The Hidden Economy of Vishing Attacks

By Eynan Lichterman
June 05, 2024 | 3 MIN READ

The phishing landscape has evolved significantly in recent years, encompassing various types of attacks. Many companies have developed taxonomies to categorize different phishing attacks, similar to the taxonomy presented by BlueVoyant. This taxonomy outlines several types of phishing attacks, such as:

  1. Email Phishing: The classic phishing attack involves sending emails to different entities within an organization. These emails are not heavily personalized, often using only the recipient’s title or name.
  2. Spear Phishing / Whaling: Unlike classic phishing, these emails are sent to a specific group and are heavily personalized, containing information about responsibilities or hobbies.
  3. Vishing: This is phishing conducted via voice, either through voice messages or phone calls.
  4. Smishing: Similar to email phishing but conducted via text messages (SMS or other applications).
  5. Clone Phishing: Involves cloning legitimate emails or messages and replacing the payload with a malicious link or attachment.
  6. Pharming: Creation of a fake website by cloning, using a similar name, or manipulating traffic to direct targets to a look-alike website.
  7. Pop-up Phishing: The attacker manipulates the user’s screen to display a notification from a different source, prompting the victim to click an unintended link or button.
  8. Evil Twin Phishing: The attacker mimics network equipment, such as a Wi-Fi hotspot, to trick the target into connecting to the attacker’s infrastructure.

The common thread among these attack types is the exploitation of human weaknesses. The primary motivation for most attackers is financial gain: they weigh the required investment against the expected return and pursue the attacks that pay. Most of these attacks are digitally delivered, so the marginal cost of each additional attempt is close to zero. Vishing, however, presents a unique challenge, and it comes in two main types:

Types of Vishing Attacks

  1. Automatic Attacks: In this newer type of attack, an automated system uses AI to mimic a legitimate attendant. These attacks are more cost-effective but currently suffer from limited mimicking accuracy and low conversion rates (the ratio of successful attacks to total attempts).
  2. Real Person Scenarios: In these attacks, a real person conducts the phone call. The call can be initiated by the attacker, or the target may be lured to call the attacker through a published number or a preliminary message (email or SMS).

Vishing attacks have been on the rise in recent years. In 2019, more than 43 million Americans lost money to vishing attacks. By 2021, this number had risen to over 59 million, representing an increase of more than a third in just two years.

Putting a real person behind the phone line is an economic challenge, requiring the attacker to hire a large number of employees. How does this operation work?

The Mechanics and Economics of Vishing Operations

Early this year, Europol’s “Pandora” operation, in collaboration with other police agencies, succeeded in shutting down 12 call centers used for vishing scams. These call centers were involved in various scams, from bank account fraud to impersonating police officers. This is not an isolated incident. In February, Cambodian police reported arresting over 300 Indians who were forced to work in cyber fraud farms. These gangs used human trafficking techniques to staff their operations.

The economy behind the vishing scene both draws on other criminal activity (such as the human trafficking used to staff these call centers) and funds further crime with its proceeds.

Lessons for CISOs

  1. Profitability of Vishing Operations: Despite the relatively high cost and risk, vishing operations are profitable for attackers. The increasing prevalence of these attacks indicates their effectiveness.
  2. Phishing as a Transverse Problem: Like other types of criminal activity, phishing operations can spill over into multiple forms of crime. The gangs running these operations are often richer and more sophisticated than anticipated.
  3. Awareness and Training: Many vishing operations are conducted by employees from foreign, often third-world countries. This can serve as an additional clue for training employees to recognize red flags, such as foreign accents or unfamiliar language patterns, which should prompt further scrutiny.

Organizations can better prepare and protect themselves against these evolving threats by understanding the underlying mechanics and motivations of vishing attacks.

Reach out to build your employee readiness against vishing attacks. Contact us today.