January 21, 2026
Anatomy of a Vishing Attack: Technical Indicators IT Managers Need to Track


If your organization hasn’t encountered a vishing attack yet, it’s probably only a matter of time. Vishing, or voice phishing, is a sophisticated type of social engineering that adds a whole new dimension to common scams. Rather than emails or text messages, threat actors employ phone calls or online voice calls to carry out vishing schemes. Particularly savvy attackers can even copy a real person’s voice to deceive, coerce, or manipulate potential victims.
The rise of generative AI (genAI) through large language models (LLMs) has made voice cloning scams more accessible than ever. Instead of poring over audio engineering software, threat actors can now create realistic voice clips from a single recorded sentence or a few isolated words.
Countermeasures for vishing and phishing both rely on employee training, but to counter vishing you’ll also need to analyze incoming calls, screen out potential threats, and limit how much information a worker’s voice can unlock.
What is a vishing attack?
What is vishing? Broadly speaking, vishing is simply a phishing attempt that uses a person’s voice rather than text. To clarify a few similar terms:
- Phishing is when a threat actor sends fraudulent messages while pretending to be a reputable entity, such as a friend, coworker, bank, web host, or government agency. These messages attempt to extract sensitive data, including usernames, passwords, and financial information from the victim.
- Vishing is a form of phishing that uses phone calls or online voice calls rather than written messages. (“Vishing” is short for “voice phishing.”) Threat actors can also use voice cloning technology to sound just like someone the victim knows.
- Smishing, or SMS phishing, is social engineering that takes place via text messages rather than emails. While smishing and vishing both target smartphones, the former is text-based while the latter is voice-based.
A typical vishing attack mirrors the stages in the modern kill chain:
- Reconnaissance: A threat actor researches the potential victim, gathering data from websites, social media, and past data breaches.
- Weaponization: Using genAI and available voice clips, the attacker creates a voice clone of someone the victim trusts. A copied voice isn’t strictly necessary for vishing, but it helps overcome doubt much faster than the threat actor’s own voice.
- Delivery: Using prerecorded clips, an AI voice clone, and/or a spoofed phone number, the threat actor contacts the victim and runs the scam. They will usually ask for compromising login or financial details.
- Exploitation: With the stolen information, the attacker can gain access to sensitive data on a private network, the victim’s bank account, an avenue to spread malware, or whatever else they might be after.
How to defend against vishing attacks
Now that you have a working vishing definition, you can take proactive measures to safeguard your data:
1. Analyze VoIP logs
If your business uses Voice over Internet Protocol (VoIP) phones instead of landlines, you should have access to a wealth of VoIP logs, which can tell you who called your organization, who picked up the phone, how long they spoke for, and the exact date and time of each interaction.
To help spot potential vishing attempts, keep an eye out for:
- Unknown callers
- Calls from area codes where you don’t usually do business
- The same numbers calling multiple employees
- Especially short conversations, which may just be checking to see if there’s a live person on your end
- Especially long conversations, which may indicate an employee has fallen for a vishing scheme
- Frequent calls outside of normal business hours
If you see unusual patterns, ask the workers who took the calls whether anything about them seemed suspicious. You can also block numbers if you’re sure that there’s a threat actor at the other end.
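The indicators listed above can be checked automatically against a call detail record (CDR) export. The following is an added example, not part of the original article or any vendor tooling; the CSV column names, phone numbers, allowlist, and thresholds are all constructed assumptions to adapt to your own VoIP platform.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export; the column names are assumptions, not a vendor format.
SAMPLE_CDR = """start,caller,callee_ext,duration_s
2026-01-12T10:02:00,+12125550101,1001,240
2026-01-12T10:05:00,+18765550123,1002,6
2026-01-12T10:07:00,+18765550123,1003,5
2026-01-12T10:09:00,+18765550123,1004,2100
2026-01-12T22:40:00,+13055550177,1002,95
2026-01-12T23:10:00,+13055550177,1002,80
"""

KNOWN_CALLERS = {"+12125550101"}      # assumed allowlist, e.g. from a CRM export
USUAL_PREFIXES = ("+1212", "+1305")   # area codes where you normally do business
SHORT_S, LONG_S = 10, 1800            # probe-call and long-call thresholds (seconds)
BUSINESS_HOURS = range(8, 18)         # 08:00 to 17:59 local time
FANOUT, AFTER_HOURS_MIN = 3, 2        # distinct employees / off-hours calls to flag

def analyze(cdr_text):
    """Return {caller: sorted indicator names} for every caller with a hit."""
    flags, callees = defaultdict(set), defaultdict(set)
    after_hours = defaultdict(int)
    for r in csv.DictReader(io.StringIO(cdr_text)):
        caller, dur = r["caller"], int(r["duration_s"])
        hour = datetime.fromisoformat(r["start"]).hour
        callees[caller].add(r["callee_ext"])
        if caller not in KNOWN_CALLERS:
            flags[caller].add("unknown_caller")
        if not caller.startswith(USUAL_PREFIXES):
            flags[caller].add("unusual_area_code")
        if dur <= SHORT_S:
            flags[caller].add("short_call")
        if dur >= LONG_S:
            flags[caller].add("long_call")
        if hour not in BUSINESS_HOURS:
            after_hours[caller] += 1
    # Per-caller aggregates: fan-out across employees and repeated off-hours calls.
    for caller, exts in callees.items():
        if len(exts) >= FANOUT:
            flags[caller].add("multiple_employees")
        if after_hours[caller] >= AFTER_HOURS_MIN:
            flags[caller].add("frequent_after_hours")
    return {c: sorted(f) for c, f in flags.items()}

if __name__ == "__main__":
    for caller, found in analyze(SAMPLE_CDR).items():
        print(caller, ", ".join(found))
```

A caller that trips several indicators at once, such as short probe calls to multiple extensions followed by one long call, is a stronger lead for follow-up than any single flag.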
2. Implement call screening
When you receive a phone call, you’ll usually see the number of the person calling. Most mobile devices and VoIP phones can also cross-reference this number with a central database to determine the caller’s name or the name of their business. Over the past few years, mobile providers have developed sophisticated tools for screening out potential spam and scam calls.
Call screening comes in a variety of different forms, depending on which software you use. Some tools warn users about suspected spam calls, while others block suspicious numbers outright. Some apps even use AI assistants to screen any call that doesn’t come from a trusted contact. Unless the caller states their name and purpose, the AI assistant may just hang up on them. Vishing attempts become less likely when a potential victim knows not to pick up the phone.
Your call screening options will vary depending on which mobile devices your employees use and whether you want to invest in third-party apps. Both Android and iOS have built-in spam and scam call protection.
3. Invest in EDR for mobile devices
Smartphones are prime vectors for vishing attacks. Unlike office computers, mobile devices:
- Are almost always within easy reach
- Encourage instantaneous communication
- May not have fully updated software or firmware
- Could be BYOD hardware that organizations don’t directly control
One way to mitigate vishing attacks on mobile devices is to invest in a mobile endpoint detection and response (EDR) solution. EDR tools constantly monitor mobile devices for suspicious behavior and common threats, including misleading links and malware. While an EDR can’t stop an employee from giving away sensitive information in a voice call, it can stop them from falling for a shady follow-up email or text.
4. Use alphanumeric MFA
Multi-factor authentication (MFA) is a simple and powerful cybersecurity tool that your organization has probably implemented already. However, some types of MFA are more resistant to a vishing scam than others. Some financial institutions, mobile service providers, and software companies now use voice authentication as a way to prove your identity. With the proliferation of voice cloning LLMs, this method is less secure than it used to be.
When setting up login systems, give preference to alphanumeric usernames, passwords, and MFA codes. If your employees receive their MFA codes via app rather than SMS, that’s yet another layer of security between them and a potential cyber attack.
5. Train employees to spot vishing attempts
Vishing can be difficult to detect, especially if a threat actor has created a convincing voice clone. Still, vishing is a form of phishing, and phishing schemes tend to fall back on a few predictable tactics:
- The threat actor needs information ASAP
- Something bad will happen if the victim doesn’t provide the information
- Details about who needs the information and why are a bit hazy
A vishing attack, especially with a voice clone, has a few other hallmarks to listen for:
- Unnatural pauses before replies as the threat actor converts text to speech
- Stilted delivery, mispronounced words, or lack of verbal punctuation
Hold workshops for your employees where you go over this information. You can also test them to see whether they can recognize voice clones or simulated vishing messages. Make sure your staff also has a simple method for reporting real vishing attempts to the IT or security team.
Protect your mobile devices from vishing
Mobile devices are indispensable tools at work, but they’re especially prone to vishing attack tactics, and your IT team won’t always be within earshot of a potentially dangerous conversation. That’s where The Mobile EDR Playbook: Key Questions for Protecting Your Data can be a valuable tool. This Lookout resource poses four questions to help you gauge the state of your organization's mobile cybersecurity. The playbook also explains how an EDR solution

