps through official channels. Go to the iTunes or Google Play store to download your bank’s official app. Phishers will send you a text message with a link to an app on a third-party server. Installing such an app is not as easy, but once you do, it runs completely seamlessly, and they can make it look exactly like the bank’s app.
- Don’t click links from unverified senders. Shortened links on a mobile device are hard to verify and may lead to malicious content. Without being able to see the full address, it is difficult to tell whether the website or sender is legitimate. You also cannot hover over a link, as you can on a computer, to preview where a linked word or graphic leads.
- Report suspected spam. Document as much information as you can, including what was said, the caller’s phone number and the information the person or system requested, so that you can report it to your bank as soon as possible. Each bank also has a crime reporting number and a portal.