Tue, Aug 2, 2022

The Rise of Vishing and Smishing Attacks - The Monitor, Issue 21

Kroll has observed an increase in two social engineering tactics known as “vishing” and “smishing.” These tactics use phone calls, voice-altering software, text messages and other tools to try to defraud unsuspecting people of valuable personal information, such as passwords and bank account details, for financial gain. These attacks use techniques similar to phishing, the more common infection vector.

In Q1 2022, Kroll reported a 54% increase in phishing attacks, demonstrating the perennial value of social engineering as a technique for threat actors. As organizations and end users become more adept at identifying and filtering out suspicious emails, and with easier access to voice emulation APIs, threat actors are pivoting to text messages or voice calls as an easier way to contact a potential victim.

What is Vishing/Smishing?

Voice phishing, or vishing, is a tactic in which a threat actor uses phone calls, rather than the scam emails sent out in phishing campaigns, to trick victims into providing sensitive personal information by posing as their bank or another trusted organization. Smishing works the same way, except that the messages are sent as scam SMS texts or via messaging apps such as WeChat, WhatsApp, Facebook Messenger and many others. In both cases, threat actors look to build a rapport with their victim in order to encourage or coerce them into sharing sensitive details.

Threat actors may use legitimate services such as Voice over IP (VoIP) to conduct such schemes. VoIP makes it easy for actors to create throwaway numbers that are nearly impossible to trace. Some services also allow actors to create numbers local to the victim’s area, which makes the calls look more realistic. Actors may additionally use caller ID spoofing to display the number or identity of an individual or organization that the user already knows and trusts.

Recent Activity

Smishing attacks have been growing in recent years: 74% of companies reported them in 2021, up from the 61% that experienced them in 2020.

Initially, smishing attacks were seen impersonating banks and financial services, but more recently attackers have shifted to impersonating package delivery services. In every case, the attacker tries to convince the target that the message comes from a recognized business. Kroll has recently observed a trend in which smishing is used to impersonate CEOs at various organizations; once a victim is engaged, they are asked to send gift cards to the threat actor or to carry out fraudulent transactions.


Figure 1: Examples of Smishing

Vishing attacks have also been on the rise in recent years and increased again in 2022. They were seen in 69% of companies in 2021, up from the 54% experienced in 2020. Vishing commonly recurs in the form of job scams and tech support scams. The caller impersonates a well-known company, usually via a pre-recorded message. In calls that are not pre-recorded, the threat actor may appear helpful while repeating themselves and pushing for personal information such as an account number or credit card details. For example, a threat actor may claim there is a potentially fraudulent charge on a person’s bank account and then ask for passwords or account numbers. In 2022, vishing cases have become more frequent, accounting for more than one in four of all response-based threats.

Example Case Study - Smishing

Kroll was engaged for an incident in which an individual with supervisory duties was targeted via smishing. The threat actor posed as the CEO by sending messages that spoofed the CEO’s phone number to an employee of the organization. The messages instructed the employee to move the conversation away from text messages to an encrypted chat platform, such as WeChat or WhatsApp. Once the conversation had moved to the other application, the threat actor, still posing as the CEO, instructed the employee to make two large money transfers into an account controlled by the threat actor. Kroll examined the phone used by the victim of the smishing attack. During the examination, Kroll identified the applications used to communicate with the victim, which led to the identification of additional communication via email relating to the actual money transfers to the actor. As a result, Kroll was able to determine the initial point of communication between the actor and the victim and to establish a timeline of events for the victim organization. Kroll then provided the timeline to the client so they could explore avenues of fund retrieval.

Key Indicators

There are common patterns that threat actors follow during a vishing or smishing attempt. Our experts have compiled a few important indicators to look out for in order to avoid falling victim to one of these schemes:

  • Urgency
    Threat actors attempting to coerce a victim into sharing personal information use pressure tactics or create a sense of urgency. Whether citing time-sensitive details or the need to solve a pressing problem, the caller looks to confuse or overwhelm the victim into providing the desired information. Our experts have seen threat actors threaten financial penalties from the IRS, along with an arrest warrant, if supposed fees are not paid by a certain date.
  • Request for Personal Information
    More often than not, a legitimate request from a reputable organization will not ask for sensitive or personal information, particularly when the contact is unexpected or out of the blue. Although this can be difficult to ascertain, such a request tends to be a sign of vishing.
  • Access to Computers
    Be wary of a caller requesting remote access to your computer. This is not a typical request from a legitimate organization and can be indicative of a vishing attempt.
  • Claims About Their Organizations
    In these attempts, attackers claim to be from a reputable organization, such as a bank, store, phone company or delivery company, and say they are missing information such as a credit card number or account number from a bill or receipt.
  • Use of Voice Synthesizers
    Threat actors often use voice synthesizing applications to disguise their identity when contacting a victim. Be wary if the voice on the other end of a suspicious call sounds distorted, as it is likely a scammer.
Best Practices

Our resident expert, Josh Hickman, recommends that organizations provide training to their employees to educate them on how to spot and avoid a vishing or smishing attempt. These trainings should inform employees to:

  • Stay alert when receiving texts or phone calls from an unknown number.
  • Check phone numbers against the actual store, bank or delivery website. In addition, verify a suspicious caller by hanging up and calling a number taken from the website of the supposed organization.
  • Don’t click any links in texts you receive unexpectedly.
  • Take any questions or concerns about orders or deliveries you made to the phone number on the company website or in the confirmation email you received after placing your order.

Ensuring the safety of your sensitive, personal information is crucial, and knowing what information to share and who to share it with can prevent you from falling victim to a social engineering attack. Threat actors continue to evolve their tactics in order to trick unsuspecting victims, so it’s important to stay vigilant and safeguard your information. For further guidance, contact one of our Kroll experts at one of our 24x7 cyber incident response hotlines or connect with us through our Contact Us page.

The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.
