Vishing is the act of gathering sensitive information over the phone through social engineering techniques. The attacker plays on the trust people place in the telephone system. Most people are not expecting a fraudulent phone call, so it catches them off guard when it happens.
Millions are targeted this way each year and some face out-of-pocket losses. Governments try their best to put a stop to these attacks, but it is never enough. Hundreds of thousands of calls get blocked each month, yet many still get through and have the potential to harm you.
How Can Vishing Attacks Hurt You?
There are many ways a vishing attack can cause damage. The most notable cases involve financial loss and identity theft. The latter can take thousands of dollars and hundreds of hours to repair, which is why identity theft prevention is taken seriously in the first place.
Just think … the caller only has to gather certain pieces of information about you.
This could include your name and mailing address, your credit card numbers, or even your Social Security Number. You do not know which pieces of information they are after, and all you can go on is the approach they take.
With the right pieces of information, the criminal will be able to generate fake IDs in your name. In turn, these IDs could get used to open new bank accounts and credit lines. You could find yourself liable for an extensive amount of damage. Yet, blocking the vishing attack in the first place would save you from all that stress.
How to Protect Yourself from Vishing Attacks
There are two types of vishing attacks worth addressing: automated and personalized attacks. The automated attacks are less threatening, as the same message is aimed at every call recipient. The personalized attacks can be serious, as they use pieces of information that are specific to each recipient.
That said, let’s address both types …
Blocking Automated Vishing Attacks
First, make sure your phone number is on the Do Not Call List. This will stop you from having to screen a lot of calls that are obvious scam attempts. It will not put a stop to every single possible vishing attack, though.
Second, look up the phone number that is calling you. The majority of spam-heavy numbers get reported on the Web by other unsuspecting recipients, who describe what they experienced during the call. In most cases, a vishing campaign reuses the same phone number, so the reports pile up and the power of numbers works against the attacker. However, some vishing attacks run under spoofed numbers, and these are harder to track down.
Third, listen closely to the words that are said at the start of the message. An automated recording is a sign of a vishing attempt. Most start along the lines of “Your account was compromised” or “Your credit card was used for fraud,” and these are easy to spot. If it is a human voice on the other end it gets harder, but that is a form of personalized attack.
Blocking Personalized Vishing Attacks
Another approach identity thieves take involves picking up the phone and talking to the recipient themselves. This works better if the criminal is personable and does well with convincing people over the phone. Paired with an American accent, a personalized vishing attack could be a lot harder to block for the average individual.
So, make it a rule of thumb to put the caller through your own security clearance. Ask them to read back part of your credit card number, your e-mail address, or other information they should have on file. If you cannot get enough confirmation that way, ask for a call-back number and their extension. There is no reason for a legitimate company to refuse you here, so a failure to follow through indicates the caller was just a fraudster.
Yet, the caller could have a little bit of information on you. In fact, your phone number could come from a list they bought which contains other pieces of information. This means you might be able to get your mailing address read back, so it’s not a bulletproof security clearance approach. As such, the only way to keep yourself 100% safe is to always call back the caller before discussing matters in detail.
There are many ways an attacker could approach, but let’s look at some common examples.
Caller: “Hello, we are calling in regards to an account you recently set up with us. We have this phone number (read back) listed for a (recipient’s name) and just wanted to verify that this is you.”
Recipient: “Yes, this is me!”
Caller: “Wonderful (name), now I just need you to confirm your e-mail address…your date of birth…and your Social Security Number.”
As you can see in the example, a rapport is built between the caller and the recipient through the pieces of information that were available. The caller then used this trust to request more extensive details from the recipient. If this information was given up, especially the Social Security Number, a lot of damage could occur.
Caller: “Hello, this is your captain calling! You have been selected as the winner of our Caribbean Cruise. Please press ‘1’ to register to have your set of boarding tickets mailed out this week!”
You pick up the phone and right away, you won something. That’s a crazy concept and it’s never going to be real. If you did not enter the contest they are talking about, then what are they talking about? These congratulatory messages are obvious scams and as such, they often get sent through automated dialers and target everyone. In fact, “Your captain is calling” is a common congratulatory message and thousands have already reported this scam.
Caller: “Hello, this is Diane from Bank of America. We are contacting you in regards to your online banking services. It appears an individual from Israel attempted to log into your account yesterday. We also see a recent log-in on your home computer and this has caused some red flags in our system.”
Recipient: “Yes Diane, that does not make any sense. I used my online banking account this morning from my work computer, and also last night at home. There should not be any reason for my account getting accessed from out of country; I do not even have a passport!”
Caller: “Alright, we will make note of that and continue to block access from non-U.S. IP addresses. The attacker did get into your account, so we will request that you change your online banking password and any other account passwords that are the same. Before letting you go, I would like to ask if you wish to post a 1-week security freeze on your account. This would prevent any money from going out without a verbal confirmation from you first.”
Recipient: “I suppose it’s better to be safe than sorry. Sure, set that up…it should give me enough time to get to the bottom of this!”
Caller: “Perfect. I will get to that now. I just need to get your security PIN to confirm this is you, and then my system will authorize the action. Once I have that, you will be good to go!”
As you can see, this was a personalized attack against the recipient’s identity. The goal was to gather the person’s bank account PIN. In this case, the culprit could already have the login credentials for the person’s online banking and might just need the PIN to make those details profitable. Either way, you should not give out your PIN or other security information over the phone unless you are 100% certain of who is getting it.
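As an added illustration (not code from the original article), the following Python helper applies the red flags described above to a call: it compares the displayed caller ID against a directory of published numbers and scans the call transcript for the secret-data requests and automated openers the article lists. The directory entries, phone numbers and transcripts are constructed placeholders.

```python
import re

# Constructed directory of published contact numbers, keyed by organization.
# The numbers are placeholders for illustration, not real phone numbers.
OFFICIAL_NUMBERS = {
    "bank of america": {"+15550100100"},
}

# Red flags taken from the article's examples: requests for secrets that a
# genuine caller never needs, and the openers used by automated campaigns.
RED_FLAGS = [
    ("social security number", 3),
    ("pin", 3),
    ("password", 2),
    ("date of birth", 2),
    ("credit card number", 2),
    ("account was compromised", 2),
    ("used for fraud", 2),
    ("you have been selected", 2),
    ("winner", 2),
    ("press 1", 1),
]


def normalize_number(raw):
    """Reduce a displayed caller ID to +1NNNNNNNNNN form (US numbers assumed)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def score_call(claimed_org, caller_id, transcript):
    """Return (score, flags) for a call. Any score above 0 means hang up and
    call the organization back on its published number before sharing data."""
    flags = []
    score = 0
    official = OFFICIAL_NUMBERS.get(claimed_org.strip().lower())
    if not official:
        flags.append("organization not in directory")
        score += 1
    elif normalize_number(caller_id) not in official:
        # Caller ID can be spoofed over VoIP, so a match proves little,
        # but a mismatch is a strong signal.
        flags.append("caller ID does not match published number")
        score += 2
    text = transcript.lower()
    for phrase, weight in RED_FLAGS:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            flags.append(phrase)
            score += weight
    return score, flags
```

Run against the “Diane from Bank of America” dialogue above, the mismatched caller ID plus the password and PIN requests score 7; the cruise recording scores 6 on its congratulatory opener alone.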
How to Stay Ahead of the Game: Know Their Tricks!
Vishing is just like any other type of phishing attack, in the sense that it evolves with time and the criminals get smarter about their approach. Now, there is just more focus on creating personalized attacks as everyone knows about the mass-marketed tricks.
Yet, there are still a few techniques that will never die off.
Caller ID Spoofing
Through the use of Voice over Internet Protocol (VoIP), a caller is able to spoof the caller ID name and number displayed when they call you. This means you could trust that it really is your bank or credit card provider calling, right up until the caller says something suspicious. If you trust the phone number itself, it only takes a smooth-talking caller to make the attack a success.
Fake Call Drop
The smartest way to answer these calls is by hanging up and calling the company back to verify the caller’s identity. Yet, attackers have found a way to work around this strategy. They do this by asking the call recipient to hang up and call their bank or credit card provider back. When the recipient hangs up, the caller stays on the line and pretends the new call went through. Waiting for a dial tone, or placing the call-back from a different phone, defeats this trick.
IVR (Automated Systems)
By using interactive voice response (IVR), the caller builds an automated system for their attack. This technology allows communication between computers and humans through voice and DTMF tone entry. It is the same technology that lets you press a number and get a relevant response or options list. An attacker can take things a step further by breaking into a VoIP server and installing their IVR software on it. With this approach the attack takes place when the victims themselves call the breached phone number, so the attacker never has to place an outbound call.
Conclusion: Vishing is a Serious, Stoppable Threat!
Vishing is a serious threat as the attacker can obtain just about any piece of information from you if you believe them. This means you need to take the time to evaluate the caller and the reason behind the call. You cannot just trust them without knowing for sure that they deserve your trust.
There are many small preventative steps you can take. For example, it is not hard to take the phone number and search for it in Google. If it does not match the company the caller claims to represent, that is a good sign something is wrong. If everything else matches up but they insist you do not call them back, call back anyway.
An identity thief will always find a way to approach you. It is your job to fight back, and keeping yourself safe from vishing attacks is just part of the battle!