August 8, 2022
By Pavel Jiřík in Blog
2022 didn’t bring a decrease in the occurrence of cybercriminal attacks, unfortunately. Quite the opposite, in fact. The latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs shows that vishing (voice phishing) cases increased by almost 550% between Q1 2021 and Q1 2022. Smishing (attacks via text messages) increased by over 700% in the first two quarters of 2021.
What’s worse, far too many people still can't recognize when a mail, call, or text message is coming from a fraudster rather than a genuine company. Especially since the criminals know just what to say to get people to act as they want.
So what can you do to protect yourself, your employees, and your business from criminals? Learn how Smishing and Vishing work so you can spot the signs that your team is under attack. And what better way to learn than by looking at some real-life examples of smishing and vishing attacks? Let's get to it, then.
What Is Smishing?
Smishing is a type of phishing attack, except that criminals use text messages instead of emails. The scammer sends an SMS message that appears to be from a trustworthy company.
Once opened, the recipient might read that something terrible is about to happen to their account. For example, their credit card is about to be blocked. Or the opposite - a message congratulating the recipient for being a sweepstakes winner or claiming that a gift is on the way to thank them for being a loyal client.
Each such message will also include a link, which the recipient is supposedly required to click to "verify the suspicious charges on your account" or to receive the gift. Clicking on the link actually redirects to a website with a "verification" form asking for the recipient’s name, address, social security or ID number, and credit card details, for example.
Upon submission, all of this information will be passed on to the criminals. The website might also download malicious software onto the user's mobile, tracking everything that they do on that device afterward.
According to EarthWeb research, during one week alone in April this year, criminals sent 2,649,564,381 smishing messages. Why? Email spam filters keep getting better at recognizing potential phishing emails and marking them accordingly. More importantly, internet users are also getting more suspicious about clicking on any links included in such messages.
Mobile service providers, on the other hand, are still working on reliable text message filtering methods. Cybercriminals can be confident for now that their messages will be received. Text messages also have very high open and click-through rates (from 90% to 99%), and the vast majority are opened in the first 15 minutes. So, for a bulk attack, SMS is even more convenient than emails.
Especially since finding a list of phone numbers to which scammers can send fake messages isn't the slightest problem. Besides attacking a company's main database, criminals also regularly use:
- Phone number lists sold online (mainly on the Darknet).
- Lists made by third-party number aggregators.
- Contests, lotteries, and sweepstake entries.
- Social media and website crawlers.
Sometimes, criminals can even find legitimate phone numbers in paper bins outside an office, for example, if the company isn't careful enough about destroying its documentation.
What Kinds of Smishing Text Messages Might You Get?
Once the criminals have a list of phone numbers to attack, what do they do next? Craft a story through which they will try to trick the recipient into sharing sensitive data.
For example, the scammer could pose as a bank representative and alert the victim that someone tried to take a loan in their name. Clicking on a link would apparently confirm or deny the loan application, but first, the recipient needs to share their bank details to "verify" that they are the actual customer.
Another common story is that the victim has won a voucher or gift bag from a well-known brand (either from a sweepstake/lottery or simply as a "thank you for being a loyal customer"). Of course, they need to confirm their details first through a link included in the message.
Basically, if there's any situation that fraudsters can use for an attack, they will. Whether it's offering "free" help with filing tax reports or governmental benefits paperwork or even gathering money supposedly for charities during natural disasters.
What Is Vishing?
Another widespread method of stealing confidential information is vishing (or voice phishing). This is when a fraudster calls their target posing as a bank operative, governmental department worker, healthcare company representative, or tech support agent, depending on the story.
Whatever role they play, the goal is the same - convincing the victim to behave as the criminal wants. As we have already mentioned, that could be providing access to a bank account or downloading malware onto a computer.
Vishing is an especially insidious cybercrime because the callers will often use threatening language to convince people that they could get in serious trouble if they don't follow the instructions (even including legal action or arrest).
Scammers just as often call companies pretending to be new or existing clients who need help with restoring "their" accounts or signing up for the latest offer. Sometimes they might even call on multiple occasions, pretending to be a different customer each time, and creating customer accounts under fake names and IDs to obtain phones or other devices for free.
For companies, such calls are especially problematic, as agents might not realize they have already talked with the same caller before or that the credentials they provide are fake. Using voice biometrics to identify people by their voice and spot suspicious callers can therefore be tremendously helpful when it comes to fighting back against telco fraudsters. We'll explain exactly how in a moment.
Why Has Vishing Become So Widespread in the Last Few Years?
For smishing, just obtaining the phone numbers of potential victims is enough for the criminals to try and lure someone into a trap with a text message. What about the phone number from which the message is sent or the call is made, though?
With the technology they have now, criminals can unfortunately obtain as many numbers as they want. VoIP technology, for example, enables scammers to create multiple numbers with local prefixes (which people are far more likely to answer) or that look almost identical to those of actual companies or organizations.
Since those phone numbers are just as easy to discard as they are to create, tracking the fraudster behind such calls is an arduous task. Call-spoofing (using fake caller ID information to mask the true source of an incoming call) is also something that scammers regularly use to hide behind a seemingly legitimate Caller ID.
For example, criminals who want to steal a bank account or login details often use call spoofing to pretend they're calling from a local bank or well-known credit card company. After all, the victim is far more likely to answer a call if the ID says it's their bank or healthcare center than an "Unknown caller," right?
3 Examples of Typical Smishing and Vishing Attacks
Despite the fact that typical email phishing still accounts for the vast majority of all attacks, fraudulent calls and suspicious text messages are on the rise. And scammers are only becoming more and more ingenious, as the number of successful attacks shows. Now that we've got the theory out of the way, let's look at a few examples of voice and text message attacks from the last few years.
Covid Testing/Kits/Support Programs as Bait
"Never let a good crisis go to waste", as Winston Churchill supposedly once said. This motto can pretty much sum up cybercrime in a nutshell. Whether it's a natural disaster, a war breaking out, or a worldwide pandemic, you can be sure that fraudsters are going to use the situation to their own benefit.
In 2020, the Australian Cyber Security Centre had its hands full dealing with a wave of smishing text messages offering victims "guidelines" about when and where they could get tested for Covid-19. The messages, with "GOV" as the sender name, included a link to a website supposedly containing this information but instead downloaded malicious software onto the victim's device.
Meanwhile, in the US, nearly 60 million Americans lost money to text and phone scams in 2020, totaling about $30 billion overall. Fraudsters pretended to offer free Covid testing kits and to fill out documents for the stimulus package or unemployment benefits, or even posed as charities collecting funds to help those affected by the pandemic.
A Cyber Scammer Jailed for COVID-19 Fraud
One of the con-artists who wanted to make use of this incredible opportunity to get rich fast is 21-year-old Teige Gallagher, sentenced in May 2021 to four years and three months in prison. One of his charges was posing as an NHS employee, coercing people into signing up for a fake vaccination program, and then cleaning out the victims' bank accounts.
Gallagher even created web pages based on the GOV.UK website, on which he asked the victims for their full names, addresses, bank accounts, and credit card numbers. The website also claimed that personal data was needed to verify whether or not the victims were eligible to receive the vaccine.
Gallagher wasn't only posing as the NHS, though. At his home, police found several iPhones containing messages supposedly from various banks and Netflix. On one of the phones, police found more than 2,000 telephone numbers that were believed to be a list of victims who had been sent scam SMS messages.
After arresting Gallagher, Detective Chief Inspector Gary Robinson, head of the Dedicated Card and Payment Crime Unit (DCPCU), said:
"Gallagher wrongfully thought he could get away with impersonating organizations and sending out scam text messages, including ones related to the COVID-19 vaccine to commit fraud. The DCPCU will continue to crack down on those seeking to exploit this pandemic to defraud the public, through close collaboration with the CPS, mobile phone companies, and the banking industry."
How Fraudsters Used AI to Mimic a CEO's Voice
Now for a story that is really hard to believe: in March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss.
The caller posed as the chief executive of the firm's German parent company and urged the victim to send €220,000 ($243,000) to a "Hungarian supplier". This was so convincing (even having the same "slight German accent" as the victim's actual boss) that the CEO actually complied with the demands and transferred money to the "supplier's" account, which turned out to be the scammer's.
The fraudster attempted to make another call as the parent company's CEO, this time claiming that they had sent a reimbursement to the UK company and asking for a second transfer to be made. However, because no one knew anything about the reimbursement and the call came from an Austrian phone number, the victim became suspicious and reported the call.
What’s more, the police were unable to find any suspects and eventually closed the case.
Something similar happened in Hong Kong: a bank manager, believing he was speaking to a director of another company, authorized a transfer of $35m for "acquisition costs". Because the "CEO" claimed that he had hired a lawyer named Martin Zelner to coordinate the acquisition, and the person impersonating him had been in regular contact with the Hong Kong manager, the victim assumed the request was legitimate.
The Dubai Public Prosecution Office, which is investigating the case because it affected companies within that country as well, believes the scheme involved at least 17 people and the stolen money has been sent to accounts around the world.
Can Voice Biometrics Help Prevent Vishing Attacks?
Now, would it have been possible for the unfortunate UK CEO or the bank manager in Hong Kong to find out there was a fraudster on the line before making the money transfer? Just by listening to the voice on the line, that would be pretty unlikely, especially given that both fraudsters most likely used AI voice technology to mimic the voices of the respective directors.
What if both the UK company and the Hong Kong bank used voice biometrics to confirm the identity of the callers though? Then, most likely, the fraudsters would have been uncovered almost immediately, the moment they attempted to introduce themselves as someone else.
Modern voice biometrics verify a caller's identity based on a mathematical representation of the person's voice that is stored in a database. The voice sample (called a voiceprint) is a short recording of the user's voice, converted to a mathematical pattern and only readable by the biometrics platform.
By comparing each caller's voice to those in its database, the biometrics solution can automatically identify a suspicious caller simply by recognizing that their voice does not match the voiceprint of the person they are imitating.
What makes voice verification even harder for criminals to overcome is that even mimicking an accent or speaking a different language wouldn't be enough to fool the voice biometrics platform. That's because this verification method is based on hundreds of unique voice traits, and it will only confirm the caller's identity when their voice characteristics match the information stored in the database.
So while an AI-cloned voice might often be enough to trick someone into thinking they were talking with the person the caller claimed to be, it would be extremely hard for a fraudster to pass continuous voice biometric verification.
Voice biometric fraud detection solutions can also spot a caller who is pretending to be a new customer by simply comparing their voice to any of the recordings in the solution's database. If there's a match between the caller and an earlier recording belonging to a different customer account, the call will be marked as suspicious even if they use a different name, address, ID no., language, or accent.
In addition, because the voice check is performed in the background, it's unlikely that the fraudster will even realize that their cover has been blown. This gives agents time to notify management and the relevant authorities.
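To make the two checks described above concrete, here is an added example that is not part of the original post and not the code of any biometrics vendor. It stands in for the platform with a tiny model: each "voiceprint" is a constructed 4-dimensional vector (a real platform extracts hundreds of traits), similarity is plain cosine similarity, and the 0.85 threshold is an assumption. It shows the 1:1 check (does the caller match the identity they claim?), the 1:N screen (does a self-declared "new customer" match an existing account under another name?), and the continuous re-check of call segments that a cloned voice would have to survive.

```python
"""Toy 1:1 voice verification and 1:N fraudster screening.

Constructed example: the "voiceprints" below are hand-made vectors,
not output of any real biometrics platform. The threshold is an
assumed value chosen for the demo.
"""
import math

# Constructed enrollment database: account id -> stored voiceprint.
ENROLLED = {
    "ceo": [0.9, 0.1, 0.3, 0.2],
    "cust_a": [0.1, 0.8, 0.2, 0.5],
    "cust_b": [0.2, 0.3, 0.9, 0.1],
}

MATCH_THRESHOLD = 0.85  # assumed decision threshold for "same voice"


def cosine_similarity(a, b):
    """Score in [-1, 1]; 1.0 means the two prints point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def verify_claimed_identity(caller_print, claimed_id,
                            enrolled=ENROLLED, threshold=MATCH_THRESHOLD):
    """1:1 check: does the caller's voice match the voiceprint stored for
    the identity they claim? Returns (accepted, score)."""
    stored = enrolled.get(claimed_id)
    if stored is None:
        return False, 0.0  # unknown identity: nothing to compare against
    score = cosine_similarity(caller_print, stored)
    return score >= threshold, round(score, 3)


def screen_caller(caller_print, enrolled=ENROLLED, threshold=MATCH_THRESHOLD):
    """1:N screen: which enrolled accounts does this voice match?
    A caller introducing themselves as a new customer whose voice matches
    an existing account should be flagged for the fraud team, whatever
    name, address or ID number they give."""
    return sorted(
        acct for acct, stored in enrolled.items()
        if cosine_similarity(caller_print, stored) >= threshold
    )


def first_failing_segment(segments, claimed_id,
                          enrolled=ENROLLED, threshold=MATCH_THRESHOLD):
    """Continuous verification: re-check every segment of the call and
    return the index of the first one that no longer matches, or -1 if
    the whole call stayed consistent with the claimed identity."""
    for i, seg in enumerate(segments):
        accepted, _ = verify_claimed_identity(seg, claimed_id, enrolled, threshold)
        if not accepted:
            return i
    return -1


if __name__ == "__main__":
    genuine = [0.85, 0.15, 0.35, 0.15]   # constructed: close to the "ceo" print
    impostor = [0.1, 0.7, 0.3, 0.6]      # constructed: close to "cust_a" instead
    print(verify_claimed_identity(genuine, "ceo"))    # (True, 0.995)
    print(verify_claimed_identity(impostor, "ceo"))   # (False, 0.389)
    print(screen_caller(impostor))                    # ['cust_a']
    print(first_failing_segment([genuine, genuine, impostor], "ceo"))  # 2
```

The impostor fails the 1:1 check against the CEO's print, and the 1:N screen ties the same voice to the existing account `cust_a`, which is exactly the signal an agent cannot get from a name and ID alone. Because the check runs in the background on every segment, the caller gets no indication of which segment tripped the alert.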
Considering how much success criminals have with voice phishing and text message scams, we can only expect that they will keep using such methods even more often. So how can you avoid falling victim to those scams? For emails and SMS, the best way is simply not to click on any links in them before checking whether the message really came from your bank or phone provider.
For dealing with vishers, meanwhile, voice biometrics combined with fraud detection can come in handy. These platforms can instantly alert a fraud team in a call center when someone attempts to impersonate an existing client or create multiple fraudulent customer accounts. With voice biometric solutions in place, companies can avoid the fate of the UK-based CEO or the Hong Kong manager.