You’ve probably heard of identity fraud. It is a scam technique where an email or other digital message is sent to you, posing as a bank or online service. It will tell you that something is wrong. Maybe your password has expired or your bank says you’ve been a victim of fraud.
There is usually a link in the email as well. If you click on it, you will be taken to a fake version of the real site. They trick you into typing in your real credentials and the attackers get your login details! Sometimes all they want is personal information that can be used against another person or in another type of attack. As if phishing wasn’t enough, now we have to deal with vishing attacks: a relatively new twist on phishing that is not so easy to defend against.
What is vishing?
The word vishing comes from the words “voice” and “phishing”. So in essence it is voice phishing. Vishing is perpetrated over the phone, through VoIP applications, or any digital method of speaking to someone directly using their voice.
The vishing attack pattern
Vishing attacks are primarily a form of social engineering attack. That is, they focus on the weaknesses of human psychology to achieve their goals.
While each specific scam is unique in its details, they do have common elements:
- A scenario that puts you under some sort of pressure involving fear, greed, or an emergency of some kind.
- The person will pretend to be someone from a known institution or, if it is a targeted attack, a mutual acquaintance of someone you know in real life.
- The person on the phone will directly ask you to provide information such as a username, password, credit card number, or other personal information.
- They will then end the call at some point and use that information against you or someone else.
It is difficult to give a universal explanation of what these attacks are like because they can be very different from one to another. So let’s take a look at some of the most common scams.
Typical vishing scams
Many vishing scams are about money, which makes sense when you think about it. The attackers will pretend to be from a bank or financial institution. They will call you on the phone and tell you that there is a problem with your card or account. At some point during the call, you’ll be asked to provide your credit card numbers, or perhaps you’ll be asked to make a new payment because the previous one “failed.” In all cases, any money that leaves your account will go directly to the scammer.
There are also scams involving easy loans at low interest rates, investment opportunities that will allow you to earn large amounts with small payments, etc. All of these are scams that involve some kind of processing fee or investment payment on your part. They’ll tell you the offer is only available if you close the deal right there on the phone, and as you’d expect, you’ll never see your money or the “company” again.
There are also many scams involving government agencies. These may depend on weaknesses in the social security system. Scammers call by phone pretending to be health aid officials or social security departments. They will ask the victim for details related to these services and then use them to steal those same benefits.
Impersonating a tax collector is another popular one. This can be used to scare people into paying “fines” or facing arrest. It can also be used to steal tax refunds: the scammers get your filing information and then file before you do, using their own bank details. The IRS has a tax scam page, as do most tax authorities in the world, so it’s worth checking out.
Protect yourself against vishing attacks
It can be very complicated to protect yourself against vishing. There are some basic rules you can use to make yourself less likely to be scammed:
- Never give out crucial information like a social security number, password, or credit card number over the phone.
- There is no phone emergency that requires you to act without thinking.
- Hang up and call the legitimate public number of the company the caller claimed to be from, then verify the call.
- Do not use a callback number provided by the caller.
- Never make any payment based solely on an unsolicited call.
- Use a call blocking app with a list of scammers.
- If you get a robocall, don’t answer it. However, if you do, don’t press any buttons. Just hang up.
- Never provide “verification information” to someone who has called you. Always call the legitimate public number before offering any personal information such as your name, address or number.
Vishing is often successful because it’s easier for a human being on the phone to be convincing. We often feel a social obligation to be polite or to obey someone who seems confident and authoritative.
It is especially effective against people with less computer knowledge or people who are not familiar with phishing scams in the computer world. People who still use landlines, for example, may be older and less familiar with cybersecurity issues. Now that you know what vishing is, you can successfully prevent it!