Vishing

By Ed Desorcy

If you’ve been keeping up with our Scam School articles, you might be familiar with the term phishing, and the increasing threat it poses to businesses and consumers alike. Phishing can be described as the act of asking a target for a piece of information under the guise of a legitimate request. These scams typically occur in the form of emails delivered to the inbox of unsuspecting users. These emails are often full of social engineering techniques like impersonation and intimidation, which allow the sender to get their point across. You can learn more about phishing in this article, Resist Getting Hooked.

What is Vishing?

Voice phishing or “vishing” is the dual-threat combination of using Voice Over Internet Protocol (VoIP) and phishing. These calls often involve advanced social engineering tactics, and more specifically, a direct human connection as opposed to an email or text message.

Although the name doesn’t exactly roll off the tongue, vishing is an ever-increasing threat to businesses and the safety of your company’s information. With the increasing popularity of VoIP as opposed to traditional landlines, scammers can fake or “spoof” their phone number, location, and even manipulate their voice without the fear of repercussion or being traced by law enforcement.

The subject matter of these calls can vary. The caller can alert you that your credit card or bank account have fraudulent activity. The caller can also claim to be from a specific agency or company and threaten legal action or incarceration unless a social security number is provided, or a fee is paid. Common scams include impersonation of known government agencies such as the IRS or FBI.

Imagine the supposed “CEO” of your company calling you from “out of the office” to retrieve his password or to get other sensitive information. The threat of urgency, especially from an authoritative figure, can sometimes cause a person to divulge information they otherwise wouldn’t in a normal situation.

Robocalls

We’ve all had them; I’ve received 3 while writing this article alone. A robocall is an automated phone call that is made by a computer system. Once connected, the robocall delivers a pre-recorded message to a victim. These recordings use the social engineering tactics of authority, scarcity, and intimidation to manipulate the user into sharing sensitive information, such as a social security number, and personal or financial information.

Preventative Measures:

There is no easy solution to prevent vishing and robocalls. Social engineering attacks are successful because they rely on human nature and psychology to trick victims into giving away personal information. Your best weapon is awareness.

  • Be aware of what a vishing attack is. Never give away personal or financial information over the phone, especially if you didn’t initiate the phone call.
  • Authenticate the caller. Authentication is how the caller will identify themselves or the company they work for. If the caller cannot authenticate themselves in at least two ways, hang up immediately.
  • Don’t answer numbers you don’t recognize. Robocallers will often screen vast databases of numbers to see which are active. If you don’t know the number, it’s okay to let the call go to your voicemail.
  • What are they asking? Is the caller threatening legal action over your past-due student loans? Is the caller claiming to be someone from Apple who is concerned about the state of your iCloud account? Companies like Apple and Microsoft will never call you directly, and they will not use scare tactics to pry information from you.
  • Are you a winner? Have you won a free, all expenses paid cruise to the Bahamas? Recognition of when a scenario is too good to be true can often make a difference in the success and prevention of an attack.

Don’t be afraid to hang up if something about the call seems suspicious. If they’re trying to steal your information, all phone manners go out the door. Hang up and call that business directly to confirm the status of your account, or if you have any questions regarding the phone call. Remember, if you receive a call from someone claiming to be from a business and they are requesting any kind of personal information, do NOT give out any of your information.