
Vishing: What you need to know to stay safe in 2024

Timothy Ware brings his education and experience into his writing to simplify complex topics in cybersecurity, physical security, and all things B2B SaaS. His work has appeared on many prominent websites including TeamPassword, Solink, Security Today, Baremetrics, Cova, and Databook, among many others. He welcomes you to reach out on LinkedIn about anything and everything. You can find out more about Timothy at https://b2b-saas.io/.

January 15, 2024 (8 min read)


When people think about common vectors for cybercrime, a voice phone call might not come to mind. However, over the past decades, criminals have found it increasingly profitable to gain information over the phone. Vishing, or voice phishing, is when a cybercriminal uses the phone to gain sensitive information from the recipient as part of a larger cyberattack. Here’s what you need to know to keep yourself safe from vishing attacks in 2024.

TeamPassword makes it easy to keep your accounts safe from cybercriminals. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.


What is vishing?

Here is a simple definition of vishing. 

Vishing definition: Vishing (voice phishing), sometimes referred to as a phone scam, is when cybercriminals use phone calls to gain sensitive information from the recipient as part of a cyberattack. 

What is the goal of vishing attacks?

Ultimately, vishing attacks, like most cyberattacks, are about gaining money from the victim. This can be done directly, by getting the person on the phone to transfer money during that phone call or subsequent ones, often using cryptocurrencies or gift cards to make it harder to reverse and track the payments.

However, for businesses, vishing attacks are often designed to get more money indirectly, by getting sensitive information, such as usernames and passwords, to further a larger sophisticated attack. 

For example, vishing is often part of a ransomware attack.

Vishing example 

If you search news sites for vishing examples, you’ll find dozens. Many of them are long-running scams that target the elderly and gain a few hundred to thousands of dollars per victim. However, the total gained can reach the millions as these scams are hard to investigate and easy to scale. 

While less common, vishing attacks also threaten businesses, and the total dollar value of a single attack can easily exceed millions of dollars. Caesars and MGM, two Las Vegas casinos, were attacked using vishing and spear phishing techniques together.

Criminals used information found on LinkedIn to impersonate employees on the phone with the IT department. Then, they used the new credentials provided by IT to break into their systems and install ransomware. 

The results were devastating. MGM saw their cash flow drop by 10-20% and market capitalization decrease by $2 billion during the 10 days they were unable to operate. 

Caesars, unlike MGM, decided to pay a reported $15 million to the ransomware-as-a-service hackers. Indeed, if you allow the vishing scheme to get to the point where ransomware has been installed on your business’s system, then paying the ransom is often the most economical route.

Vishing statistics

Phone scams have been around for decades, but the nature of these schemes has changed dramatically in the last decade. Criminals are now able to “spoof” local phone numbers, even your grandchild or coworker’s phone number, to make their pitches seem more authentic. 

In addition, they can use information publicly available on LinkedIn to strengthen their case. These tools, combined with lots of practice, have made it very hard for even IT professionals to recognize a visher.

That’s why about one-third of all Americans have fallen victim to a phone scam at some point. All of these attacks combined have pushed the economic cost higher, from $29.8 billion in 2021 to $39.5 billion in 2022.

Around 300,000 to 400,000 vishing phone calls were recorded daily in America in 2022. Despite this, only 30% of professionals were familiar with the term “vishing” in 2022, up from 25% in 2019. 

Vishing represents the third most popular vector for cyberattacks on businesses, with the average loss from a successful attack reaching $10.1 million.

Common vishing tactics

According to the Federal Trade Commission (FTC), “There is no prize… You won’t be arrested… You don’t need to decide now… Only scammers demand you pay certain ways… [and] Government agencies won’t call to confirm your sensitive information.” 

That’s a pretty good summary of common vishing tactics. Basically, they use the same tools as marketers to make you feel like you need to make a decision now and the stakes are high enough that you should listen to the visher instead of your gut.

Here are some common specific vishing strategies:

  • Bank or other account problems: The visher pretends to be from your bank and says there is an issue with your account. They might have just enough information to make you think it is legitimate. For example, the first four digits of your credit card number are likely the same as those of every other person using the same bank. They then get you to give up more sensitive information so they can steal money from your account.

  • Tax or other payment problems: In this case, the scammers pretend to be a member of a government organization (probably the IRS in America, CRA in Canada, and so on). They tell you that you must pay immediately as the fines on your tax return are increasing quickly. Remember, outside of Nicaragua, no government wants Bitcoin.

  • Technical support: In this case, the vishers are looking to gain entry into some of your personal accounts, especially your email account. They can then use “lost password” functions or your tendency to reuse passwords to get into all of your other accounts. 

  • Free prize: In this case, instead of scaring you into giving them money, they try to get payment information in exchange for the promise of a big prize.

  • Impersonation: Instead of posing as a bank or other organization, some vishing attacks include impersonating a specific person. Common examples include posing as the CEO or CFO of your employer, or as your grandchild. 

  • Investment or timeshare scams: Vishers might convince you that, if you pay right now, you can lock in a great investment deal, or cheap vacation, or really anything else that someone might be tempted to accept.

  • Charity scams: Fear and excitement can get you to do something you might not otherwise, but so can sadness or guilt. Charity scams do just that by making you feel sad or guilty and therefore more inclined to hand over payment information. 

How do you prevent vishing attacks? 

No vishing attack can succeed if you do three things: slow down, hang up, and call back. 

  1. Slow down: The IRS is not going to put you in a position where you have to pay a fine while on the phone. They definitely aren’t going to make you pay with crypto or gift cards! Whatever emotion they are pushing—fear, guilt, excitement—just take a couple of breaths and think about whether this is a scam.

  2. Hang up: If you have even the slightest feeling something is a scam, then it’s almost definitely a scam. Simply hang up. If the call was legitimate, then you can find out during Step 3.

  3. Call back: If someone from Bank of America calls you, then you can always hang up, find the number online, and call that number to ask about your account. If the issue was legitimate, then they’ll know about it. Otherwise, pat yourself on the back for dodging a scam.

As an IT leader, you should equip your team with the knowledge and tools they need to avoid vishing scams. 

  1. Knowledge: A paltry 30% of Americans know the term vishing. While many more probably have a general idea of what phone scams are, they might not be aware of just how sophisticated they can be. You should be informing them of the pitfalls and how to protect the business from this major threat.

  2. Tools: There are many types of software available to protect employees from vishing attacks. Foremost among the tools needed is a way to protect your most sensitive information. TeamPassword is the best password manager for teams. When your employees don’t need to know the credentials to share them, they can’t accidentally share them with hackers.

Use TeamPassword to prevent vishing attacks

TeamPassword can help you stay safe from the threat of vishing attacks. It creates and securely stores unique, random, and strong passwords for each account, keeping them off limits to those trying to steal your information. The less information available publicly, the harder it is for vishing calls to sound legitimate.

Furthermore, by making it easy to securely share passwords within the company, employees know that anyone asking for such information over the phone is a scammer. 

TeamPassword can protect your important accounts from vishers. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.
