In 2019, CNN published a seemingly horrific story about a mobile phone call that originated from the user’s own number. Curious about who would call from his phone number, the recipient picked up and was greeted by a recording about the need to quickly pay for an outdated software license. Though most phishing calls don’t spoof the recipient’s number as the caller, the creativity and vigilance of voice phishing scams appear to be boundless.
Unfortunately, voice phishing scams have been so successful that attackers are motivated to find new and even more clever ways of using cell phones for profit. A quick review of 2020 predictions from security experts reveals that the trend is on the upswing and evolving. One leading provider of phone call and data transparency solutions noted the drastic increase in mobile scam calls from 3.7% in 2017 to 29.2% in 2018, and expects that the data from 2019 will reveal that almost 50% of U.S. mobile calls are scam calls. And according to a report released at the end of 2019, 90 voice fraud attacks occur every minute.
Security experts predict voice deepfakes and phone number spoofing will make it even more difficult to discern the authenticity of the caller. With spoofing, attackers can use a VoIP service such as Skype to make calls look like they’re coming from any location and number—even a contact in your address book, your bank, or your own phone. The process is quick, cheap, and easy. Combine this capability with artificial intelligence (AI) and advancements in deepfake voice technology, and calls from someone in your contacts can actually sound like that contact.
Attackers are perfectly armed to hit high-risk targets such as C-level executives and other decision-makers who have access and authority to funds as well as proprietary and confidential data. Not surprisingly, the industries most targeted by voice phishers include retail, banking, insurance, card issuers, brokerages, and credit unions.
Third-party blocking apps are fairly ineffective, leaving security up to the call recipient’s awareness and vigilance. And, with the growing complexity of voice phishing attacks, it can be challenging to keep up. As such, training and penetration testing are crucial to ensuring your staff are hyper-vigilant in detecting voice phishing scams. Wise companies are investing in ongoing exercises such as social engineering assessments that challenge employee susceptibility to email, voice, and even in-person phishing attacks.