Vishing, short for “voice phishing,” is on the rise again. But then, it’s been rising almost exponentially for the past two years. Last summer various organizations were reporting anywhere between 500-650 percent increases over the previous six quarters. Now, as US citizens prepare their tax returns, the scam is getting another bump.
The Internal Revenue Service began warning US taxpayers in June of a surge of fake emails, text messages, websites, and social media attempts to steal personal information. “These attacks tend to increase during tax season and remain a major cause of identity theft throughout the year,” an IRS representative said.
“Often, criminals pose as someone the recipient knows or frequently interacts with, whether a social or family relationship or a business contact. They gather much of this information from social media. A person’s contacts or ‘friends’ are used to bait the recipient into thinking they’re dealing with someone they know.”
What is vishing?
Vishing refers to impersonating someone else with the purpose of scamming by phone rather than text or email. Many use voice-alteration software while others simply repeat the same scam from thousands of fake phone numbers that are very difficult to track. Once they get that information, the attacker can use it to hybridize the attack through text and email, or social engineering information about friends, family, and co-workers.
From an individual standpoint, there is little technology available to the general public to stop attacks like these.
First, there is the National Do Not Call registry that is free to the public that will have your number removed from calling lists in the US and there are similar services in the UK and Europe. However, if the call is coming from a call center outside of this jurisdiction they can ignore the local laws, and the fact is most vishing operations are in Asia, Africa, and Russia.
Paid for services
A few companies, most notably NoMoRobo, are supposed to stop calls from automatic dialers and known spam call centers, as well as spam texts. However, while the service is free for landlines, it costs about $20 a year to register your cell phone. However, if the calling number is not on NoMoRobo’s blacklist, it can get through, so the technology is not infallible.
Finally, there are settings on Android and iOS phones that will block any caller not on your phone contact list, but some scammers use a spoofing technique that will use the phone number of someone you know to bypass the block.
There are, however, changes in the works, and one company, Mutare, has been at the forefront for some time. Mutare’s AI includes a blacklist of offending callers and recognizes when automatic dialers and recorded messages are being used. It also studies patterns of calls, including where they come from. Mutare is only available to large corporations. In fact, NoMoRobo is a customer so it does touch the consumer level at that point.
However, the vulnerabilities of individuals are not as devastating as they are to corporations. GoDaddy was the victim of data theft with criminals stealing code, customer data, and passwords for three years before the breach was discovered. That vulnerability turned out to be the result of a vishing scam targeting GoDaddy employees to gain access to their servers.
We had a chat with Brian McDonald, director of product development and Mutare, about their technology and the problem of vishing. You can listen to it here.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.