How Voice Phishing Works (Vishing)

Man

Professional
Voice phishing (vishing) is a type of social engineering in which an attacker calls the victim by phone, posing as an employee of a bank, support service, government agency or other trusted person in order to trick the victim into revealing confidential data (passwords, PIN codes, card numbers, 2FA codes, etc.). This is an illegal and dangerous practice that can lead to financial losses and personal data leaks. Below are the technical and psychological aspects of vishing attacks, for educational purposes.

1. How does vishing work?

Step 1: Preparation

The attacker collects information about the victim:
  • First name, last name, phone number (via data leaks, social networks or random dialing).
  • Information about the bank, mobile operator or service used by the victim.
  • Answers to security questions (e.g. mother's name, city of birth), which are often publicly available.

Step 2: Calling the victim

The attacker:
  • Uses VoIP services (e.g. Skype, SIP telephony) to mask the number.
  • Introduces himself as an employee of a bank, tax office, police or support service.
  • Creates a sense of urgency:
    "Your account has been hacked, please send me the 2FA code immediately!"
    "There are suspicious transactions on your account. Please provide the PIN code to block it."

Step 3: Psychological pressure

The attacker uses manipulation tactics:
  • Fear: "If you don't provide your data, your account will be blocked forever!"
  • Trust in authority: "I'm calling from the Central Bank's security department."
  • Urgency: "You have 5 minutes to confirm your identity, otherwise the money will be stolen."

Step 4: Obtaining the data

The victim, believing the threat:
  • Reads out 2FA codes received via SMS.
  • Reveals account passwords.
  • Gives card numbers and PIN codes.
  • Transfers money to a "safe account".

Step 5: Using the data

The attacker:
  • Logs into the victim's accounts (banking, mail, crypto wallets).
  • Transfers money to his own accounts or sells the data on the darknet.
  • Uses the information for further attacks (for example, on the victim's friends or relatives).

2. Technologies used in vishing

A. Spoofing (number masking)

  • The attacker changes the number displayed on the victim's screen to make it look official (for example, a bank's customer service number).
  • Tools: VoIP services with a Caller ID change function (e.g. SpoofCard, Burner).

B. Answering machines and voice robots

  • Used for mass automated calls with recorded messages, for example:
    "Call XXX-XXX immediately to unblock the card!"
  • Tools: Twilio, Amazon Polly (for speech synthesis).

C. Voice templates and AI

  • Modern AI models (like Google Duplex) can mimic natural speech, making calls more convincing.
  • Example: an attacker records the victim's voice from social media and uses AI to create fake messages.

D. Roaming and international calls

  • Fraudsters from one country call victims in another, using local numbers to increase trust.
  • Example: a number with a US area code (+1) calls a victim in Russia, claiming to be from a local bank.

3. Examples of real vishing attacks

Example 1: Attack on bank clients

  1. The attacker calls the bank's client and says:
    "We have noticed suspicious activity on your account. To confirm your identity, send the code from the SMS."
  2. The victim, frightened, gives the code, and the attacker transfers the money to his own account.

Example 2: Vishing via crypto exchanges

  1. The attacker calls the owner of a crypto wallet:
    "Your account has been hacked. Transfer funds immediately to our secure wallet for protection."
  2. The victim transfers bitcoins to the specified address, which is controlled by the attacker.

Example 3: Spoofing Apple Support

  1. The attacker calls an iPhone user:
    "Your Apple ID has been locked due to a suspicious login. Please provide your password to unlock your account."
  2. After receiving the password, the attacker locks the victim's device and demands a ransom (ransomware attack).

4. Why is vishing dangerous?

  1. Highly effective: people tend to trust a voice, especially if the call seems official.
  2. No digital footprints: unlike phishing sites, calls are difficult to trace.
  3. Psychological pressure: fear and urgency reduce the victim's critical thinking.
  4. Difficulty of proof: it is difficult to quickly identify the attacker, especially if he uses anonymous VoIP services.

5. How to protect yourself from vishing?

A. Do not transmit data over the phone

  • Banks, tax authorities and services never ask for passwords, PIN codes or 2FA codes.
  • If the call seems suspicious, hang up and call the official number.

B. Check the authenticity

  • Ask the caller for his name, title and department.
  • Call the company's official number (find it on the website or a receipt) and clarify the information.

C. Use secure authentication methods

  • Ditch SMS codes in favor of:
    • Hardware tokens (YubiKey).
    • Authenticator applications (Google Authenticator, Authy).
    • Security keys (FIDO2).

D. Training and awareness

  • Educate loved ones (especially older ones) about the risks of vishing.
  • Conduct social engineering training (e.g. attack simulations) in companies.

E. Use call blocking tools

  • Install spam blocking apps:
    • Truecaller (Android/iOS) — identifies suspicious numbers.
    • RoboKiller - blocks autodialing.

F. Limit access to personal data

  • Do not publish in the public domain:
    • Phone number.
    • Date of birth.
    • Mother's/father's name.
  • Use private profiles on social networks.

6. Legal consequences

Vishing violates the laws of many countries:
  • USA: Computer Fraud and Abuse Act (up to 10 years in prison for fraud).
  • Russia: Article 138 of the Criminal Code of the Russian Federation (unauthorized access to computer information) and Article 159 (fraud).
  • EU: GDPR (unlawful collection of personal data, fines up to €20 million).

7. Educational resources

If you want to learn how to protect against vishing and other attacks:
  • Books: "The Art of Deception" (Kevin Mitnick), "Hacking Exposed 7" (McGraw-Hill).
  • Platforms: TryHackMe (social engineering courses), OWASP.
  • Certifications:
    • Certified Ethical Hacker (CEH) - analysis of social engineering methods.
    • CISSP — cybersecurity.

Summary

Vishing is a dangerous attack that relies on human manipulation. Never share sensitive data over the phone, even if the call seems official. Instead, focus on protecting your data and educating those around you. If you're interested in practical examples or code for teaching, let me know!
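The post above treats the displayed number as something the attacker simply sets (section 2A) and tells the reader to call back on the official number instead (section 5A). The following is an added example, not code from the original post: it parses three constructed SIP INVITE messages (fictitious numbers, hosts and a placeholder signature) and shows what a receiving side can and cannot conclude from the From header, its display name, and a STIR/SHAKEN Identity header carrying a PASSporT. The PASSporT is decoded but its ES256 signature is not verified here; that step, and the carrier certificate it needs, are assumed out of scope.

```python
"""Triage an inbound SIP INVITE: is the displayed Caller ID worth anything?

Added example, not code from the original post. Three INVITEs are built
inline: a forged From header with no Identity header, a PASSporT with
full ("A") attestation for the same number, and a PASSporT issued for a
different number than the From header claims. The PASSporT signature is
NOT verified (assumed out of scope). All numbers and hosts are fictitious.
"""
import base64
import json
import re

BANK_TN = "18005550100"    # the bank's published support line (constructed)
VICTIM_TN = "12025550147"  # the called party (constructed)


def b64url(obj):
    """base64url-encode a JSON object without padding, JWT style."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_identity_header(orig_tn, dest_tn, attest):
    """Build a SHAKEN Identity header value with a PLACEHOLDER signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/shaken.pem"}  # assumed cert URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": 1700000000,
               "orig": {"tn": orig_tn}, "origid": "0f2b7c5e-0000-4000-8000-0000000000aa"}
    fake_sig = base64.urlsafe_b64encode(b"\x00" * 64).rstrip(b"=").decode()
    return (f"{b64url(header)}.{b64url(payload)}.{fake_sig}"
            f";info=<{header['x5u']}>;alg=ES256;ppt=\"shaken\"")


def build_invite(from_tn, display_name, identity=None):
    """Assemble a minimal INVITE; only the headers the triage reads matter."""
    lines = [
        f"INVITE sip:+{VICTIM_TN}@carrier.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK776asdhds",
        f'From: "{display_name}" <sip:+{from_tn}@203.0.113.9>;tag=1928301774',
        f"To: <sip:+{VICTIM_TN}@carrier.example.net>",
        "Call-ID: a84b4c76e66710@203.0.113.9",
        "CSeq: 314159 INVITE",
    ]
    if identity:
        lines.append(f"Identity: {identity}")
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def parse_sip_headers(raw):
    """Map lowercase header name -> list of values (request line skipped)."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def tn_from_uri(value):
    """Pull the digits out of a sip:/sips:/tel: URI inside a header value."""
    m = re.search(r"(?:sips?|tel):\+?(\d+)", value)
    return m.group(1) if m else None


def decode_passport(identity_value):
    """Decode the PASSporT payload of an Identity header (no signature check)."""
    parts = identity_value.split(";")[0].strip().split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def triage_invite(raw):
    """Classify how much the Caller ID on an inbound INVITE can be trusted."""
    h = parse_sip_headers(raw)
    from_value = h.get("from", [""])[0]
    from_tn = tn_from_uri(from_value)
    name = re.match(r'\s*"([^"]*)"', from_value)
    result = {"from_tn": from_tn, "display_name": name.group(1) if name else None,
              "claims_bank_number": from_tn == BANK_TN}
    identity = h.get("identity")
    if not identity:
        # Nothing binds From/display name to anyone; any SIP client can set them.
        return {**result, "verdict": "UNVERIFIED",
                "reason": "no Identity header; From is caller-controlled"}
    pp = decode_passport(identity[0])
    if pp is None:
        return {**result, "verdict": "UNVERIFIED", "reason": "malformed Identity header"}
    orig_tn = pp.get("orig", {}).get("tn")
    if orig_tn != from_tn:
        return {**result, "verdict": "SUSPECT",
                "reason": f"PASSporT vouches for {orig_tn}, From claims {from_tn}"}
    if tn_from_uri(h.get("to", [""])[0]) not in pp.get("dest", {}).get("tn", []):
        return {**result, "verdict": "SUSPECT",
                "reason": "PASSporT dest omits the called number (possible replay)"}
    if pp.get("attest") != "A":
        return {**result, "verdict": "PARTIAL",
                "reason": f"attestation {pp.get('attest')}: carrier did not fully vouch for the number"}
    return {**result, "verdict": "ATTESTED",
            "reason": "full attestation for the displayed number (signature still to be verified)"}


# Attacker's SIP client simply sets From to the bank's number and a reassuring name.
SPOOFED_INVITE = build_invite(BANK_TN, "Bank Security")
# What the bank's carrier would emit: a fully attested PASSporT for that number.
ATTESTED_INVITE = build_invite(BANK_TN, "Example Bank",
                               make_identity_header(BANK_TN, VICTIM_TN, "A"))
# A PASSporT is present, but it was signed for a different originating number.
MISMATCH_INVITE = build_invite(BANK_TN, "Bank Security",
                               make_identity_header("14155550199", VICTIM_TN, "C"))
```

The point the triage makes concrete: the display name and the From number are plain text chosen by whoever sends the INVITE, so "Bank Security" calling from the bank's published line is exactly what a spoofed call looks like; only a PASSporT whose `orig` matches the From number, whose `dest` matches the called number, and whose signature chains to a trusted carrier certificate says anything about who is really calling. The UNVERIFIED and PARTIAL verdicts are the common case on the public phone network, which is why the post's advice to hang up and call back on the published number remains the only check available to the person answering.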
 

Voice Phishing (Vishing): How Fraudsters Cheat Over the Phone

Vishing (from "voice" + "phishing") is a type of fraud in which attackers use phone calls to trick victims into revealing sensitive information (passwords, card details, 2FA codes) or to force them to perform dangerous actions (transfer money, install malware).

How does vishing work?

1. Preparation

Scammers:
  • Collect information about the victim (from social networks, database leaks, phishing sites).
  • Mask the number (change the Caller ID to make calls on behalf of a bank, government agency, or technical support).
  • Prepare a scenario (a simulated problem with a card, a fine, an account, etc.).

2. Calling the victim

The criminal introduces himself as:
  • A bank employee ("Your card is blocked, please provide your CVV code").
  • Technical support ("Your computer is infected, install AnyDesk").
  • A civil servant ("You have an unpaid fine, otherwise there will be a court case").
  • A colleague or boss ("I urgently need access to the corporate system").

3. Manipulation and data extortion

Social engineering methods are used:
  • Intimidation ("They'll write off all your money now!").
  • Urgency ("Decide quickly, otherwise it will be too late!").
  • Flattery ("You are a competent user, help us check the system").

The goals of the attackers:
✔ To gain access to a bank account (login, password, SMS code).
✔ To find out the card details (number, expiration date, CVV, 3D-Secure code).
✔ To force installation of a virus (AnyDesk, TeamViewer, malicious APKs).
✔ To force a transfer of money ("to unblock the account").

Examples of real vishing attacks

  1. "Bank visher"
    • Call: "Your card has been hacked, please provide the code from the SMS to cancel the transfer."
    • Result: the money goes to the scammers' account.
  2. "Microsoft Technical Support"
    • Call: "Your Windows is infected, install a cleaning program."
    • Result: the victim installs a RAT (remote access virus).
  3. "Fine from the traffic police"
    • Call: "You haven't paid the fine, transfer the money, otherwise there will be a trial."
    • Result: a transfer to a fake account.

How to protect yourself?

1. Do not tell anyone:

  • Codes from SMS (banks never ask for them over the phone).
  • Card details (CVV, expiration date, full number).
  • Passwords (even if the caller introduces himself as "admin").

2. Check the caller:

  • Don't trust Caller ID - it can be spoofed.
  • Call back on the official numbers (listed on the bank's/organization's website).
  • Ask the caller for verifying details (if it is a "bank", have them name your latest transactions).

3. Don't give in to pressure

  • "Urgent" = dangerous - scammers love artificial deadlines.
  • "Otherwise they'll block you" - real services don't work like that.

4. Use protection:

  • Antispam applications (Yandex.Antispam, Hiya).
  • Biometrics and 2FA (so that even if the password is leaked, the account is protected).

What to do if you get caught by vishing?

  1. Block your card/account immediately.
  2. Call the bank (using the official number!).
  3. Check your devices for viruses (if you installed software).

Important: vishing is often combined with other attacks (SIM swapping, phishing). Be vigilant!

Conclusion: never trust unexpected calls - always double-check information through official channels.
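Step 5 of the first post and the "goals of the attackers" list in the post above end the same way: the SMS code the victim reads out is consumed from the attacker's own device, and the money then leaves for a payee that did not exist before the call. From the bank's side that sequence is visible in ordinary authentication and payment logs. The following is an added detection example, not code from either post; the events and field names (user, type, device, ip, payee, amount) are constructed assumptions about what such logs would carry, and the time windows are assumed policy values.

```python
"""Detect the vishing 'read me the SMS code' pattern in bank auth/payment logs.

Added example, not code from the original posts. EVENTS below is a
constructed log: field names and time windows are assumptions. The rule:
an OTP is issued, a login that consumes it succeeds from a device the user
has never used, and within a short window money goes to a payee added in
that same session. A legitimate first login from a new phone also trips the
first two conditions, so the alert is only 'high' once the payout follows.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_WINDOW = timedelta(minutes=5)      # OTP must be consumed within this (assumed)
TRANSFER_WINDOW = timedelta(minutes=15)  # payout shortly after the new-device login (assumed)

# Constructed events, already in the shape a SIEM would hand the rule.
EVENTS = [
    # earlier history establishes each user's known device
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "login_success", "device": "dev-a1", "ip": "198.51.100.10"},
    {"ts": "2024-05-01T09:05:00", "user": "bob",   "type": "login_success", "device": "dev-b1", "ip": "198.51.100.20"},
    {"ts": "2024-05-01T09:10:00", "user": "carol", "type": "login_success", "device": "dev-c1", "ip": "198.51.100.30"},
    # alice: normal login, OTP used on her usual device
    {"ts": "2024-05-02T10:00:00", "user": "alice", "type": "otp_sent"},
    {"ts": "2024-05-02T10:00:40", "user": "alice", "type": "login_success", "device": "dev-a1", "ip": "198.51.100.10"},
    # bob: OTP read out to a "bank employee" on the phone, consumed from the attacker's device
    {"ts": "2024-05-02T11:00:00", "user": "bob",   "type": "otp_sent"},
    {"ts": "2024-05-02T11:01:30", "user": "bob",   "type": "login_success", "device": "dev-x9", "ip": "203.0.113.77"},
    {"ts": "2024-05-02T11:03:00", "user": "bob",   "type": "payee_added", "payee": "ACC-SAFE-0001"},
    {"ts": "2024-05-02T11:05:00", "user": "bob",   "type": "transfer", "payee": "ACC-SAFE-0001", "amount": 4800.00},
    # carol: new phone, OTP consumed from a new device, but nothing else happens
    {"ts": "2024-05-02T12:00:00", "user": "carol", "type": "otp_sent"},
    {"ts": "2024-05-02T12:00:50", "user": "carol", "type": "login_success", "device": "dev-c2", "ip": "198.51.100.31"},
]


def detect_otp_handover(events):
    """Return one alert per OTP-backed login from a never-seen device.

    Severity starts at 'medium' and is raised to 'high' when a transfer to a
    payee created in the same session follows within TRANSFER_WINDOW.
    """
    known_devices = defaultdict(set)  # user -> devices seen in earlier successful logins
    pending_otp = {}                  # user -> time the last OTP was issued
    open_sessions = {}                # user -> state of a suspicious session
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["type"]
        if kind == "otp_sent":
            pending_otp[user] = ts
        elif kind == "login_success":
            otp_at = pending_otp.pop(user, None)
            new_device = e["device"] not in known_devices[user]
            known_devices[user].add(e["device"])
            if otp_at is not None and ts - otp_at <= LOGIN_WINDOW and new_device:
                alert = {"user": user, "severity": "medium", "login_ts": e["ts"],
                         "device": e["device"], "ip": e["ip"],
                         "otp_age_s": int((ts - otp_at).total_seconds()),
                         "reason": "OTP consumed from a device this user has never used"}
                alerts.append(alert)
                open_sessions[user] = {"alert": alert, "login_at": ts, "new_payees": set()}
        elif kind == "payee_added" and user in open_sessions:
            open_sessions[user]["new_payees"].add(e["payee"])
        elif kind == "transfer" and user in open_sessions:
            s = open_sessions[user]
            if ts - s["login_at"] <= TRANSFER_WINDOW and e["payee"] in s["new_payees"]:
                s["alert"]["severity"] = "high"
                s["alert"]["transfer"] = {"ts": e["ts"], "payee": e["payee"], "amount": e["amount"]}
                s["alert"]["reason"] += "; funds sent to a payee created in the same session"
                del open_sessions[user]
    return alerts


if __name__ == "__main__":
    for a in detect_otp_handover(EVENTS):
        print(a["severity"].upper(), a["user"], a["reason"])
```

Running it on the constructed log yields no alert for alice, a medium alert for carol (new phone, nothing else), and a high alert for bob, whose OTP was consumed 90 seconds after issue from an unknown device and followed by a 4800 transfer to a payee created in that session. The high alert is the one worth an automatic hold on the transfer; the medium one is the price of not being able to distinguish a customer's new phone from an attacker's laptop at login time, which is also why the first post's advice to move from SMS codes to FIDO2 keys matters: a key bound to the bank's origin produces nothing the victim could read out over the phone.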
 

What is voice phishing (vishing)?

Vishing (from the English "voice" and "phishing") is a type of fraud in which criminals use phone calls to deceive victims into giving up confidential information, such as bank card details, passwords, or personal data. This method is based on social engineering and manipulation of the victim's emotions.

How does vishing work?

  1. Collecting information about the victim:
    • Fraudsters may collect data about the victim in advance from data leaks, social media, or the dark web. This allows them to appear more credible.
  2. Number substitution and trust creation:
    • Fraudsters often use number substitution (spoofing) to make the call appear to come from a bank, government agency, or other legitimate organization.
    • They may pose as bank employees, technical support staff, or even relatives of the victim.
  3. Creating a sense of urgency:
    • Fraudsters escalate the situation by claiming that there is a problem, such as suspicious activity in a bank account or the threat of arrest. This forces the victim to act quickly without thinking.
  4. Request for confidential information:
    • The victim is asked to provide bank card details, SMS codes, passwords or to transfer money to a "safe account". Sometimes the scammers use automated systems or fake voices to enhance the effect.

Examples of vishing scenarios

  1. Bank impersonation:
    • The fraudster calls and reports "suspicious activity" on the account, asking the victim to confirm card details or transfer money for "protection".
  2. Tech support scam:
    • The victim is informed about a "virus" on the computer and offered help for a fee, requiring card details for payment.
  3. Threat of arrest:
    • Fraudsters pose as tax officials or police officers, threatening arrest for "debts" if the victim does not transfer the money.

How to protect yourself from vishing?

  1. Do not disclose confidential information:
    • Never give out bank card details, passwords or SMS codes over the phone. Banks and government agencies do not request such information.
  2. Check the caller:
    • If the call raises suspicion, call the organization back on the official number listed on its website.
  3. Don't give in to emotions:
    • Scammers often use fear or urgency. Take a moment to think about the situation.
  4. Use spam blocking apps:
    • Install apps that identify and block suspicious numbers.
  5. Record conversations:
    • Tell the caller that the conversation is being recorded. This may deter scammers.

What to do if you become a victim?

  • Contact your bank immediately to block your card or account.
  • Report the fraud.
  • Review your financial transactions and change your account passwords.

Vishing is a dangerous but preventable form of fraud. Being aware and careful can help you avoid being scammed.
 