Introduction to Vishing

Guest Post

When you receive a call on your phone from an unknown number, it's nearly impossible to guess who's calling. Increasingly, it could be someone vishing you.   

Vishing is a term derived from "voice" and "phishing." Just as phishing uses malicious emails, vishing is a phone scam designed to pressure you into handing over personal or financial information, or into taking an action such as making a payment or installing software.

Here's what you need to know about vishing scams, and how you can identify and avoid them.

Vishing Explained

When a scammer makes a vishing call, they use social engineering techniques to convince you to share personal and financial information, such as passwords and account details. They may claim that your account has been compromised, pose as law enforcement or your bank, or offer to help you install a program that is in fact malware or remote-access software.

Vishing scales easily. Using Voice over Internet Protocol (VoIP) services, a scammer can place hundreds of calls at once and spoof the caller ID so that your phone displays a trusted name or number, such as your bank's. The caller ID is supplied by the calling party, so the number you see is not proof of who is on the line.
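To make the caller-ID point concrete, here is an added example (not part of the original post) showing why the number on your screen proves nothing. In SIP-based VoIP, the caller ID your phone displays comes from the From header of the INVITE request, and that header is filled in by whoever places the call. The script builds a constructed INVITE with a chosen display name and number and then extracts what a callee's phone would show; the domain, IP address and phone numbers are fictitious placeholders, and nothing is sent on the network.

```python
import re
from typing import Tuple

# Constructed example: a minimal SIP INVITE as a caller's softphone or PBX
# might emit it. The From header is whatever the caller chooses; the message
# itself carries nothing that proves the number really belongs to the caller.
# Domain, IP address and numbers are placeholders (documentation ranges).
def build_invite(display_name: str, from_number: str, to_number: str,
                 domain: str = "sip.example.net") -> str:
    """Return a SIP INVITE whose caller ID is set entirely by the caller."""
    lines = [
        f"INVITE sip:{to_number}@{domain} SIP/2.0",
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds",
        f'From: "{display_name}" <sip:{from_number}@{domain}>;tag=1928301774',
        f"To: <sip:{to_number}@{domain}>",
        "Call-ID: a84b4c76e66710@198.51.100.7",
        "CSeq: 314159 INVITE",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines)


# Matches the From header: optional quoted display name, then the SIP URI user part.
FROM_RE = re.compile(
    r'^From:\s*(?:"(?P<name>[^"]*)"\s*)?<sip:(?P<number>[^@>]+)@', re.MULTILINE
)


def displayed_caller_id(invite: str) -> Tuple[str, str]:
    """Return (display name, number) exactly as a receiving phone would show them."""
    m = FROM_RE.search(invite)
    if not m:
        raise ValueError("no From header in INVITE")
    return (m.group("name") or "", m.group("number"))


if __name__ == "__main__":
    # A scammer's PBX presenting itself as a bank's published number.
    spoofed = build_invite("First National Bank", "+18005550100", "+12025550123")
    name, number = displayed_caller_id(spoofed)
    print(f"Phone shows: {name} {number}")
```

The receiving handset has no independent source for the caller's identity; it simply renders the From header. Carrier-side attestation schemes exist, but absent one being enforced end to end, the only reliable check is the one the post recommends: hang up and call the institution back on its published number.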

Some Common Vishing Scams

Here are some common vishing scams used by criminals:

A Compromised Credit Card or Bank Account
The scammer will either call you in person or play a recorded message saying that there is a problem with a payment. They then ask for your login details to "fix" the issue, or ask you to make a new payment. Rather than giving out your information, hang up and call your financial institution directly on its publicly available number.

An Unsolicited Investment or Loan Offer
A person will call you with an offer that seems too good to be true. For instance, they will tell you that you can earn millions of dollars on a small investment, have your student loans waived, or clear your debt with a quick fix. Typically you will be asked to act fast and to lock in the offer with a small upfront fee. If money is involved, don't fall for it. A legitimate investor or lender never calls out of the blue with such offers.

Social Security or Medical Care Scam
This technique usually targets older adults. An individual poses as a Medicare representative and tries to obtain information from the victim, such as their Medicare number or bank account number, and then uses it to steal money from their account or to claim their medical benefits. They may also claim to be calling from the Social Security Administration and threaten to suspend the victim's Social Security number if they don't share their information (something the SSA does not actually do).

IRS Tax Scam
This scam has many variations, but typically a prerecorded message tells you there is a problem with your tax return and that you will be arrested if you don't respond. The call usually comes from a spoofed caller ID that makes it look like it is from the IRS. The IRS initiates contact by mail and does not threaten arrest over the phone.

How to Identify a Vishing Scam

Being vigilant and staying updated is key to spotting a vishing scam. However, here are some tell-tale signs that can instantly help you identify them:

  • There is a sense of urgency in the caller's message. A scammer will try to create fear by using threats or describing unpleasant consequences if you don't act. If you receive such a call, stay calm and never give out personal information. Hang up and do your own investigation by calling the institution's publicly available number.

  • The caller asks for your personal information. They may ask for your name, ID number, date of birth, address, Social Security number, credit card details, or bank account information. To appear legitimate, they may first quote details they already obtained from public sources or earlier data breaches; a caller knowing some of your information is not evidence that they are who they claim to be.

  • The number on your screen is not proof of anything. Because caller ID can be spoofed, a call that displays your bank's published customer-service number is no guarantee that the bank is calling, and a call from an unfamiliar VoIP or mobile number is not necessarily a scam either. Treat the displayed number as a hint at most, and rely on calling the institution back on a number you looked up yourself.

  • You receive an unsolicited call from a person claiming to be a representative. Unless you are already expecting a call from your bank or the Social Security Administration, treat the call with suspicion: these organizations will not call you out of the blue to ask for your personal information over the phone.

How to Avoid Vishing Scams

Apart from staying knowledgeable about how vishing works, you can also do the following:

  • Don't pick up calls from unknown numbers. Though you may be tempted to answer every call, you can simply let it go to voicemail. Caller ID can be faked, so you can never be sure who is calling. Voicemail helps you avoid acting in haste: listen to the message first and then decide whether you should call the person back.

  • Hang up at once. The moment you suspect that it's a scammer making a vishing call, hang up. You don't owe it to them to carry on a polite conversation.

  • Verify the identity of the caller. If a person gives you a number to call back on, don't use it. Instead, look up the official number on the institution's website, on the back of your card, or on an official letter or statement, and call that.

  • Don't respond to prompts. An automated message may ask you to press buttons or answer a series of questions, for example "press 1 to talk to the operator." Such prompts are used to confirm that the line is live and identify targets for future calls, or to record your voice for use against accounts that rely on voice authentication.

What can you do as an organization?

To protect your organization and employees from falling victim to vishing, take proactive steps and make vishing a standard part of your security awareness training. Several vendors offer simulated vishing platforms that help you measure how susceptible your staff are to these calls while also showing employees the kinds of threats they might face.


David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences. David occasionally consults with smart card companies like Cardzgroup.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.