S21sec Cybersecurity
11 December 2024

Vishing, the new telephone scam that uses artificial intelligence to imitate voices

By Silvia Garcia, Cybersecurity Consultant at S21sec

The evolution of cyber threats has not only given rise to sophisticated cyber attacks, but has also modernized traditional methods, adapting them to new tools of the digital era. This is the case of vishing, also known as voice phishing, a social engineering scam in which the attacker, through a phone call, impersonates a company, organization, or trusted person in order to obtain personal and sensitive information from the victim.

This scam became popular in 2023, when the cybercriminal group Scattered Spider carried out one of the largest attacks of its kind in the US and UK, targeting employees of companies in a variety of industries. Text messages impersonating the organization's IT department were used to trick employees with malicious links, threatening to disable their accounts. This case highlighted how simple tactics can exploit human and technical vulnerabilities, underscoring the need for more robust security measures and better cyber risk education.

Phone call, a common technique in spoofing strategies

According to the latest edition of the Threat Landscape Report (TLR) by S21Sec, a leader in cybersecurity in Europe and part of the Thales Group, the rise of scams such as phone phishing represents a growing challenge, especially for the financial sector. To carry them out, cybercriminals are leveraging advanced technologies, such as artificial intelligence and Voice over Internet Protocol (VoIP), a method of making calls over a broadband connection via the Internet, to create convincing narratives that mimic voices and linguistic patterns with great accuracy. This makes it easy for attackers to impersonate legitimate entities such as banks or service providers, tricking their victims into sharing sensitive information.

The most targeted profiles are usually older people, new employees or workers handling external communications, such as members of technical support teams. These calls often involve urgent situations, such as supposed security problems that require the immediate delivery of credentials or personal data. The goal of these attacks is to gain access to systems or financial information to commit fraud, steal funds or engage in fraudulent practices for personal gain.

In addition, the increasing reliance on digital tools by companies and users creates an environment conducive to these intrusions. Attacks not only have economic repercussions, but also cause reputational and legal damage, especially when they involve the leakage of personal data.

How can we protect ourselves from fraudulent calls in the workplace?

Preventing vishing requires an effective combination of technology, awareness, and a well-defined methodology. Companies should adopt a preventive approach, integrating security tools such as multi-factor authentication (MFA), also known as two-step authentication, and suspicious call blockers, which add an additional layer of security. However, technical measures must be complemented by training and simulations of real scenarios, ensuring that employees recognize and manage these threats effectively. This should be accompanied by the establishment of corporate policies that set out the steps to be taken in the event of receiving or falling victim to a suspicious call.

It is also crucial to stay properly informed about the latest tactics used by attackers in order to prevent any kind of information leakage. Not sharing information and verifying the identity of the caller play a crucial role in risk mitigation.

Vishing, with its ability to exploit the most vulnerable side of technology, the human factor, represents a significant challenge in today's cybersecurity landscape. Therefore, only a comprehensive strategy that combines awareness, training and technology can give companies and individuals the right tools to protect themselves against this threat.