Avoiding Vishing Scams: Everything You Need to Know to Spot & Prevent Phone Scams
You’re probably familiar with the identity theft tactic known as phishing. How much do you know about “vishing,” or “voice phishing,” though?
There's been a troubling increase in the number of attempted vishing attacks in recent years. According to data from Statista, nearly 70% of survey participants have experienced vishing attempts. That’s a 30% increase compared to 2020.
What's even more alarming is that this is not just the work of isolated scammers. Entire call centers are now being set up for the sole purpose of vishing. A notable example occurred recently in Ukraine, where authorities arrested 40 individuals linked to a large-scale vishing operation.
This clearly underscores the growing sophistication and organization behind these attacks. But, what does this mean for businesses, and can you do anything to stop vishing attacks? Let's find out.
What is Vishing?
Vishing [noun] /və • SHiNG/
Vishing, often called voice phishing, is a form of cybercrime that leverages telephone calls to illicitly obtain sensitive personal information. Scammers employ social engineering strategies to persuade victims into disclosing confidential details, such as bank account access, over the phone.
Like all forms of phishing, vishing relies on creating a sense of urgency and legitimacy to dupe the victim. Callers frequently pose as representatives from reputable institutions like government agencies, tax offices, or the victim's own bank to gain their trust.
To compel action, these fraudsters often resort to aggressive tactics. Some employ intimidating language framed as legal advice to coerce victims into complying. The scammer may insinuate that the victim could face legal repercussions if they don’t follow the scammer’s instructions. Another common approach is to leave ominous voicemails insisting on immediate callback. The message threatens outcomes like arrest or account suspension to induce a sense of panic.
In the end, the caller’s goal is to trick their victim into handing over sensitive information. Account numbers, passwords, personal data — all are common targets for vishing scammers.
How Does Vishing Work?
Executing a successful vishing attack generally involves a bit more nuance than merely dialing random numbers. Scammers often prepare in advance, and are armed with confidential details they've already obtained through other means like emails, bogus websites, or data breaches. This data is then leveraged to build trust and persuade victims into sharing critical information.
You might be asked for additional details during the call, like your full name and address. These fraudsters could also record your voice as you give verbal consent, which they may use for biometric spoofing. Or, in some cases, you might receive an accompanying text or email that prompts you to enter sensitive data.
Here's a breakdown of the typical vishing process:
Step 1: The Investigation
The scammer initiates the scheme by gathering information on potential targets. They may send out phishing emails, hoping for a response that includes a phone number. Or, they may use software to make calls to numbers sharing a targeted area code.
Step 2: Laying the Bait
If the victim has previously fallen for a phishing email, they're less likely to suspect a follow-up phone call. Fraudsters capitalize on this trust, especially if the victim is anticipating a call. They know that calls from local area codes are more likely to be answered.
Step 3: Making the Pitch
The scammer taps into basic emotions like trust, fear, greed, or even a desire to help someone in need. Using social engineering tactics, the scammer persuades the victim to take some action. For instance, sharing sensitive personal information like bank details, transferring money, or sending confidential workplace documents.
Step 4: Sinking the Hook
The scam doesn't end once the fraudster has secured the information or action they were after. They can proceed to exploit this, draining the victim's bank account, or making unauthorized credit card purchases. They may even leverage it to con the victim's colleagues into releasing more confidential data.
Some vishing schemes provide a callback number for the victim. This is a way of lending an air of legitimacy to the scam. The callback number could be for “tax processing” or “covid-19 test results,” for example.
This extra touch adds a layer of authenticity and instills confidence in the victim. Should the victim call this number, they may encounter a voicemail, or speak to another accomplice who keeps the scam running.
Examples of Common Vishing Tactics
A crucial element in any phishing attack, including vishing, is the use of social engineering tactics. That’s why maintaining a healthy skepticism of any caller employing forceful, urgent, or persuasive language is essential.
Vishers often impersonate callers from trusted institutions like Microsoft, Amazon, or healthcare providers. None of these entities would call to ask for sensitive financial information or security codes over the phone, though.
Here's a rundown of ten common strategies employed in vishing attacks:
#1 | Automated Dialing
Scammers target specific area codes and kickstart an automated message that impersonates a local institution, like a bank or police department. The message may prompt the listener to divulge personal and financial details under the guise of account verification or security checks.
#2 | VoIP Masking
VoIP technology allows fraudsters to hide behind untraceable numbers, often masquerading as local or toll-free numbers. Some even configure VoIP numbers to appear as if they're originating from credible institutions like hospitals or government agencies.
#3 | Caller ID Manipulation
In this approach, scammers tamper with the caller ID to disguise their identity. They often appear as "unknown," or mimic legitimate entities like the IRS or law enforcement.
#4 | Dumpster Diving
Scammers may scrounge through waste bins behind banks or corporate buildings to find useful information. They use the information gathered to launch targeted vishing attacks known as “spear-vishing.”
#5 | Alarmist Messages
Scammers leave voicemails that create a sense of urgency, like warnings of compromised bank accounts or pending IRS action. When you return the call, they're primed to collect your sensitive information.
#6 | Pre-Attack Info Gathering
Some elaborate schemes involve detailed research on potential victims to establish credibility and lower the target's guard. This makes such attacks harder to identify.
#7 | Multichannel Attacks
In addition to phone calls, attackers might send emails as a part of their scheme. The email serves as a precursor to the phone call, creating a false sense of security and verification.
#8 | Phony VPN Setups
Posing as IT support, fraudsters may guide employees to log into a fake VPN page. Through this dummy page, they can capture login credentials to infiltrate an organization’s network.
#9 | Encouraging Callbacks
Also known as “reverse vishing,” the scammer leaves a message asking the victim to return the call about an urgent matter, often providing a case number for added legitimacy. Because the victim initiates the call, they're more inclined to trust the situation.
#10 | Counterfeit Two-Factor Authentication
With this tactic, the scammer sends a false two-step verification request from a reputable service like Google or Apple. The scammer poses as customer support. When the victim engages, the scammer collects the verification code and gains account access.
These methods prey on the human propensity to trust and act urgently during phone interactions. That’s why it’s important to always remain cautious. Seek to confirm the identity of anyone requesting personal or financial information over the phone.
The success of vishing has led scammers to explore new, similar tactics.
Security experts have issued a warning about a new and sophisticated form of vishing known as “Letscall.” The scammer first tricks victims into downloading malicious apps from a bogus Google Play Store site. Once the malware is installed, calls are rerouted to criminal-controlled call centers where trained agents impersonate bank officials to extract sensitive information.
Reports also found that impersonation attacks on social media are on the rise. There was a 339% jump in brand impersonation and a 273% increase in executive impersonation in 2022.
10 Vishing Red Flags to Be on the Lookout For
The perpetrators are becoming more clever. So, knowing how to spot the red flags and protect yourself from falling victim to vishing scams is crucial.
With that in mind, here are ten red flags to watch for that can help you identify a vishing attempt:
#1. Unexpected Calls
Be wary if you receive a call you didn't anticipate from an organization, especially one asking for personal or financial information. Legitimate organizations don't request sensitive data over the phone unless you've specifically asked them to call you for a certain purpose.
#2. Pressure Tactics
Scammers often use high-pressure tactics to force a quick decision. They may claim that your account has been compromised, that you owe money, or that you face some other urgent situation requiring immediate action. Legitimate companies will give you time to think and verify information.
#3. Generic Greetings
The scam call often starts with a generic greeting like "Dear Customer" instead of using your real name. This is an immediate red flag, as most organizations that would require sensitive information would also use your name to personalize the interaction.
#4. Call-Back Numbers
If the caller provides a number for you to call back to verify their identity, don't use it. Instead, look up the official contact number for the organization and use that to initiate any further conversations.
#5. Inconsistencies in Caller ID
Be wary of calls for which the caller ID doesn't match what the caller claims, or is a number that's just slightly off from a familiar number. Spoofing technology can make it appear as though the call is coming from a legitimate source when it's not.
#6. Request for Unusual Payment
Scammers often ask for payment in non-traditional forms like gift cards, wire transfers, or cryptocurrencies. Legitimate organizations will have standard payment options and will not rush you to use an alternative method.
#7. Bad Script or Dialogue
Listen for inconsistencies, misspeaking, or language that seems overly complicated or poorly worded. Legitimate organizations typically use clearly scripted language for customer service interactions.
#8. Background Noise
A legitimate call center will usually sound professional. Be careful if you hear a lot of background noise or what sounds like a home environment.
#9. Asking to Verify Information
Be suspicious if you are asked to verify information that the organization should already have. This is especially true for sensitive information like your Social Security number or bank account number.
#10. Two-Step Verification Warning
If you receive a call shortly after receiving a two-step verification request that you didn't initiate, that's a red flag that someone might be trying to hack into your account.
Remember: always trust your gut. If something doesn't feel right or you're uncomfortable, hanging up and verifying the situation through other means is best.
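Two of the red flags above (#5, a caller ID that is only slightly off from a familiar number, and #10, a call that arrives shortly after a verification code you never asked for) can be checked mechanically. The code below is an added example, not part of the original article; the trusted number, timestamps and the "known-device login" idea are constructed assumptions.

```python
"""Flag inbound calls that trip two machine-checkable vishing red flags:
a caller ID that is a near-miss of a trusted number, and a call arriving
shortly after a two-step verification code the account owner did not request.
All numbers and timestamps here are constructed samples."""
import re
from datetime import datetime, timedelta

def normalize(number: str) -> str:
    """Keep digits only; drop a leading US country code (assumes US numbers)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; numbers are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

TRUSTED = {"Example Bank": "+1 800 555 0100"}  # constructed sample number

def lookalike_number(caller_id: str, trusted=TRUSTED, max_dist=2):
    """Return the trusted name a near-miss caller ID resembles, else None.
    An exact match is deliberately NOT treated as proof of legitimacy:
    caller ID can be spoofed, so only the near-miss case is reported."""
    caller = normalize(caller_id)
    for name, number in trusted.items():
        dist = levenshtein(caller, normalize(number))
        if 0 < dist <= max_dist:
            return name
    return None

def call_after_unrequested_otp(call_time, otp_times, owner_logins,
                               window=timedelta(minutes=10)):
    """True if a verification code was issued within `window` before the call
    and no login from the owner's known device happened around that time.
    (Assumption: the account system logs both events with timestamps.)"""
    for t in otp_times:
        recent = timedelta(0) <= call_time - t <= window
        explained = any(abs(t - l) <= timedelta(minutes=2) for l in owner_logins)
        if recent and not explained:
            return True
    return False

def demo():
    """Constructed scenario: code issued 12:00, no owner login, call at 12:05."""
    call = datetime(2024, 1, 1, 12, 5)
    return (lookalike_number("800-555-0106"),
            call_after_unrequested_otp(call, [datetime(2024, 1, 1, 12, 0)], []),
            call_after_unrequested_otp(call, [datetime(2024, 1, 1, 12, 0)],
                                       [datetime(2024, 1, 1, 11, 59)]))
```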
Don't let yourself be pressured into giving away personal or financial information over the phone. The only thing that can help you avoid becoming a victim of vishing scams is being informed and vigilant.
How to Prevent Vishing: Tips for Consumers & Merchants
Vishing attacks are a pervasive problem affecting not just individual consumers, but merchants and businesses, too.
Consumers are often targeted for their personal and financial information. Merchants, however, are vulnerable to more elaborate schemes to compromise their systems, steal customer data, and conduct fraudulent transactions.
Both parties need to be vigilant and employ robust preventive measures to protect against attacks. Here are our top 10 tips for consumers and merchants to avoid vishing scams:
For Consumers
- Two-Factor Authentication (2FA): Enabling 2FA on all your online accounts adds an extra layer of security by requiring a second form of verification, like a text message or authenticator app, in addition to your password.
- Email Vigilance: Be careful with unsolicited emails, particularly those that ask for personal information or contain links and attachments. Verify the sender's address, look for grammatical errors, and be suspicious of generic greetings.
- Regular Software Updates: Keep all your software and antivirus programs up to date. Security patches are regularly released to fix vulnerabilities that vishers could exploit.
- Check URLs: Before clicking on a link, hover over it to see where it leads. A mismatch between the text of the link and the actual URL is a red flag. Also, ensure that websites use https protocol, indicated by a padlock icon in the address bar, for added security.
- Education & Training: Stay informed about the latest phishing tactics and how to recognize them. A well-informed user is the first line of defense against phishing attacks.
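The "Check URLs" tip above can be automated for the emails that often precede a vishing call: compare the host named in a link's visible text with the host its href actually points to, and flag links that do not use https. This is an added example, not code from the original article; the email body is a constructed sample and the domain names in it are placeholders.

```python
"""Flag links in an HTML email whose visible text names one host while the
href points to another, and links that are not https. SAMPLE_EMAIL is a
constructed example; its domains are placeholders, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value: str) -> str:
    """Lowercased hostname of a URL or bare domain; '' if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def suspicious_links(html: str):
    """Return (href, text, reason) for each link that trips a red flag."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme != "https":
            findings.append((href, text, "not https"))
        text_host = host_of(text)
        # Only compare when the visible text actually looks like a domain.
        if "." in text_host and text_host != host_of(href):
            findings.append((href, text, "link text host differs from target host"))
    return findings

SAMPLE_EMAIL = """<p>Dear Customer, verify your account at
<a href="http://examplebank-verify.example.net/login">https://www.examplebank.com/login</a>
or visit <a href="https://www.examplebank.com/contact">our support page</a>.</p>"""
```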
For Merchants
- Employee Training: Educate employees about the risks of phishing attacks and how to recognize them. Conduct simulated phishing tests to evaluate their readiness and reinforce training.
- Secure Payment Systems: Use secure and updated payment gateways to handle transactions. Ensure compliance with Payment Card Industry (PCI) security standards to protect customer data.
- Network Security: Implement robust firewalls and intrusion detection systems. Regularly monitor and audit network traffic for suspicious activity.
- Access Control: Limit access to sensitive data to authorized personnel only. Use strong, unique passwords and employ multi-factor authentication for critical information systems.
- Regular Backups: Keep frequent backups of important data to mitigate the damage in case of a successful attack. Ensure that backup systems are also secure to prevent them from becoming a secondary target for attackers.
By adopting these practices, consumers and merchants can significantly reduce the risks of vishing attacks. Vigilance, education, and a strong security infrastructure are key in defending against this ever-evolving threat.
FAQs
What is the difference between phishing and vishing?
Phishing is a type of online scam that often uses email to deceive recipients into revealing sensitive information or clicking on malicious links. Vishing, short for “voice phishing,” takes the scam to the phone lines, where fraudsters use voice calls to trick individuals into giving away personal details.
Phishing often relies on text communication, usually via email. Vishing uses spoken conversation to exploit victims.
What is a vishing attack?
Vishing, often called voice phishing, is a form of cybercrime that leverages telephone calls to illicitly obtain sensitive personal information. Scammers employ social engineering strategies to persuade victims into disclosing confidential details, such as bank account access, over the phone.
How common are vishing attacks?
Very common. According to data from Statista, nearly 70% of survey participants have experienced vishing attempts, a 30% increase compared to 2020. Furthermore, 1 in 3 Americans admit to being a victim of a phone scam, and 1 in 5 Americans say they've fallen for a phone scam more than once.
What is the meaning of vishing?
Vishing is a portmanteau that is short for “voice phishing.”
What are the signs of vishing?
Signs of a vishing attack often include unsolicited phone calls from unknown or spoofed numbers claiming to be reputable entities, such as banks or government agencies. The caller usually employs urgent or threatening language to create a sense of immediacy, pressuring the recipient into divulging sensitive information. Additionally, the scammer might already possess some personal information to appear more convincing, using it to request further confidential details or verification codes.