Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by VoIP, to gain access to personal and financial information from the public for the purpose of financial reward. The term is a combination of V-voice and Phishing. Vishing is usually used to steal credit card numbers or other related data used in ID theft schemes from individuals.

The most profitable uses of the information gained through a Vishing attack include:

• ID theft
• Purchasing luxury goods and services
• Transferring money/funds
• Monitoring the victims' bank accounts
• Making applications for loans and credit cards

How Vishing Works

The criminal can initiate a Vishing attack using a variety of methods, each of which depends upon information gathered by a criminal and criminal's will to reach a particular audience.

1. Internet E-Mail: It is also called Phishing mail

2. Mobile text messaging

3. Voicemail: Here, victim is forced to call on the provided phone number, once he/she listens to voicemail.

4. Direct phone call: Following are the steps detailing on how direct phone call works:

• The criminal gathers cell/mobile phone numbers located in a particular region and/or steals cell/ mobile phone numbers after accessing legitimate voice messaging company.
• The criminal often uses a war dialer to call phone numbers of people from a specific region, and that to from the gathered list of phone numbers.
• When the victim answers the call, an automated recorded message is played to alert the victim that his/her credit card has had fraudulent activity and/or his/her bank account has had unusual activity. The message instructs the victim to call one phone number immediately. The same phone number is often displayed in the spoofed caller ID, under the name of the financial company the criminal is pretending to represent.
• When the victim calls on the provided number, he/she is given automated instructions to enter his/her credit card number or bank account details with the help of phone keypad.
• Once the victim enters these details, the criminal (i.e., visher) has the necessary information to make fraudulent use of the card or to access the account.
• Such calls are often used to harvest additional details such as date of birth, credit card expiration date, etc.

Some of the examples of vished calls, when victim calls on the provided number after receiving phished E-Mail and/or after -listening voicemail, are as follows:

1. Automated message: Thank you for calling (name of local bank). Your business is important to us. To help you reach the correct representative and answer your query fully, please press the appropriate number on your handset after listening to options.

• Press 1 if you need to check your banking details and live balance.
• Press 2 if you wish to transfer funds.
• Press 3 to unlock your online profile.
• Press 0 for any other query.

2. Regardless of what the victim enters (i.e., presses the key), the automated system prompts him to authenticate himself: "The security of each customer is important to us. To proceed further, we require that you authenticate your ID before proceeding. Please type your bank account number, followed by the pound key."

3. The victim enters his/her bank account number and hears the next prompt: "Thank you. Now please type your date of birth, followed by the pound key. For example 01 January 1950 press 01011950 ."

4. The caller enters his/her date of birth and again receives a prompt from the automated system: "Thank you. Now please type your PIN, followed by the pound key."

5. The caller enters his PIN and hears one last prompt from the system: "Thank you. We will now transfer you to the appropriate representative."

At this stage, the phone call gets disconnected, and the victim thinks there something wrong with the telephone line; or visher may redirect the victim to the real customer service line, and the victim will not be able to know at all that his authentication was appropriated by the visher.

How to Protect from Vishing Attacks

• Be suspicious about all unknown callers.
• Do not trust caller ID. It does not guarantee whether the call is really coming from that number, that is, from the individual and/or company - caller ID Spoofing is easy.
• Be aware and ask questions, in case someone is asking for your personal information.
• Call them back. If someone is asking you for your personal or financial information, tell them that you will call them back immediately to verify if the company is legitimate or not. In casse someone is calling from a bank and/or credit card company, call them back using a number displayed on invoice and/or displayed on website.
• Report incidents: Report Vishing calls to the nearest cyberpolice cell with the number and name that appeared on the caller ID as well as the time of day and the information talked about or heard in a recorded message.