Be careful what you ‘vish’ for
You may be alert to phishing emails, but what would you do if hackers used a trusted voice to dupe you?
If you are a diligent digital citizen, then you must be following these rules already: never disclose your passwords to anyone, change your Internet banking details and ATM personal identification number frequently, and never share your personal details with an “unknown” person.
Suddenly you get a call from your wife. She has to complete an immediate loan payment and needs your Internet banking details. You give them to her without hesitation. You call her back a while later to check if everything is fine. She says she never called you.
What just happened?
You try accessing your account online, but your password is rejected. Someone has hacked into your account after extracting the necessary authentication details over a “vishing” call.
People now know all about phishing emails. So fraudsters have moved on to something more credible.
How did the call sound and look so convincing?
Vishing is a voice solicitation crime where the attacker uses the phone to extract private information or data points that could be used for further attacks—for example, hacking into your bank account.
But how did this fake caller sound like your wife? More importantly, how did an unknown number get displayed as your wife’s number on your phone?
“Phishing calls (vishing) are becoming very regular now. There are websites that let you make fake phishing calls and modulate your voice. You could take the pitch (of your voice) higher or lower and make yourself sound like someone else,” says Saket Modi, chief executive officer and co-founder, Lucideus Tech, an IT risk assessment and digital security services provider.
It is even possible to “spoof” a person’s number to make the call look legitimate. Attackers use caller ID spoofing to make calls look like they are coming from a known person or number. What makes vishing more dangerous is the fact that it requires no coding. All the hacker needs is a phone and an Internet connection.
Vishing attacks have a high success rate because hackers employ social engineering—where the victim is manipulated into divulging important personal details. It is an astute mixture of verbal skills and psychological triggers.
“Since the scammers can reach you at any time on your private devices, it can feel direct and personal,” says Anand Ramamoorthy, managing director, South Asia, McAfee.
A vishing exhibit
One of the most popular examples of a vishing call can be seen on YouTube in an episode of Real Future (an American documentary series about technology and the future) titled “What Happens When You Dare Expert Hackers To Hack You”. Kevin Roose, the executive producer and co-host of the series, took part in a security testing exercise last year at DefCon in Las Vegas, the world’s biggest hacker convention.
In the exercise, the ethical hacker, or social engineer, called up Roose’s cellphone provider pretending to be his wife and asked for access to his account. “To make the act more convincing, and elicit sympathy from the customer service rep, she found a YouTube video of a crying baby and played it in the background, while spinning an elaborate story about how I was out of the country on business, and how, if she could just get into the account, she could get the information she needed to apply for a loan,” Roose writes in a post on Fusion.net. The YouTube video has had more than two million views.
To Roose’s bewilderment, the call worked. Not only was the social engineer allowed access to his account, she also changed the password. Roose was locked out of his own account.
This exercise was conducted by an ethical hacker, but there are countless real attacks across the world. In February last year, cyber-criminals duped a senior executive at a Scottish blue-chip company by posing as his boss on the phone. The criminals convinced the executive to transfer money to an overseas bank account. The damage was immense: £18 million (around Rs148 crore).
Tackling it in the future
How do you judge a trusted voice on the phone? The latest research suggests that vishing could be tackled in the future with the help of real-time audio authentication and voice biometrics.
Today a hacker who obtains your details can get into your online bank account, but in the future, systems such as one-time passwords (OTPs) and life history questions (What is your blood group? What was your first smartphone model?) might become obsolete. A user will be able to access important websites (email, bank accounts, etc.) on the basis of their voice, with the help of real-time audio authentication. You could call it a vocal password.
Naysayers may point out that any voice can be recreated or fabricated. But with the growing adoption of Artificial Intelligence and algorithms, a fabricated voice could in the future be recognized with the help of synthetic speech-detection algorithms. These algorithms would be designed to look out for voices created or modified using software.
These technologies are still in the pipeline, however, so a lay user needs to keep a few things in mind when dealing with fake calls.
If you receive a phone call from a bank or any organization and you think it could be a fraudulent request, look up the organization’s customer service number online and check whether it matches the number that called you. Since the displayed number itself can be spoofed, the safer move is to hang up and call back on the published number.
In the case of known numbers (number spoofing), a common technique is to rush victims into divulging information. The caller might create a sense of urgency (remember the wife and the loan payment?). In such “phishy” situations, it is always a good move to ask the caller for more details and for something only that person would know. There’s a strong chance you would be laughed at. But you would still have the last laugh.
Phishing
A cyber crime where the attacker obtains private information from someone over a mode of electronic communication by masking his/her true identity. A phishing attack can take the form of a fraudulent email, a malicious website or social media channels.
Smishing
A cooler word for SMS phishing, smishing involves the use of fake text messages. These SMSes usually try to convince a user to call a number or click on a link to a malicious website that might leave the user vulnerable to a phishing attack.
Pharming
Pharming is an online fraud technique that redirects the traffic of one website to another. The second website is usually a malicious site looking to steal a user’s personal or financial details. In most cases of pharming, a user might type in the right website address, but will still be redirected to a phoney site.