© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Click rate for vishing scams triple that of phishing

Phishing scams that use phone calls are three times more likely to succeed, research by IBM suggests.

Targeted campaigns that use “vishing” or “voice phishing” netted a click from a victim on a dodgy link 53.2% of the time, as opposed to 17.8% for regular phishing attempts, said IBM’s X-Force Threat Intelligence report published this year.

Phishing attacks overall accounted for the largest proportion of cyberattacks, with just over four in ten (41%) of breaches in 2021 being initiated by this method, up from 33% the previous year.

This placed phishing above remote server exploitation and brute force attacks, proving yet again that social engineering – whereby a threat actor tricks a victim into handing over credentials or other sensitive security data – continues to be a major factor in facilitating cybercrime.

Other forms of cyberattack typically rely on computer-based tactics, techniques, and procedures (TTPs) to break past an organization’s defenses.

Microsoft, Apple, and Google had the dubious honor of being the top three brands cybercriminals sought to mimic during phishing attacks, due to “their popularity and the trust many consumers place in them.”

Cybercrooks like to keep it social

The X-Force team obtained the information partly by conducting white-hat or authorized hacking attacks on client systems, using phishing-based TTPs including vishing attacks in penetration tests to assess the quality of their defenses.

“Attackers have leveraged phishing campaigns and social engineering with great success,” said IBM. “And particularly in 2021, X-Force observed ransomware actors rely even more heavily on phishing campaigns to gain initial access to victim networks for ransomware attacks.”

It cited as an example the Russia-based ransomware group REvil – whose ostensible disbandment earlier this year has been disputed – which used the QakBot malware, delivered through bogus phishing emails, to pave the way for ransomware assaults on targeted victims.

“These emails usually have very short messages, often refer to unpaid invoices, and occasionally will even hijack ongoing email conversations and reply all with only a malicious attachment,” said IBM. “When opened, the document will instruct the recipient to enable macros which will drop the QakBot banking trojan, gaining an initial foothold on a system. The operation is then transferred to REvil ransomware actors who conduct reconnaissance and proceed with the operation from there.”

IBM studied thousands of ‘off-the-shelf’ phishing kits from all over the world, and found that nearly all of them asked for user credentials such as email and password, with credit card data also being requested in 61% of cases. Other data targeted included postal mailing address (40%), phone number (22%), date of birth (17%), identity card number (15%), security questions (14%), and ATM PIN (3%).

All kitted out… or not?

However, phishing appears to be by no means a favorable numbers game for money-hungry crooks. IBM found that many of the ready-made kits were of limited effect, having a usage lifespan of “no longer than a day” in a third of cases and commanding no more than 75 “potential victims” per deployment.

“Our investigation suggests that malicious actors who use phishing kits probably put in tedious hours with limited gains,” it said.

In light of such findings, perhaps it is fair to conclude that – despite its growing popularity – cybercrime doesn’t always pay.
