Vishing – a persistent type of Voice Phishing

December 8, 2016

Vishing, a term derived from “voice phishing”, is a type of social engineering attack that has a high degree of variety. Vishing takes the form of a criminal using a telephone to make a social engineering attempt against the victim in order to conduct fraud.

Vishing may be as simple as criminal A speaking to victim B and asking for personal information.

Vishing is problematic to detect proactively because the call originates from party A, and there is often no distinguishing factor that identifies the rogue call source until party B, the victim, has reported the vishing attempt.

Vishing can have a very targeted nature, similar to spear phishing attacks. Vishing that targets specific individuals within an organization may attempt to glean sensitive information that can be used in future attacks. For example, the criminals may pose as an internal IT helpdesk person to foster trust and glean access credentials for the corporate network systems.

A vishing response can consist of identifying the source number or host and shutting it down, blocking the numbers at the ISP/telco level, or shutting down the compromised VOIP server.

Another form of vishing that is becoming more common is where the fraudulent telephone call originates from pay-as-you-go mobile phone numbers, which are purchased with fake details (or, in some countries, with no personal details at all), or from compromised Skype / WhatsApp accounts.

As you can see, voice phishing is a very problematic issue and comes in a high degree of variety.

A more sophisticated form of vishing may take the form of an auto dialer that automatically calls victims and plays an automated message asking the victim to enter account numbers, PINs or credit card details.

It is commonplace for the criminal to mask their source number. The criminal may leverage a compromised VOIP server to host the automated dialing and messaging software. Often criminals will use a compromised US-based VOIP server to host the auto dialer and automated messaging software, or at least to route their calls through it to hide their identity.
