Phishing is the tried-and-tested email scam that spoofs authoritative sources to deceive recipients into giving over sensitive information or downloading software known as malware. Vishing is its voice call equivalent of pishing. It’s a con trick with many variations that can impact individuals and organizations alike – with potentially devastating consequences.
Together phishing, smishing, pharming and vishing targeted more than 241,000 victims over $54 million in 2020. And that are just the cases that were reported to the FBI , because many cases of fraud go unreported. So how do vishing scams work, how do they impact your life, businesses and individuals, and how can you protect yourself and your family from them?
Vishing works across the consumer and business zone for one very good reason: human fallibility. Social engineering sits at the heart of the bad guys’ efforts. It is, in effect, the art of persuasion. Social engineering is about impersonating a trusted person or authority – your bank, technology provider, the government, an IT helpdesk worker – and creating a sense of catastrophe, urgency or fear that overrides any natural caution or suspicion the victim may have.
These methods are used in phishing emails and fake text messages (known as smishing). But perhaps they’re most effective when used “live” over the phone. Vishers have many additional tools and tactics to make their scams more successful, including:
- Caller ID spoofingtools, which can be used to protect the scammer’s real location and even impersonate the phone numbers of trusted firms and organizations. Last year, for example, clients of a London hotel had their personal details stolen during a breach at the luxury hotel and the scammers then used the data to mount convincing social engineering attacks against the victims, spoofing the hotel’s official number in the process.
- Multi-channel scams that might start with a smishing text message, a phishing email or a voicemail and encourage the user to call a number. Doing so will put the victim through direct to a scammer.
- Social media scraping and open source research which can provide the scammer with a wealth of information on their victims. It can be used to target specific individuals (say, corporate employees with privileged accounts) and to add legitimacy to the scam – i.e. the visher may repeat back some personal details to the victim so that they might divulge more.
Don’t answer calls from unknown numbers. Scammers use apps to spoof numbers. This means they can make any name or phone number appear on your caller ID. The local phone number you see displayed may actually be placed from overseas. Once the phone is answered, scammers will know the number is valid and will continue to call.
Vishing is most likely in corporate context to be used to steal privileged credentials or trade secrets. The FBI has warned multiple times of such attacks. Back in August 2020, it detailed a sophisticated operation in which cybercriminals researched their targets and then called pretending to be from IT helpdesk. Targets were encouraged to fill in their log-in details at a previously registered phishing site designed to spoof the company’s VPN log-in page. These credentials were then used to access company databases for customers’ personal information.
Don’t call the phone number on the pop-up tech support window on your computer. Legitimate tech support will not show you a pop-up box with a phone number to call. The scam pop-ups may include a link. Do not click the link as it could download malware on your computer or give access to the scammer.
Don’t provide your online password, username or two-factor authentication code if asked. Only scammers ask for these things. And once they have it, they can access your online account and withdrawal your money. Such attacks are more commonplace partly thanks to the mass shift to remote working during the pandemic, the FBI warned. In fact, it was forced to issue another alert in January 2021 for an operation in which similar techniques were used to gain corporate network access.
A now-infamous breach at Twitter, in which highly targeted employees were tricked by vishers into revealing their logins, illustrates that even tech-savvy companies and users can fall victim. In this case, access was used to hijack the accounts of celebrity users to distribute a cryptocurrency scam.
Although some of these scams are becoming increasingly sophisticated, there’s plenty you can do to mitigate the risk of falling victim. Some basic steps include:
- Go ex-directory, so your number is not publicly available.
- Don’t give out your credit card number and 3-digit security code to solicitations by phone, text or email. No financial institution will reach out and ask you to provide your credit card number to verify a purchase. Hang up and call the phone number on your card to verify purchases.
- Do not enter your phone number into any online forms (i.e. when buying online).
- Be wary of requests for your bank, personal or any other sensitive information over the phone.
- Exercise caution – don’t engage with any unsolicited callers, especially if they ask to confirm sensitive details.
- Never call back a number left via voicemail. Always contact the organization direct.
- Use multi-factor authentication (MFA) on all online accounts.
- Don’t send money on a cash app to someone you do not know. If you get a request to send money, verify the identity of the recipient by speaking to them directly first.
- Ensure your email/web security is updated and includes anti-phishing capabilities.
Unfortunately, vishing scammers are also out in force to target consumers. In these attacks, the ultimate goal is to make money from you: either by stealing bank account or card information direct, or tricking you into handing over personal information and logins they can use to access these accounts.
Be suspicious of unexpected or unsolicited phone calls, emails, and texts asking you to send money or disclose personal information. If you receive a suspicious call, do not accept it, hang up, and call back using a known contact number.
Tech support scams: In tech support fraud, victims are often cold-called by someone pretending to be their ISP, or a well-known software or hardware vendor. They’ll claim to have found a non-existent problem with your PC and then elicit payment (and your card details) to fix it, sometimes downloading malware in the process. These scams may also begin with a user presented with a pop-up window that urges them to call a hotline number.
Be cautious when sharing sensitive information and conducting personal or confidential business via email, since it can be compromised and used to facilitate identity theft.
Wardialing: This is the practice of sending automated voicemail messages to large numbers of victims, and usually tries to scare them into calling back—for example by claiming they have tax bills or other fines unpaid.
Do not disclose personal or sensitive information on social media sites, such as your birthdate, contact information, and mother’s maiden name.
Telemarketing: Another popular tactic is to call up claiming the recipient has won a fabulous prize. The only catch is that there’s an upfront fee required before the victim can receive their prize.
Be cautious when receiving money movement instructions via email. Call the sender at their known number (not a number provided in the email) to validate all instruction details verbally before following instructions or providing your approval.
Check your email and account statements regularly for suspicious activity. Phishing/smishing: As mentioned, scams can begin with a spoofed email or fake SMS, encouraging the user to call a number. A popular one is an ‘Amazon’ email claiming something is wrong with a recent order. Calling the number will put the victim on the line with a vishing fraudster. Protect yourself from phishing attempts and malicious links (see glossary for additional information).
I hope you enjoyed this 2021 updated Mytrendingstories scam avoidance tips and tricks overview.
Published by Benjamin