Voice phishing, also known as vishing, is popular right now, with multiple active campaigns throughout the world ensnaring even savvy victims who appear to know better, defrauding them of millions of dollars.
South Korea is one of the global regions hardest hit by the attack vector; in fact, a fraud in August 2022 resulted in the largest amount ever stolen in a single phishing case in the country. This transpired when a doctor sent 4.1 billion won, or $3 million, in cash, insurance, stocks, and cryptocurrency to criminals, showing how much financial harm one vishing scam can inflict.
According to Sojun Ryu, lead of the Threat Analysis Team at South Korean cybersecurity firm S2W Inc., sophisticated social engineering strategies used in recent frauds involve imitating region law enforcement officers, giving individuals a false sense of authority.
Ryu will present a session on the topic, "Voice Phishing Syndicates Unmasked: An In-Depth Investigation and Exposure," at the upcoming Black Hat Asia 2024 conference in Singapore.
Vishing attempts in South Korea, in particular, take advantage of cultural differences that allow even those who do not appear to be susceptible to such scams to be victimised, he claims.
For example, in recent frauds, cybercriminals have posed as the Seoul Central District Prosecutor's Office, which "can significantly intimidate people," Ryu adds.
By doing so and acquiring people's private data ahead of time, they are successfully intimidating victims into completing money transfers — sometimes in the millions of dollars — by convincing them that if they do not, they will suffer serious legal penalties.
Vishing engineering: A blend of psychology and technology
Ryu and his companion speaker at Black Hat Asia, YeongJae Shin, a threat analysis researcher who previously served at S2W, will focus their talk on vishing in their own nation. However, vishing scams identical to those seen in Korea appear to be sweeping the globe recently, leaving unfortunate victims in their wake.
Even savvy Internet users appear to fall for the law-enforcement frauds; one such reporter from the New York Times, who explained in a published story how she lost $50,000 to a vishing scam in February, is one of these people. A few weeks later, when fraudsters working in Portugal pretended to be both national and international law enforcement agencies, the author of this piece almost lost 5,000 euros to a sophisticated vishing operation.
Ryu explains that the combination of social engineering and technology enables these modern vishing scams to exploit even individuals who are aware of the risks of vishing and how their operators function.
"These groups utilize a blend of coercion and persuasion over the phone to deceive their victims effectively," he stated. "Moreover, malicious applications are designed to manipulate human psychology. These apps not only facilitate financial theft through remote control after installation but also exploit the call-forwarding feature.”
This suggests that there are several vishing groups active throughout the world, emphasising the need to be cautious even when dealing with the most convincing schemes, according to Ryu. To prevent compromise, it's also essential to train staff members on the telltale signs of frauds and the strategies attackers typically implement to trick victims.