What is vishing?
Vishing (a portmanteau of the words “voice” and “phishing”) is a social engineering attack similar to phishing that uses deception and plays on the victim’s emotions – like fear, greed, or a sense of urgency – to get personal information out of them. But unlike other phishing attacks, vishing scams only use phone calls and Voice over IP (VoIP) technology such as Skype and similar platforms.
What is the difference between phishing and vishing?
In a vishing attack, scammers use voice phishing to get information such as bank account numbers, phone numbers, email addresses, and anything else that could be used in future attacks or to steal your identity.
However, while phishing uses different platforms such as emails or spoofed URLs, vishing scams only use phone calls and Voice over IP (VoIP) technology such as Skype and similar platforms. Vishing attacks can also be accompanied by smishing, which includes deceptive SMS/text messages.
How vishing works
In vishing attacks, scammers pretend to be calling from legitimate companies, banks, or government institutions, or they may pretend to be someone you know. There may be a real human being at the other end of the line, or you might simply receive a voicemail from a spoofed number asking you to call back. Once you do, you’ll hear a robot asking you to enter your details to take you through to an assistant. However, in reality, you’ll be sending your details straight to a hacker.
Vishing is becoming even more sophisticated with the rise of AI and deepfake technology. Scammers can now imitate the voice of someone you know, like your boss or a family member who’s asking for help. These calls are especially difficult to recognize.
There are different types of pretexts vishers might use. These are the most common vishing scams you should be aware of:
1. Telemarketing or enterprise fraud
These vishers will pretend to be calling from a legitimate company – one you’re already a client of or a company that offers deals you can’t resist. For example:
- a car insurer offering to extend your insurance
- a credit card company offering incredible discounts
- a travel agency offering you a free, all-expenses-paid holiday
- a lottery calling to tell you that you won a prize, even if you’ve never entered the competition
The trick here is that the scammers will always ask for your details or money in exchange for whatever they’re offering. Be prepared to hear phrases such as ‘you’ll only be able to claim your offer if you pay the handling fees.’
2. Government fraud
In this type of vishing attack, scammers will pretend to be from a government agency like the Internal Revenue Service (IRS) or Social Security Administration (SSA). They will play on your fear and sense of urgency, telling you that you owe them tax money and that you need to pay them back immediately. Otherwise, you’ll be fined – or worse.
They might have other pretexts and ask you to confirm your social security number to continue receiving the medical care or social benefits you are currently entitled to. Of course, all these stories are there to trick you into paying money or sharing your social security number.
3. Tech support fraud
In this type of fraud, scammers will tell you that they were notified that your device needs to be updated or that they have found vulnerabilities that need to be fixed immediately. To fix these issues, they will require remote access. However, if you agree, the scammers will have full control of your device and will be able to steal your data or install malware. Less-clever scammers might pretend to be running diagnostic tests and will ask for your sensitive details to “complete them.” They might also ask you to pay once they have “repaired” a device that wasn’t broken in the first place.
Vishers might also try to turn this attack the other way round and make you call them. They can do so by creating malicious ads and pop-ups that look similar to your antivirus messages. These pop-ups will notify you of a system breach and that you need to call a specific number to fix it. When you call them, they will try to lure more information out of you and make you pay for their ‘service.’
4. Bank or other financial institution fraud
In this vishing attack, the fraudster’s main aim is to get your financial information out of you. They might pretend to be calling from your bank to tell you that you have fraudulent charges or suspicious activity on your account. They will try to convince you that you need to act now to cancel them – by telling them your login info.
5. Relationship fraud
Relationship scams often target the elderly. A typical scenario is a call from a grandson or granddaughter who is in trouble and needs your help. They might try to convince you that they were in an accident and that they are in a hospital, in jail, stuck abroad, etc. The only way for them to get home is if you transfer them a certain amount of money. To make the story more convincing, they can also give you a phone number for their doctor or lawyer, who “will provide you with more details”.
How to protect yourself from vishing
Just like with phishing, vishing prevention involves common sense, caution, and an awareness of current threats:
- Be aware of what vishing is and what techniques vishers use. If you’ve read this post, you are already much more secure!
- Don’t give in to pressure. The hacker aims to stress you out and cloud your judgment. If you get an anonymous call and the caller is pressuring you into giving out your sensitive data, don’t be afraid to hang up.
- Don’t take anonymous calls. If you are anxious, you might get vished, so don’t answer calls from unknown numbers. Remember, if it’s an emergency or someone has an important message, they will either leave you a voicemail or drop you an email.
- Be skeptical. If you think the call you’ve received might be a vishing attempt, find the number of the institution that called you and call them directly. For example, if they pretend to be from your bank, find your bank’s number online and double-check the information you were given.
- Limit the information you share on social media. Your profiles can provide lots of valuable information that scammers can use to make their stories more convincing. Follow this guide to make your accounts more privacy-friendly.
- Introduce security awareness training in your company. If you own a business, train your employees to recognize phishing and vishing. Hackers love to target companies as they can get better returns.
- Remember that legitimate companies or your bank will never ask for sensitive information over the phone, or they will provide more secure ways to communicate with them.