Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.
The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.
So, what is vishing?
And how does it differ from phishing, something that most of us see far to much of?
The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.
Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.
So the boundary between voice calls and electronic messages is rather blurred these days.
Nevertheless, many of still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.
We know several people who keep a landline especially as a contact point for family and friends.
They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.
As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.
Semi-targeted phone attacks
The crooks don’t even need to know any details behind your number to abuse it, in the same way that they don’t need to know your full name, where you live or what you do for a living in order to spam and scam you by email.
Obviously, the more an attacker knows about you, the more they can tailor their scams – or target them, in the military jargon that’s become trendy in the cybersecurity field.
Even being able to say “Hello Your Real Name” instead of “Dear Customer” makes a message more believable, and including personal information can make a spam or scam more convincing still.
That’s why porn scammers, also known as sextortionists, who email to demand money for “suppressing” a prurient video of you (one that they don’t have because it doesn’t exist), include personal data in the message, such as your phone number or an old password.
They do this as a way of “proving” that they really did hack your computer, even though they almost certainly acquired the data from an ancient data breach.
Vishing scams, however, just like smishing scams (phishing via SMS), can sound realistic even if the crooks can do no better than guess at your online life.
Unlike emails, SMSes and voice messages – especially automated ones that use a synthetic voice and don’t need to be interactive – can get away with being stripped to the basics.
SMSes are limited to 160 characters, while voice messages are limited by the fact that about 30 seconds is the longest that people are likely to listen with any sort of attention to a recorded warning – and that is enough time for just 60 words dictated with any clarity.
And by picking a popular and widely-used service as the theme of the scam – such as a well-known global home delivery brand, or email provider, or payment processor, the crooks have a good chance of guessing correctly for a significant minoirity, perhaps even an absolute majority, of recipients.
Vishing at home
60 words or so turns out to be more than enough to create a believable bait, especially when it’s a voice message that lacks the permanence of an email or an SMS.
And, in the UK at least, there seems to have been a recent surge in home delivery vishing campaigns.
We can’t tell whether this is just one group of crooks who are focusing on both vishing and the UK at the moment, or if it’s a broader global trend, but we (and people we know in the UK) are experiencing unwanted vishing calls at a much greater rate than any time in the past few years.
We’re not talking about interactive scams here, like those fake technical support calls where a crook with the gift of the gab call up out of the blue to pester, lie, cheats and frighten you about made-up malware on your computer in order to talk you into buying a fraudulent “cleanup service” that you didn’t need in the first place.
This new wave of calls are automated, using voice synthesis to “speak” with diction and an accent that is nearly, but not quite, as good as Siri, and they seem to follow a shorter and much crisper script than similar scams we’re aware of from he past couple of years.
Most older recordings we’ve heard have English text with poor wording and grammar that was either synthetically generated by poor-quality voice software or dictated by someone reading inexpertly from a printed script.
But this latest batch sounds much more believable, following scripts roughly along these lines (we don’t have recordings, so these are paraphrased from various Naked Security readers’ memory):
Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.
Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.
One of our readers pressed 1 to see what would happen (we don’t recommend doing this, simply because the only thing you can be certain of is that you will be talking to an out-and-out criminal who knows your phone number and perhaps even where you live).
As you can probably imagine, the reader ended up talking to a real human in what sounded like a boiler-room call centre, just as you would if you were called directly by one of those technical support scammers claiming to be from Microsoft or your internet provider.
Why it works
The sad things about this sort of scam are:
- The crooks use internet telephony (VoiP), so they pay close to zero for the calls.
- The calls emerge into the landline or mobile network inside your country, so they often show up with a believable local number.
- Synthetic voice calls are widely used by legitimate businesses these days, so they are no longer a telltale sign that the call is suspicious.
- The call centre crooks only ever deal with “already active” callers who have pressed
1, making their scamming process more efficient. - The calls are hard to avoid, especially if they arrive on a line that you keep primarily for family emergencies.
- The incoming call numbers change all the time, so that adding them to your phone’s blocklist, if it has one, doesn’t help much.
- Reporting them feels like a waste of time, because the callers are almost certainly outside the jurisdiction of your own telecommunications regulator.
What to do?
Unfortunately, this is one of those cybercrimes for which we don’t have a good set of “this will fix the problem” answers.
Some people find that running all their calls through voicemail acts as a filter and stops the calls being intrusive, but if it’s a landline you rely on for the timely report of family emergencies then you still need to let the phone ring aloud to alert you to the call, and you may not know what incoming numbers to expect anyway.
(If your emergencies include possible calls from healthcare workers or hospitals, you will often find that those people and organisations withold their numbers to cut down on nuisance replies or to protect the privacy of the workers involved.)
Reporting unwanted phone calls can be somewhere between impossible, if the number is witheld and very hard, depending on your country.
For example, in the UK there is – rather annoyingly – a different procedure for reporting scam calls, which is where someone calls you up and talks a load of lies or unwanted junk into your ear, and abandoned or silent calls (“hangups”), which is where the caller cuts the connection before a human comes on the line at their end.
Calls where the other end doesn’t say a word, either through an unnerving silence or by using an automated voice only, are understandably considered creepier and therefore criminally more serious than viva voce, in-your-ear dishonesty, and are therefore regulated differently.
In the former case, in our experience trying to report rogue callers in the UK in the past, you can make your report anonymously; in the latter, the process is more complicated and you have to say who you are, presumably because scam calls are a regulatory issue but abandoned and silent calls may be a criminal offence.
So, if you can recover the caller’s number and are willing to report it, we encourage you do to so.
But we accept that this may be too much effort, or require too much personal involvement, for some people in some countries, so we’re not going any further than encouragement here.
All we can advise as a matter of routine is the rythmic and easily-rememered ditty that the Australian cybersecurity industry came up with many years ago as a way of thinking about how you deal with spammers and online charlatans: Don’t try. Don’t buy. Don’t reply.
Don’t let yourself get sucked, surprised or seduced into taking any direct action – not even if you think it might be amusing to see who’s at the other end – after all, you’re talking to a crook, so the best thing that can happen to you is nothing.
If you are worried about a fraudulent transaction, whether it’s via Amazon or any other coronavirus-friendly online merchant, login to your account yourself, or call the company’s helpine yourself, using contact information you already have.
Never rely on information provided inside an email, or read out to you in a call, as a way of deciding whether to believe the email or the call.
After all, if the call or email is true, the reply you will receive will be truthful and will say, “It’s true.”
But if the call or email is false, the reply you will receive will be a lie, and will also say, “It’s true”!
Phil Ruffin
I have a Google Pixel, and use the Google voice screening service on most numbers I don’t recognize.
That means the caller (or the machine) hears a “voice” answering the call.
Does that make it more or less likely that the caller will continue to bug me?
Paul Ducklin
I think the answer is, “It depends.” It’s hard to research how each group of crooks behave given that all you can do is collect behavioural reports and then infer how they program their callerbots.
For example, it’s pretty easy to do some, any or all of these:
* Answer, no noise detected, assume no one there, drop call.
* Answer, speaking detected, short burst, assume “Hello”, play live listener version. (E.g. Press 1 only, don’t leave a number for callback.)
* Answer, longer speaking detect, assume voicemail/answering machine, play voicemail version. (E.g. only leave a number for callback.)
* Answer, no noise detected, play it both ways and use a message with Press 1 and a callback number.
Or:
* Don’t care, just wait N seconds and say the message.
AFAIK, call screening doesn’t stop you receiving the call – and you can argue that for a 30-second Amazon scam, it’s just as easy to answer yourself directly and hang up. (Of course, call screening will probably discard some of these fake calls because they won’t respond to the call screening service in a way that triggers the call to be passed on… so it’s certainly worth a try if you don’t find it too intrusive for real calls.)
The problem here isn’t so much for mobile calls where your mobile provider probably has all sort of screening systems, but where you have a number that you treat as important when it rings, so you want to answer in person if you can, and where even if you have CLI display (Caller ID in North America, although calling line identification is a better name IMO) you can’t rely on seeing a number you know.
(Anyone with family members living remotely and in poor health will know the feeling. It might be the hospital, or a paramedic, or a social worker, or a concerned neighbour who just got a new phone. Sometimes you feel you need to answer directly in person if you can, just in case it’s a vital call and something goes wrong if you don’t simply pick up and say a clear and simple “Hello”. I don’t have an answer to that conundrum.)
Andi Bradley
Thankfully, my landline now gives me the caller’s number, so if I recognise it I answer the phone. About the only people who regularly ring my landline are my Brother and Mother. Any other unrecognised numbers calling on the landline the answer phone picks them up. Surprisingly the Amazon type calls have stopped.
My take on this is, if it’s important, they’ll leave a message.
I don’t answer unknown numbers on my mobile.
Outside The Marginals
How far are we from being able to set up “call channels”, so if, say, a relative goes into hospital, we could easily (at the nursing station) set up a verifiable “channel” between the hospital’s outgoing number and our number, so that when a verified call from the hospital’s number to our number comes through, (1) it passes filters, and (2) it rings with a different ring tone?
Some may say CLI already does this for you, but given how it can be spoofed, I am thinking something more robust, possibly based on key exchange in the way that encrypted mail is both secure and verifiable.
Robbie Roth
I answered a call and pressed 1. Last year, I played along till he thought I was on my laptop. About to key on some. personal information, I then said are you in India as he was indian, he wouldn’t say, I then said I knew he was a scammer and what he was trying to do, but I also knew how hard it can be to make a living etc in India, he said he wasn’t a f ing fraud and to ld me I was a “mother f ing whore…….. I was shocked as I’d never heard any Indian person swear… He got very angry called it me again and hung up
Keith Roberts
I’ve noticed my landline has rung a few time and when I picked up the phone there was no one at the other end. I’m wondering if this is an automated call generated by some sort of software to ‘ping’ random phone numbers to see if there is anyone at the other end. Having picked up the phone it then makes a note that my number is a valid target for the scammers to call again manually later on.
Fast forward to Wed 20 Jan 2021.
I get a call supposedly from Amazon telling me I have been charged £79.99 for a years renewal of Amazon Prime. This got my heart racing and sounded quite genuine, as I have used the Prime free trials before and then cancelled them before the subscription billing period started.
So they asked me if I wanted to cancel the subscription and I told them ‘yes’ and the lady said she would put me through to the right department to help me cancel it.
Next thing I know I talking to a guy called David with an Indian accent in what sounds like a very echoey and busy call centre. So I thought I’d play along and see where this was leading to.
‘David’ asked me to type www.anydesk.com into my browser address bar.
So I typed it into a text file for later reference.
Then I ‘accidently’ cut off the phone line.
About 5 minutes later he called back again and I told him, “Thanks very much for your help, but I have decided not to cancel my Amazon Prime subscription now.”
He sounded soooo disappointed and put the phone down – hahaha.
I forgot to tell him I’m a Linux System Admin with a keen interest in cyber security!
I wish I had recorded it now and I could have put it here on the NS blog!
Keith Roberts
BTW: the phone numbers I got when doing 1471 were:
+1 408 [REDACTED SAN JOSE AREA]
+1 408 [REDACTED SAN JOSE AREA]
https://www.actionfraud.police.uk/alert/scammers-target-people-with-amazon-prime-scam
Keith Roberts
Got something else similar today. One of these automated calls supposedly from my ISP telling me my internet service is going to be disconnected in the next 24-48 hours due to illegal activity:
[LINK REDACTED]
I just put the phone down again.
Doing 1471 for each call I got the following numbers:
[CORNWALL, UK LANDLINE NUMBER REDACTED]
[SHIFFIELD, UK LANDLINE NUMBER REDACTED]
So I think I’ll leave the answer machine on to hear who calls me before picking up the phone. Any genuine caller would leave a message if it’s important enough.
I phoned my ISP’s number and warned them about this scam.