Uptick in Vishing Scams – My information Resource (blog.mir.net)

The NJCCIC observed an uptick in vishing scams, a form of phishing over the phone. In these calls, threat actors attempt to gain trust and legitimacy by sharing some of the recipient’s personal data, such as name, age, and address. However, this data is typically an aggregated set of publicly available information found online. Some of this information may be outdated or pertain to a partner instead of the call recipient. The phone numbers used in vishing scams vary and change frequently, and threat actors often spoof official phone numbers to appear legitimate. Vishing calls may be persistent, and threat actors may contact potential victims multiple times daily.

Threat actors claim authority or legitimacy by impersonating various governmental agencies, financial institutions, organizations, and individuals to convince the call recipient to provide additional sensitive information, such as personally identifiable information (PII), financial information, or account credentials. They also convey urgency to extort money by persuading the call recipient to purchase fraudulent goods or services or grant access to their accounts or devices. The acquisition of additional information and this fraudulent activity can facilitate further cyberattacks.

In some instances, threat actors personally harass or threaten the call recipient or their known contacts. For example, a threat actor claimed the call recipient was responsible for a supposed accident and threatened them if they did not pay a hospital bill. In another example, the call recipient heard a woman crying in the background while a Spanish-speaking male claimed to be part of a cartel and demanded a $20,000 payment from the call recipient to keep the woman alive.

Additionally, a threat actor spoofed the phone number of the call recipient’s mother and demanded payment upon answering. If the call recipient did not make payment, the threat actor claimed they would kill the person they were supposedly holding at gunpoint. The call recipient heard crying in the background, disconnected the call, and contacted their mother on another line, confirming it was a scam. The call recipient’s sister also received a similar call spoofing their mother.

Furthermore, voice cloning technologies and artificial intelligence (AI) manipulations can be used in impersonation and extortion scams. Threat actors find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient caller answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, including family emergencies, kidnappings, robberies, or car accidents.