Unknown Number? What Is Vishing and How Scammers Pull It Off
According to the 2020 FTC Data Report, vishing constituted 31% of fraud reports, with an aggregated loss of $436 million. That's a lot of vishing.
Scammers' methods have become out-of-this-world, too.
Years ago, a social media video of a police officer taking a scam call in real time became viral. The scammer, posing as a banking representative, requested personal information on the pretext of verifying their account. The officer was uncooperative. The fraudster became aggressive, threatening legal action, including arrest.
That's only one (aggressive) example of a vishing method. This article will show you the other methods scammers use on unsuspecting victims. Below, you'll learn how to recognize different types of vishing attacks and avoid becoming a victim.
What Is Vishing?
Vishing is a form of phishing that sees criminals using phone calls or voicemail to trick victims into sharing personally identifiable information (PII). This includes physical addresses, credit card details, or social security numbers. Other times, scammers deceive the targets into transferring funds directly.
The ultimate goal of scammers is typically financial gain. However, vishing attacks can happen for other reasons, like identity theft and a desired account takeover.
Vishing attacks can happen to both individuals and organizations. Like other types of phishing – via email and text messages – scammers impersonate parties like government representatives or financial institutions. This helps them gain the victim's trust.
How Does Vishing Work?
Cyber attackers don't start their cons by cold-calling random numbers. They obtain potential targets' information from data leaks or social media. They then use various social engineering techniques.
First, they bait targets with emails (phishing) or texts (smishing). These would require recipients to click a link, call the number provided, or reply to the text message. By responding, the victims confirm the email address or phone number is active. The scammer, therefore, proceeds with the scheme.
Voice phishers initiate calls using the phone number from the email or text message. Sometimes, though, even the potential victim initiates the call.
With the target on the phone, cybercriminals can do either of two things: pretend to be someone the target knows or inform the target they need to perform an action (make payments, for example) to avoid penalties or receive rewards.
Difference Between Vishing and Phishing
Vishing and phishing share the same goals and social engineering tactics. However, they differ in the medium used to perform these cons.
Phishing attacks happen over email. They mimic the design and format of emails from companies you know or use. The email message ranges from there being a suspicious login on your account to a discount offer. The goal is to get you to open a malicious attachment or click a pharming link.
Vishing attacks, meanwhile, happen over the phone. A call center agent, for instance, can receive a call from an "IT support technician" requiring login details. This "technician" may say they need to conduct routine maintenance checks on the computer device. So, in the end, the agent releases the sensitive information.
Vishing attacks are harder to spot than phishing attacks. People aren't familiar with company representatives' names or voices. In essence, anyone who talks over the phone can have a legitimate concern. The victims, therefore, end up entertaining the scammers without suspecting anything.
Some vishing schemes also rely on the use of interactive voice response (IVR) systems. With these automated messages, human interaction is bypassed. The result is that spotting the fraudster behind the scheme becomes difficult.
4 Ways Scammers Pull Off Vishing
Voice scammers rely on human behaviors, such as fear of punishment, appeal to authority, and willingness to be helpful to pull off scams. So, they usually do one or more of the following:
1. Pretend to be government representatives
Many people fear or defer to the authority of the government. Additionally, institutions like the Internal Revenue Service (IRS) or the Social Security Administration (SSA) already have your personal details. So, you wouldn't typically find it suspicious when their "representative" asks you to "confirm your identity."
2. Create a sense of urgency
Scammers don't want to give you time to question the call. So, they apply the pressure of a short deadline. The goal is to create panic and compel you to solve the "problem" immediately.
For instance, some scammers ask small business owners to pay hundreds of thousands of dollars within a period. The scammers' reasons range from the money being a requirement for processing small business grants or serving as a down payment for an office rental.
3. Extract personal information
Many reputable companies ask you to confirm your identity before serving you.
For example, is your email email@example.com? Since vishing scammers don't have the answer to the question, they pose as companies. Then they try to verify email addresses by getting you to explicitly state that it's your email.
4. Pretexting to gain a victim's trust
Cyber attackers create scenarios that compel the target to divulge information they wouldn't normally share. For example, a tech support agent asks for your password to "install a new program." You'd be forced to give up the password since the company's use of the "new program" depends on it.
In all these scenarios, the key is to be discerning. Note that government offices communicate primarily via certified mail. Legitimate IT personnel have backdoor access permissions and don't need your password.
Follow These Tips to Avoid Vishing Scams
Now that you know what a vishing attack is, here are ways to avoid them. Avoid falling into social engineering traps by doing the following:
Don't reveal personal information over the phone: Legitimate companies don't ask for passwords or sensitive data on the phone. Never share this information with anyone. Don't entertain prompts from prerecorded messages.
Verify the identity of a caller before providing any information: Ask the caller for their name and tell them you'll call back after verifying their identity. If the caller is reluctant, they're likely a scammer.
Contact organizations directly: Verify specific events mentioned by the supposed government or business representative over the phone. For instance, let's say a caller says your bank account has been hacked and needs to be verified. Get the bank's phone number on the website. Call to verify.
Keep personal information secure in general: Vishers get contact information from various sources. They can get this by using spyware, social media, or data leakage. So, don't overshare on social media, install anti-virus software, and use email encryption
The best tip to avoid vishing scams is to avoid answering calls from unknown numbers. However, this isn't a serious option for businesses. Therefore, train your employees how to spot scam phone calls.
Other Examples of Vishing Scams
Vishing scams come in other forms. Here are some of them::
IRS vishing scams
During tax season, criminals impersonate IRS officers. They call about "unpaid taxes" or "issues with tax return paperwork." This scam leverages the federal agency's ability to seize bank accounts and file tax charges. Such scare tactics aren't successful when you understand the scope of what the IRS can do.
Bank account vishing scams
This type of scam involves criminals claiming to call from your bank or credit card company. They use the pretext of suspicious transactions to get you to divulge personal information and "confirm" your account.
Sometimes, vishing scammers even bait targets with a fake transaction alert like this:
This SMS text message alerts the mobile device user of a $2,750 debit from their banking account. It tells them to call the fake phone number if they did not make the transaction. In a panicked state, the target will call this number without verifying if it's the bank's official customer service number.
Social security vishing scams
Social security vishing scams target senior citizens. Scammers pose as Medicare or Social Security Administration reps. They trick victims into sharing their social security number, supposedly necessary to "reinstate suspended benefits" or "receive additional payments."
Tech support vishing scams
This vishing method involves cybercriminals pretending to be IT support technicians from a service provider. Their goal is to gain access to a computer device or application.
A typical scenario involves alerting victims of technical failure. The victims are then directed to download software to "fix the issue." The software is, in reality, malware.
How To Report Vishing Scams
If you suspect you've been a victim of vishing, report it even if the attempt was unsuccessful. Do either of the following:
Contact the FTC: The Federal Trade Commission is in charge of investigating fraud. Reporting scams to the FTC allows them to track patterns and build cases against vishers.
Report the vishing scam to local authorities: Many police departments have a fraud department to investigate such incidents. Furthermore, regulated businesses like banks must report fraud to law enforcement authorities.
Inform the relevant organization about the scam: Scams can negatively affect a business's reputation. Alerting them to fraudulent activity allows them to take measures to protect their brand and other customers.
Make it a point to retain evidence of vishing attacks. This includes call records, emails, texts, and transaction receipts.
Voice phishing can be an effective way for cybercriminals to defraud unsuspecting people. In some ways, it's more effective than a phishing email or text.
However, like all social engineering attacks, there are signs the person you're talking to is the person they claim to be. Awareness is critical to avoiding phone scams.
Follow the tips in this article to spot scammers. That way, you can protect your data and finances before it's too late.