Coming shortly after the biggest hack in Twitter history, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the increase in vishing campaigns targeting employees of numerous companies. This rise in voice phishing scams is partly related to the high number of people working from home due to COVID-19 and the resulting need for remote verification.
However, remote workers are not the only ones who might be targeted by a vishing attack. Anyone can become a victim if they are not aware of how this type of scam functions. Here’s a detailed look at what vishing is, how it works, and what you can do to protect yourself against voice phishing scams.
What is vishing?
Vishing, a combination of the words ‘voice’ and ‘phishing,’ is a type of phone scam that tries to trick victims into giving out personal or sensitive information. It’s also referred to as “phone spear phishing” or “voice phishing.” The goal of a vishing attack is usually to steal someone’s identity or money, or both. Vishers leverage people’s trust in the human voice to further exploit the social engineering techniques of typical email or fake website phishing scams.
How does vishing work?
Vishers use high-tech methods to carry out their attacks, involving tools like automated voice simulation to impersonate a person or business. Using voice over internet protocol (VoIP) technology, scammers can make hundreds of calls at a time and even create fake Caller ID profiles (known as Caller ID spoofing) that provide legitimate-looking phone numbers.
Once they have their victim on the line, they will prey on emotions like fear or greed to convince them to reveal information like credit card details or passwords. They might even make use of information gathered about their target from the internet or social media. If someone doesn’t answer the phone, a visher will leave a voice message so their call will be returned.
Tips for spotting and avoiding voice phone scams
We know that vishers often carry out their scams by spoofing a legitimate phone number, so Caller ID isn’t foolproof against this kind of attack. Instead, it’s important to be aware of the common characteristics of a vishing attack. Let’s walk through what to look out for in a voice phishing scam and tools you can use to protect yourself.
In many cases, a vishing scam caller will pretend to be an expert or an authority in their field. Often this means posing as tech support, someone from your bank, or an employee of a governmental organization like Medicaid or the IRS. If you are skeptical of their claim, ask the caller to verify their identification. Request further contact information so you can also authenticate their identity by calling their place of business or organization directly, using a number you find on their website, not the number you were called from or one that was given to you.
A second red flag for vishing scams is a sense of urgency. Vishers try to pressure their victims to give out information by making it seem like it’s a dire situation that will become dangerous if you don’t act fast. Don’t panic. Try to slow down the conversation and start documenting all the information you are being provided. Most importantly, do not give out any personal information!
Be aware of any additional correspondence sent to you by the caller as well. Don’t click on any links in emails or SMS text messages that could be part of a smishing attack. Avoiding these links can save you from downloading malware, which would give the scammers further access to your device or the chance to steal sensitive information.
In general, if you find yourself suspicious of a caller’s intention, don’t be afraid to hang up. You don’t need to make an excuse to get off the phone and end the conversation. The sooner you break off the call, the less chance that you will be tricked or manipulated into revealing information that could be later exploited.
What to do if you’ve been the victim of a vishing attack
If you think you might have given out financial or sensitive personal information to a phone scammer, contact the financial institution of the potentially breached account immediately. Review your accounts for fraudulent activity and ask the financial institution about how to cancel or block future charges. Change your passwords for all accounts, and if you have been compromised, see if you can even change your account number. Additionally, freeze your credit reports to avoid having anyone open new accounts in your name.
Furthermore, the Federal Trade Commission has additional tips to help you avoid vishing attempts and block unwanted phone calls. On their website, you can find information about listing your number on the National Do Not Call Registry, how to officially report robocalls, and more.