Over the last day or so, I have been reading and even doing a little bit of research on other ways Cyber attackers can get to you. Remember, it’s not all Phishing and Ransomware attacks. Even your own voice can be used against you as well.
This is not a new form of attack; in fact, it has been around since the 1970s. But the technology has evolved to the point where a hacker can place a call, take a recording of the victim’s voice, and synthesize it in such a way that it sounds very authentic and authoritative.
This is of course used as a scare tactic in various ways to get a victim to divulge their personal and confidential information, or it can also be used in a Social Engineering attack. The misconception is that it is a real person that is calling. While this could be true, more than likely, it is a recorded voice that is reaching out to you.
In fact, this kind of Cyber-attack is officially known as “Voice Phishing”, or “Vishing” for short (the attacker is also known as the “Visher”). Loosely, it is called “Voice Fraud”. There are many ways in which a Vishing Attack can be launched, and the technology behind it is becoming much more sophisticated. It will take more than just one blog to describe it all! Here is how one form of a Vishing Attack could occur:
*The Cyber attacker accesses and configures a “War Dialer” in order to call a large volume of numbers in a short period of time over a large geographic area;
*When the victim answers the call, specialized software known as a “Speech to Text Synthesizer” is used to tell the victim that there is fraudulent activity in their banking or credit card account, and the victim is thus prompted to call a phony number;
*After the victim has called this specific number, they are then asked to enter their credit card number;
*Once it has been entered, the “Visher” now has all the information they need in order to make fraudulent purchases.
But as I said, the above scenario is just one form of a Vishing Attack. No matter how it transpires, the damage that it can cause to individuals is real. Just take a look at the infographic below:
Here is a summary of it:
*Voice Fraud (or Vishing) has increased by 350% just from 2013 to 2017;
*Between 2016 and 2017, Voice Fraud increased by almost 50% (this means that for every 638 calls placed by a Visher (or the Cyber attacker in this case), there was at least 1 victim that gave out their credit card number);
*Insurance companies have seen a 248% increase in Voice Fraud since 2015. This is actually a favored industry for the Visher, because once the victim is lured in, the payouts can be much greater. They typically target Personal Pension Plans, 401k and Life Insurance policies.
*From 2014 to 2017, the banking industry has seen an increase of at least 269%, and the favored targets here are credit unions. In fact, 50% of the fraudulent calls were placed domestically in the United States.
*Quite surprisingly, the credit card industry has only witnessed a small increase in Voice Fraud – only a 14% increase. The Visher often uses either the traditional landline phone or a VoIP based system in order to launch their attacks.
*Even more interesting, the brokerage industry saw the smallest increase of all of the industries that were polled – only a 4.5% overall increase.
My thoughts on this?
When I did some research into this, I was actually quite astounded. Probably the primary reason for this is that we really don’t hear too much about this kind of Cyber attack in the news – all we hear about is how many accounts were hacked into, and how many credit card numbers were stolen.
But just like a Ransomware attack, the Visher has an entire host of technologies that are available now to them at a low cost – included in this mix is even the use of Machine Learning, Artificial Intelligence, Voice Modification and Voice Synthesis software packages, etc.
But the main catalyst that is fueling the growth of Vishing is the advent of the Internet of Things (IoT). Here, the end user’s voice is the prime mechanism that is used to interlink devices together, coupled with the use of a Virtual Personal Assistant, such as Siri or Cortana.
But, to give you a heads-up, the latest Vishing Attack seems to be when the victim gets a phone call, and the caller simply does not respond, or if they do, they sound quite innocent and say: “Whoops, sorry, I think I have the wrong number”. In either case, you either keep repeating “Hello, Hello”, or say “OK”, respectively.
Although this kind of conversation lasts only for a few seconds, there is enough there to capture a sample of your voice, manipulate it enough, and use that to launch a potential Vishing Attack. In fact, I keep getting these kinds of calls myself as well. So, what can one do to avoid becoming a victim of a Vishing Attack? The FCC has the following recommendations:
*Do not answer calls from unfamiliar numbers. Just let it go to voice mail. However, this is easier said than done, especially for a job seeker, like me, where I get calls all the time from numbers I am not familiar with, but these are legitimate calls from recruiters.
*If you answer a call, and it prompts you to hit a button, hang up immediately.
*If you think you have received a scam call, contact local authorities and also the FCC.
*Try to get a Robocall blocking device from your wireless carrier, or even easier, simply register your telephone number on the “Do Not Call List”.
*Never answer a phone call when the caller is identified as “Unknown” or “No Caller ID” on your Smartphone – just let it go to your voice mail. In fact, even I get this kind of call every day from the same person. What do I do? Just let it go to voice mail, and then later delete it. I figure they will get tired of calling my number eventually.
Finally, as mentioned, I will keep writing more about Vishing as I read about it. But keep in mind one important point as well – Voice Fraud is not to be confused with Voice Recognition. The latter is a Biometric Technology which is used as a means to confirm your identity. More about this in a later blog.