The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You

Summary:
Vishing, or voice phishing, is a social engineering attack that manipulates victims into revealing confidential information over the phone, often after luring them in with fake emails, PDFs, or image attachments. These scams typically impersonate trusted organizations like banks or tech companies and create a false sense of urgency to pressure users into calling a fraudulent phone number. From there, attackers impersonate customer service representatives and extract personal data such as passwords, credit card details, or account numbers.

Traditional vishing methods are evolving rapidly, making them harder to detect as attackers increasingly use legitimate-looking attachments to bypass security filters. Recent developments in vishing tactics include the use of MP4 and WebP file attachments. MP4 files, commonly associated with harmless video content, are increasingly being used by cybercriminals to carry malicious content. Because MP4 files are typically seen as safe by security systems, attackers use them to evade detection, sending phishing emails that contain vague or suspicious content, hoping to spark curiosity in the recipient. Similarly, WebP files, a newer image format known for its ability to compress images for faster web loading, are also being used in vishing emails. These files are often overlooked by email filters, as they are typically seen as innocuous.

Security Officer Comments:
Threat actors are continuously identifying and employing new attack vectors, making it increasingly difficult for both individuals and organizations to detect and prevent attacks. The use of seemingly harmless MP4 and WebP files to carry malicious content bypasses traditional security systems, putting unsuspecting victims at greater risk of falling for scams. As these attacks become more sophisticated, they increase the likelihood of financial loss, identity theft, and even corporate data breaches. Additionally, the psychological manipulation involved in creating a sense of urgency or curiosity leaves victims vulnerable to impulsive decisions, further amplifying the success rate of these scams. The growing complexity of vishing tactics highlights the need for more advanced security measures and heightened awareness among users.

Suggested Corrections:
Here are some red flags to help you spot a vishing email:
  • One of the key red flags in these sample emails is the use of unfamiliar file attachments, such as MP4 and WebP, which is highly unusual for legitimate communications. Most reputable companies do not send emails with such attachments for invoices. Instead, they typically provide invoices in PDF format or through secure online portals.
  • The MP4 and WebP attachments contain invoices that may appear legitimate at first glance, but upon closer inspection, they reveal fake contact details designed to mislead recipients into calling a scammer. The emails also create a sense of urgency, pressuring the recipient to call the number immediately to cancel the subscription within 24 hours.
  • The use of free email services to impersonate trusted organizations is a common tactic. Scammers frequently rely on freemail services to disguise their identity and make their emails seem legitimate. Legitimate companies do not rely on free email services for official communication.
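
The three red flags above can be checked mechanically during mail triage. The following Python sketch is an added example, not code from the Trellix article; the `FREEMAIL`, `BRANDS` and `URGENCY` lists, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed, illustrative lists (not from the article); tune per environment.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRANDS = ("examplebank", "exampletech")  # hypothetical impersonated brands
URGENCY = ("within 24 hours", "immediately", "cancel", "call")

def media_kind(data: bytes) -> Optional[str]:
    """Classify by magic bytes so a misleading filename or MIME type is ignored."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"   # 'ftyp' box; also matches other ISO BMFF files such as MOV
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"  # RIFF container with a WEBP form type
    return None

def vishing_flags(raw: bytes) -> list:
    """Return the red flags from the list above that a raw email message trips."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREEMAIL and any(b in name.lower() for b in BRANDS):
        flags.append("brand-name-from-freemail")
    for part in msg.iter_attachments():
        kind = media_kind(part.get_payload(decode=True) or b"")
        if kind:
            flags.append(kind + "-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + str(msg.get("Subject", ""))
    if sum(k in text.lower() for k in URGENCY) >= 2:  # two or more urgency cues
        flags.append("urgency-language")
    return flags

def sample_message() -> bytes:
    """Constructed sample: invoice lure whose attachment is WebP despite its name."""
    m = EmailMessage()
    m["From"] = "ExampleBank Billing <constructed.sample@gmail.com>"
    m["To"] = "user@example.org"
    m["Subject"] = "Invoice for your subscription"
    m.set_content("Your subscription renews today. Call to cancel within 24 hours.")
    webp = b"RIFF" + (4).to_bytes(4, "little") + b"WEBP"  # header bytes only
    m.add_attachment(webp, maintype="application",
                     subtype="octet-stream", filename="invoice.dat")
    return m.as_bytes()

if __name__ == "__main__":
    print(vishing_flags(sample_message()))
```

A message that trips several flags at once is a candidate for quarantine or analyst review; any single flag on its own will also match legitimate mail.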
Link(s):
https://www.trellix.com/blogs/resea...criminals-are-using-multimedia-to-target-you/