Vishing, the electronic fraud that uses AI to imitate voices
Many training and awareness programmes are still reactive, only being implemented after an incident has occurred. The ideal approach is to adopt a proactive strategy.
The constant evolution of cyber threats has produced more sophisticated attacks that modernise traditional methods and adapt them to the tools of the digital age. Vishing, or voice phishing, is a clear example of this modernisation: it uses phone calls, increasingly with synthetic voices, to impersonate people the victim knows and deceive them.
This type of attack poses a critical challenge in today's cybersecurity landscape, especially in sectors that deal with sensitive data, such as finance. Despite technological advances in system protection, the human factor remains the weakest link in security, due to a lack of knowledge or negligence in good cybersecurity practices, and the growing sophistication of social engineering attacks. Vishing exploits this vulnerability through psychological manipulation, tricking victims into sharing confidential information.
Relevant cases and the evolution of vishing tactics
In 2023, the cybercriminal group Scattered Spider carried out one of the largest social engineering campaigns seen in the US and the UK, targeting employees of organisations across multiple sectors. The campaign used text messages purporting to come from the organisations' IT departments, threatening to deactivate accounts unless specific instructions were followed, such as clicking on malicious links, thereby exploiting both technical and human weaknesses.
With technological advances, attackers now have access to new tools such as artificial intelligence, which makes it easy to generate extremely realistic voices. This technology makes the fraud more credible and more dangerous, allowing attackers to stage dramatic scenarios that demand immediate action, such as sharing a password or other sensitive data, before the victim has time to verify the caller.
The most common targets are older people, who may be less familiar with digital technologies; new employees, who are still learning the organisation's procedures; technical support staff, who are often responsible for critical systems and for resetting credentials; and senior managers, who handle confidential information.
The human factor as a vulnerability
Despite technological advances in system protection, the human factor remains the weakest link in cybersecurity. A lack of cybersecurity knowledge and neglect of best practices, such as the use of strong and complex credentials, can compromise the integrity of systems and confidential data.
The growing sophistication of social engineering attacks makes them even harder to identify. The human factor is therefore the vulnerability most often exploited in vishing: the attacker psychologically manipulates the victim into revealing sensitive information, bypassing technical controls not by breaking them but by persuading an authorised person to hand the information over.
Impacts of Vishing on organisations
The consequences of vishing go beyond the immediate financial loss: an incident can damage an organisation's reputation and carry legal and regulatory implications. Failure to comply with data protection laws such as the GDPR can result in heavy fines and loss of credibility. In an increasingly digital-dependent world, organisations are becoming more exposed to this type of attack, which can harm not only financial resources but also customer trust and market position. The rapid evolution of technology requires organisations to adopt an integrated approach to mitigating the risks associated with attacks such as vishing.
Strategies to mitigate the risks of vishing
Protection against vishing requires a combination of robust technical controls, ongoing training and employee awareness. Implementing security tools such as multi-factor authentication (MFA) or two-step verification is essential, with one caveat: a one-time code or push approval only helps if employees never read it out or approve it on a caller's request, since vishers routinely ask for exactly that. Phishing-resistant methods, such as hardware security keys, remove that option from the attacker.
In addition, the use of suspicious call blockers, which analyse call patterns to identify anomalous behaviour, can reduce the risk of attack. Employee training and awareness are crucial to prepare staff to identify attack attempts and respond effectively. Attack simulation exercises with realistic scenarios can be effective in preparing employees to detect and respond to suspicious calls.
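The call blockers mentioned above are described only in general terms. As an added illustration, not code from the original article or from any vendor's product, the following Python script runs two simple heuristics over a constructed call-detail log: one external number reaching many distinct internal extensions within a short window, and an unknown number reaching several sensitive roles. The log, the allow-list and the thresholds are all assumptions made for the example.

```python
"""Flag external callers whose pattern in a PBX call-detail log resembles a vishing campaign.

Heuristics (assumed for this example, not any product's algorithm):
  1. one caller reaching >= MIN_TARGETS distinct extensions within WINDOW
  2. a caller not on the allow-list reaching >= MIN_ROLES distinct sensitive roles
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: (caller_id, extension, callee role, timestamp). Not real data.
SAMPLE_CDR = [
    ("+15551230001", "2001", "finance",  "2024-03-04T09:00:00"),
    ("+15551230001", "2002", "finance",  "2024-03-04T09:03:00"),
    ("+15551230001", "2010", "helpdesk", "2024-03-04T09:05:00"),
    ("+15551230001", "2031", "sales",    "2024-03-04T09:09:00"),
    ("+15551230001", "2040", "exec",     "2024-03-04T09:12:00"),
    ("+15551239999", "2001", "finance",  "2024-03-04T10:00:00"),  # known supplier, single call
    ("+15551230002", "2010", "helpdesk", "2024-03-04T11:00:00"),  # unknown caller, two calls
    ("+15551230002", "2040", "exec",     "2024-03-04T11:40:00"),  # ... 40 min apart, to two sensitive roles
]

KNOWN_CALLERS = {"+15551239999"}          # constructed allow-list (suppliers, branch offices, etc.)
SENSITIVE_ROLES = {"helpdesk", "finance", "exec"}
WINDOW = timedelta(minutes=15)
MIN_TARGETS = 4
MIN_ROLES = 2


def parse(records):
    """Convert ISO timestamps to datetime and sort chronologically."""
    parsed = [(c, e, r, datetime.fromisoformat(t)) for c, e, r, t in records]
    return sorted(parsed, key=lambda rec: rec[3])


def flag_suspicious_callers(records, window=WINDOW, min_targets=MIN_TARGETS,
                            min_roles=MIN_ROLES, known=KNOWN_CALLERS, sensitive=SENSITIVE_ROLES):
    """Return {caller_id: [reasons]} for every caller matching at least one heuristic."""
    by_caller = defaultdict(list)
    for caller, ext, role, ts in parse(records):
        by_caller[caller].append((ext, role, ts))

    findings = defaultdict(list)
    for caller, calls in by_caller.items():
        # Heuristic 1: sliding window over this caller's calls, counting distinct extensions.
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][2] - calls[lo][2] > window:
                lo += 1
            distinct = {ext for ext, _, _ in calls[lo:hi + 1]}
            if len(distinct) >= min_targets:
                findings[caller].append(f"{len(distinct)} extensions within {window}")
                break

        # Heuristic 2: caller not on the allow-list reaching several sensitive roles.
        if caller not in known:
            hit = sorted({role for _, role, _ in calls if role in sensitive})
            if len(hit) >= min_roles:
                findings[caller].append("unknown caller reached " + ", ".join(hit))

    return dict(findings)


if __name__ == "__main__":
    for caller, reasons in flag_suspicious_callers(SAMPLE_CDR).items():
        print(caller, "->", "; ".join(reasons))
```

On the sample log, the first number trips both heuristics and the third trips only the second, while the allow-listed supplier is ignored. Output like this is a triage signal for the security team or a prompt for the call recipient to hang up and call back on a directory number; blocking on these heuristics alone would also block legitimate callers, so the thresholds need tuning against real call volumes.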
However, training and awareness should not be treated as a one-off event. An integrated approach is needed that combines technical controls with ongoing training. Many training and awareness programmes are still reactive, implemented only after an incident has occurred. The better approach is a proactive one, so that employees are continuously prepared and can recognise the warning signs of an attack before it succeeds. Training should also be tailored to the specific needs of each area of the organisation, since a help desk and a finance team face different pretexts.
Increased knowledge of cybersecurity best practices can help victims identify fraud attempts more easily. For new employees, integrating good cybersecurity practices into the onboarding process is crucial, as are regular cybersecurity training and awareness programmes to keep them up to date throughout their time with the organisation. Digital literacy not only strengthens the organisation's cybersecurity culture, but also prepares employees to deal with new threats that arise as technology evolves.
As the technology evolves, vishing will remain a growing threat, but there are preventive measures organisations can take. Implementing robust security tools such as MFA, running realistic attack simulation exercises, defining and formalising clear guidelines on what to do when a suspicious call is received (for example, hanging up and calling the person back on a number taken from the internal directory rather than one given by the caller), and ensuring that incidents are reported quickly can significantly reduce the risks associated with vishing.
Keeping up to date with cybercriminal tactics, combined with ongoing training and awareness and an organisational culture of cybersecurity, can enable organisations to stay ahead of attacks, thereby minimising financial, reputational and legal damage.
Published in Jornal Económico as "Vishing, a fraude eletrónica que utiliza IA para imitar vozes".