What is vishing?
Vishing is a phone scam. In a vishing attack, a scammer preys on human error by phoning their victims and attempting to get them to reveal their personal information, money, or both. The word “vishing” comes from “voice” and “phishing,” which suggests that a fraudster is dangling a hook or a lure to get unsuspecting victims to reveal usernames, passwords, or credit card details, or download malware onto their devices.
Originally, phishing attacks were mostly confined to phony emails from what appear to be a trusted source. The emails are cleverly designed to lure unsuspecting folks into clicking a link and entering the data on an illicit website. The phishing lexicon has expanded to include smishing, which uses fraudulent text messaging, and pharming, which is phishing using fake websites without the email hook.
Vishing Scams are a Real Hang-Up
Phishing accounts for an astonishing 90% of data breaches, according to Cisco’s 2021 Cybersecurity threat trends report. The FBI lists the three subgroups of phishing — vishing, smishing, and pharming — as the most prevalent threat in the U.S. in 2020, with more than 240,000 victims. And in March of that year, when the first peak of the pandemic was being felt around the world, these scams thrived and phishing emails spiked 667% globally.
The reason vishing is so successful is that it exploits the subconscious side of human nature. Vishing is a form of social engineering — that is, the criminal uses specific or “vague enough to be real” details about the victim to get them to believe the scam caller is authentic and should be trusted.
Vishing calls may come from a blocked number or a fake or spoofed phone number used to impersonate a legitimate person or organization. Fraudsters also use robocalls to carry out vishing schemes on a larger scale.
No matter what form the phishing attack takes, social engineering thrives in times of uncertainty.
How Does Vishing Work?
The person or robot placing the phone call uses a sense of urgency or the guise of an emergency to ask you questions confirming your identity or personal details, and then asks for even more information. Many of these vishing ploys have used the urgency of the COVID-19 pandemic and consumers’ thirst for information (for example, free testing sites, vaccine signups, or trials) to set up phone-based credential scraping or malware droppers through malicious websites designed to look professional, credible, and mobile-responsive. Many of these sites use branding from the Centers for Disease Control (CDC) or other health and government authorities.
The catalyst may not always be negative situations: sometimes the urgency comes from the excitement of potentially winning money, gifts, or trips. Unfortunately, it’s all fake when it comes to vishing scams. The scammer really wants your personally identifiable information (PII), financial account details, medical information, or other sensitive data. And they want you to give it to them over the phone quickly before you have time to realize it’s a scam.
Cisco reported that in 2020, social engineering attacks spiked 52% in December as people tend to let their guard down during the holidays. They also spiked in the back-to-school periods of August and September, when families were completely upended and distracted by remote learning.
Common vishing tactics to listen for:
- Your Social Security number has been compromised
- Your bank account has been red-flagged or hacked
- You’re eligible for free COVID testing or an experimental vaccine
- A charity is requesting a donation for disaster relief or COVID-19 support
- A credit card charge needs to be verified
- The IRS has discovered discrepancies in your tax return
- Your vehicle is qualified for an extended warranty
- Your computer has been compromised and requires tech support services
- There is a warrant issued for your arrest
- Your friend or family member needs money to get out of trouble
- Your friend or family member was in an accident
- You have won a free vacation (or sweepstakes, or lottery, or giveaway)
- You’re eligible for a free trial or free product for something you didn’t request
What’s at stake? What do I do if my information is stolen in a vishing scam?
When victims are tricked into sharing their name, date of birth, Social Security number, bank account details, and other sensitive information, fraudsters are equipped to commit credit card fraud, account takeovers, and identity theft using that information.
If you have shared your personal information, bank account, or credit card number in what you suspect was a vishing scam, report the call to your financial institution and government agencies. Several agencies are working to reduce fraud and capture scammers, including the Internet Crime Complaint Center (IC3), the Federal Trade Commission (FTC), and the Better Business Bureau (BBB).
Best Advice: Hang Up
- If you are worried a phone call is a scam, hang up. Calling the number back will only reconnect you with the scammer. Look up the correct number yourself through an organization’s website or phone directory, or call the number listed on your bank or account statement or the number on the back of your credit card.
- Think before you speak. If you receive a phone call from an unknown number or a familiar name you weren’t expecting a call from, do not share any sensitive or personal information — not even your date of birth. This applies especially if the caller requests ANY information from you to confirm who you are before proceeding with the call. Scammers want you to react and divulge your information. The person on the end of the line may sound sincere and trustworthy, but that doesn’t mean they’re legitimate.
- Is that really a government agency? Remember, the Social Security Administration and the IRS will never call you to request personal information or make threats. They conduct official business through the U.S. mail.
Vishing Lures are Breaking
Finally, there is some good news to report. As of June 30, 2021, FCC rules require telecommunications providers to implement STIR/SHAKEN authentication standards in the Internet Protocol (IP) portions of their networks so that “Americans can benefit from this important technology and start to have faith in their phones again.” These processes significantly reduce the ability of vishing scammers to spoof legitimate names and phone numbers, giving them one less way to fool you into exposing your personal and financial information.
The new rules have teeth. The FCC fined a telemarketing firm a record $225 million for transmitting approximately 1 million robocalls, many of them illegally spoofed, to sell short-term limited-duration health plans (the robocalls falsely claimed to represent well-known health insurance companies).