Get The Latest Insights

By Jessica Ellis | October 19, 2021

Multi-stage vishing attacks have more than doubled since Q2, overtaking BEC attacks as the second most reported response-based threat. These two-pronged attacks differ from conventional vishing by combining malicious emails and phone calls to trick victims into disclosing sensitive information.

Emails associated with these campaigns are particularly adept at getting past attack controls because they lack the links or attachments typically flagged by security teams, opting instead to use phone numbers. Below, we take a look at these unconventional attacks and how they are executed.

What is Vishing?

Vishing (voice-phishing) scams are traditionally initiated by sms or a phone call and rely heavily on brand impersonation to trick victims. In these attacks, the threat actor falsely claims a purchase has been made, unauthorized account activity has occurred, or that the victim’s account has been locked. In order to remedy the matter, the actor requests the victim provide personal identifiable information (PII), account credentials, or other sensitive information.

However, we are seeing an increased shift away from standard vishing tactics to multi-stage attacks initiated via malicious email. In these campaigns, actors are using a mobile number in the body of the email as the lure, then relying on social engineering and impersonation to trick the victim into calling and interacting with a fake representative. In each example below, the threat actor uses a free gmail account to deliver the attack.

Example 1

The first example using this two-pronged approach impersonates an online payment system. In the email, the victim is notified of a fake payment made to a global retailer and given a call-to-action to reach out via the number listed if there are issues with the transaction.

The large transaction amount coupled with a common subject line “Confirmed” are used to inspire urgency as well as blend in with legitimate, post-purchase emails. The message also claims that the mailbox is not monitored and discourages replying directly to the email with questions, leaving the phone number as the only method of communication. When the victim calls the attacker, they will be prompted to disclose sensitive information, including PII and banking credentials.

Senders Address: [email protected]

Example 2

The second example falsely states the recipient has purchased a camera. The actor again impersonates an online payment system and uses the their logo in the body of the email. The large transaction provides a sense of urgency, while the order details make the email seem legitimate.

Sender’s Address: [email protected]

Example 3

Our third example falsely indicates that the victim has purchased a security product, provides the payment amount, and includes details of the product features. It spoofs the security product’s brand both in the email body, as well as the Sender Display name. Unlike the previous examples, this message adds more urgency to the notice by stating the victim only has 24 hours to open a dispute regarding the transaction.

Sender’s Address: [email protected]

The variations of examples are unlimited and will continue to improve. The rise in multi-stage vishing volume demonstrates how threat actors are constantly evolving their tactics to increase their odds of success. Similar to the top response-based threat, 419 or Nigerian Prince scams, these attacks are easy to deploy and unassuming in nature, making them particularly difficult to detect. PhishLabs is continuing to monitor vishing threats as they develop.

Additional Resources: