Identity theft is an attack on data protection, in which the victim reveals their personal data after biting the bait. Not very different from ‘fishing’! Identity theft via VoIP is becoming so common that it has been assigned a special term: vishing.
How does identity theft work?
Identity theft is a type of attack that is becoming popular because it is an easier way for data thieves to get what they want. It works like this: a data thief sends you an email or voicemail that looks like an official message from a company you have financial or other interests with, such as your bank, PayPal, eBay, and so on. The attacker informs you of a problem that alarms you and requires you to go to a website or call a phone number where you must provide personal information such as your credit card number, passwords, etc. Some users are so easily taken in that attackers trick them into giving their credit card number, expiration date and security code, and the attacker then uses them for transactions with the credit card or a cloned credit card. It can be devastating.
Examples of attacks
Here are examples of ways you can be attacked if you are a target for identity theft:
- You receive an email from PayPal, eBay, or their companies, notifying you of any irregularities on your part and stating that your account has been frozen. You are told that the only way to release the account is to go to a specific link and provide your password and other personal information.
- You receive a voicemail from your internet banking department, saying that someone tried to access your password without authorization and that something needs to be done quickly to save your account. You are required to call a specific number and provide your credentials so that you can change your existing account credentials.
- You receive a phone call from your bank stating that they have noticed some suspicious or fraudulent activity in your bank account and are asking you to call back and/or give your bank account number, credit card number, etc.
VoIP and identity theft
Vishing is one of the methods of social engineering based on the misuse of VoIP technology. VoIP allows the transmission of voice messages over the Internet. Companies that provide VoIP services are commonly referred to as providers, and the protocols used to transmit audio over an IP network are called VoIP (Voice over IP) protocols. The same computer network carries both sound (voice) and data. The cost of providing telephone services is significantly reduced compared to the landline, and telephone calls from one VoIP phone to another are sometimes free. VoIP protocols transmit a telephone signal as a compressed digital audio recording encapsulated in a data stream transmitted over an IP protocol. The term vishing is a combination of the terms voice and phishing.
Before VoIP became popular, phishing attacks were made through spam emails and PSTN landlines. Since the advent of VoIP in many homes and businesses, phishers have turned to phone calls, which make people easier to reach because not everyone uses email as often as the phone. The question arises as to why phishers did not use the phone over PSTN before VoIP. PSTN is perhaps the most secure modern mode of telecommunications and the most secure network and infrastructure. VoIP is more vulnerable than PSTN.
How VoIP makes identity theft easier
VoIP makes identity theft easier for attackers for the following reasons:
- VoIP is cheaper than PSTN and is now very widely available.
- With VoIP, attackers can reset the caller ID that appears to users and display it as if they had been contacted by their bank or any other trusted organization.
- VoIP software for PBXs, like the very popular open-source Asterisk, gives the developer so much power that people with minimal skills can now achieve what only programmers could before. Any developer with a basic knowledge of VoIP can manipulate its implementation and create a bank of fake numbers that they can use to contact their victims without compromising their own identity.
- VoIP hardware, such as IP phones, ATAs, routers and IP-PBXs, has become affordable, and the software that accompanies it is more user-friendly, making the task easier for manipulators. These devices are also very portable and can be taken anywhere.
- VoIP hardware and its easy connection to computers and other computer systems (such as voicemail) make it easy to record phone calls from a number of victims who are hooked.
- Unlike PSTN, VoIP numbers can be set up and destroyed within minutes, making it almost impossible for authorities to track attackers.
- With VoIP, vishers can send one message to thousands of recipients in one go, instead of having to dial one number for each vishing call.
- Using VoIP attackers can create a virtual number for each country. They can then use the local number and forward calls abroad, emulating popular financial institutions in Europe or the US.
Examples of attacks
An attacker can use various means to launch a vishing attack, each of which is specific to a particular object of attack. The primary methods of delivering and leading users to open specially designed messages are:
- Sending e-mails,
- Sending SMS messages,
- Use of voicemail and
- Making phone calls
It should be noted that fax services are not yet available in the VoIP environment. However, their integration is expected soon, which will lead to integration into attack methods. Then the attackers will surely devise methods of performing phishing attacks using fax machines.
How to protect yourself from vishing?
The best way to protect yourself from a vishing attack is to know what to look for in a call. The warning signs are always there; you just need to know them and you will be safe. Regardless of the method used, the goals are similar and the perpetrators will always strive to achieve them. Here are some guidelines to look for when identifying vishing fraud:
- The caller on the other end claims to be a representative of the IRS, Medicare, or a law enforcement agent. Federal agencies never call people unless asked to. Also, they will never use social media channels, emails or text messages to start a contact. So, if someone calls you and claims to be a representative of such an agency, be sceptical and hang up. Use the publicly listed number to confirm the call.
- There is always a sense of urgency. One of the biggest indications of vishing is that the callers try to scare or threaten you so that you act unreasonably. When you receive such calls, stay calm and composed, and do not feel pressured or threatened into acting immediately and giving in to their demands. Tell them you will go to their offices to solve the problem. Do not give any information, end the call and investigate further. If possible, report it to the company's fraud department.
- Fraudsters are always looking for your personal information. The caller requests personal information as a verification process. Data collected include SSN, date of birth, physical address, full name, bank details, etc. This information can then be used to commit fraud or steal your money.
How to defend yourself from Vishing?
In addition to gaining knowledge about how vishing works, you can apply the following tips to protect yourself from such attacks:
- Add your phone number to the National registry. This will alert telemarketers not to call you for promotional reasons. Even if some companies keep calling, it will reduce promotional calls, so you will also be less exposed to attackers.
- Do not answer unknown calls. Let the call go to voicemail, then listen to it and decide whether to call the person back after researching thoroughly.
- If something does not feel right, end the call. Rather than continuing a polite conversation, hang up and block the number.
- Ignore the instructions and avoid pressing any buttons. Do not follow automated messages that give instructions for pressing numbers in response to questions asked.
- Request caller ID and confirm. If you have a callback number, check it with publicly listed business numbers. Then call the company in question and ask for the representative who called you.
It is necessary to learn how to protect yourself from vishing. The attackers are skilled and will do anything to deceive you into thinking they are legitimate. However, keep the above tips in mind and never give out your information over the phone. Since vishing is only part of a wide range of identity theft, it is important to protect your system from network attacks using reliable security software to protect against malware.