As you know, advances in technology have changed our lives in many positive ways. The bad news is that crooks keep pace with technological innovations and adjust their scams accordingly. One of the many technology-based criminal scams is “vishing.”
What Is Vishing?
Impersonating a person or legitimate business to scam people isn’t a new thing. Vishing is simply a new twist on an old routine. In fact, vishing has been around almost as long as internet phone service. The word “vishing” is a combination of “voice” and “phishing.” Phishing is the practice of using deception to get you to reveal personal, sensitive, or confidential information. However, instead of using email, regular phone calls, or fake websites like phishers do, vishers use an internet telephone service (VoIP).
Using a combination of scare tactics and emotional manipulation, they try to trick people into giving up their information. These vishers even create fake Caller ID profiles (called “Caller ID spoofing”) which makes the phone numbers seem legitimate. The goal of vishing is simple: steal your money, your identity, or both.
You may be wondering how a vishing scammer obtained your phone number in the first place. There’s usually no simple answer to that question, but there are several possible sources. Scammers could be using stolen phone information or calling auto-generated numbers until they get a match. Particularly in 2017 and 2018, the likelihood that your number was stolen and floating around on the Dark Web is extremely high. The Equifax breach alone impacted 143 million Americans. And if you’re like me, your email address was already stolen in multiple different breaches over the years.
Not All Vishing Scammers Target Individuals
One common misconception about vishing is that the attacks target average consumers. However, businesses are also commonly in the crosshairs. Scammers may target businesses not only to obtain private user information but also to potentially scam those businesses out of money and valuable data.
A skilled scammer can even get complete access to an individual user’s targeted accounts. Unfortunately, there’s little you can do to protect against scammers who trick your bank or other businesses into giving up your information. The fault in these cases lies with business support staff who fail to follow proper procedures and instead fall victim to intelligently deceptive vishing scams.
Common Vishing Techniques
By spoofing a legitimate phone number, scammers lead people to believe the call is legitimate. Because they can do this, you can’t trust Caller ID. And even if you don’t answer the phone, they leave voice messages to provoke a response, hoping that you’ll return their call and give up your information.
Vishing can take several forms. One form targets your bank account or credit card account. For example, you might get a call with a message such as: “Your account has been compromised. Please call this number to reset your password.”
The visher hopes you’ll hear the message and panic. Typically, when you dial the number they leave, you hear an automated recording which asks for information like bank account numbers and/or other sensitive information.
Another example is a phone call about a free offer or telling you that you’ve won a prize. But in order to redeem the freebie, you must first pay for shipping and handling. A third example is a call saying you’ve won a prize such as a cruise or Disney vacation. To claim your prize, you’re told to first pay a redemption fee. Often, they ask you to give your credit card number over the phone.
Other vishing scams include things like:
- Unsolicited offers for credit and loans
- Exaggerated investment opportunities
- Charitable requests for urgent causes
- Extended car warranty scams
What Is Vishing Banking?
A vishing banking scam is a vishing attack that involves a call from someone who says they’re from your bank or some other financial organization. They may tell you that there is a problem with your account or with a payment from your account. They might ask you to transfer money to a different account to correct the problem. However, all they’re doing is taking your money.
What Is a Phishing Phone Call?
A phishing phone call is a call from someone pretending to be from a bank, credit card company, debt collector, charitable organization, healthcare provider, or even the IRS. Some phishers may tell you that you’ve won a prize, like a vacation, but you need to pay a small fee to collect it. Their objective is to trick you into giving sensitive information over the phone. If you give them your information, they can access your financial accounts or steal your identity.
What Is the Difference between Phishing and Vishing?
Phishing can take many forms, such as a phone call, an email, or a phony website. In comparison, vishing uses internet phone services (VoIP) to complete the scam. Often, this includes “spoofing” the phone number of a real business or company.
When vishers spoof a legitimate business and customers are affected, the company suffers. Even though the actual business had nothing to do with the vishing scam, the company’s reputation, brand, and image could be negatively impacted.
How to Avoid Vishing Scams?
Unfortunately, there’s little you can do to fully avoid vishing scammers. Fraud against the businesses and institutions that house your private information is completely out of your control. And fraudsters tend to ignore established “do not call” registries, as they aren’t legitimate businesses concerned about government regulations or legal consequences. Given your number is often associated with many accounts, you are likely to lose your number to scammers in a data breach at some point if you haven’t already.
Still, there are steps you can take to avoid vishing scams. Some employ technical means, while others involve being proactive.
1. Never Answer a Call from an Unknown Number
It may be tempting to answer calls from unknown numbers. But doing so could lead you right into a scammer’s waiting arms. Additionally, picking up may only alert the vishing scammers that the number is active, leading to more calls down the road.
Instead, let the call go to voicemail. The rule of thumb is that any real person, business, or government institution that was calling for something important will invariably leave a voicemail or call back later. Many vishing scams will also leave a pre-recorded voicemail message, which will give you a chance to properly vet whether the caller is a legitimate source.
Do note, however, that many vishing scammers will now call back immediately. The purpose of the callback is to counter the above advice. We are more likely to pick up an unknown number that calls back, as traditionally this has indicated that the caller is not only someone that we know, but that the call is important. This tactic helps explain why vishing is considered a type of social engineering.
For my own part, I once received a number of calls from a vishing scammer that consistently went to voicemail with a silent message. At one point, the scammer (clearly frustrated) left a 30-second voicemail that was again silent until the last second, in which he whispered: “You will someday”. Super creepy? Yes. But it’s also a good example of why you should not answer calls from those unknown numbers.
2. If You Do Answer, Never Give Personal Information Over the Phone
Banks and government institutions should never ask for personal information over the phone. That said, banks will call you if they believe fraud may be occurring on your account. However, they will typically only call to confirm your location and alert you to the event. They won’t ask for private information in a call you receive from them. Government institutions like the IRS almost exclusively communicate by mail or occasionally email to conduct official business.
If you are asked to give personal information, ask for the caller’s name and let them know you’ll call back after acquiring an official number. The suspicious caller may try to give you a number to call back on. If that occurs, cross-reference this number with information available online. If the numbers differ, call the number you found through your online search, as published on the business or institution’s website. Once you call back, inquire about the original caller to verify their identity.
3. Use a Caller ID App
Google and Apple have done a lot of work over the years to improve their native caller ID methods. However, neither the Android nor iOS operating systems can effectively handle most spam calls or spoofed IDs. Thanks to the many voice over internet protocol (VoIP) options available now, scammers can easily create spoofed numbers. Hidden identities allow them to leave little to no trace of where they’re actually calling from.
A good caller ID app can help boost your phone’s spam call detection and blocking capabilities. For both Android and iOS phones, your best option may be Truecaller. Downloaded and used by over 250 million people worldwide, Truecaller has over 2 billion spam numbers locked into its database. Confirmed spam numbers are blocked, while good numbers are allowed through. If a number does end up being a vishing scam, you can add it to their database.
4. But Don’t Completely Trust Caller ID
Even with a more effective caller ID app installed, avoid numbers that are not in your phone book. You may still receive fraud calls from spoofed numbers that appear to be legitimate. Even with a caller ID app installed, let any calls not in your phone book go directly to voicemail.
5. Treat Vishing Scams as You Would Smishing Scams
Vishing and smishing scams are all in the same family. Both utilize your mobile device to target you. As with smishing, vishing scams rely on the personal nature of mobile phone contact to try to extract valuable information. However, it’s important to know that your personal cell phone number is not private. Both phone calls and text messages you receive could be from anyone, including scam artists.
Stay Safe and Don’t Be a Victim
If you have a phone, you should remain suspicious of phone calls. Whether the call is from an unknown number or from a seemingly legitimate number, be suspicious. However, if you do answer the phone, do not fall for their pressure tactics or emotional manipulation.
You don’t have to be a victim of vishing. Stay safe and be wary of vishers! If you’re a business, be on the alert. Vishers are always planning their next scam. Be vigilant and take precautions to prevent your business from being the next victim.