Know your Cyber Crime – An Introduction to Vishing
‘Vishing’ uses some of the same deception techniques as ‘Phishing.’ The key difference is that ‘Vishers’ use VoIP phone systems to perform attacks instead of email and malicious websites.
Traditional landline telephony doesn’t provide the secrecy and anonymity that fraudsters require; numbers can be assigned to physical locations known to phone companies. Caller ID spoofing is much easier using VoIP systems, so scammers are increasingly turning to such technology and taking advantage of the greater anonymity inherent in internet-based technology.
Despite the different media of communication, the manipulation employed in vishing scams is very similar to that used in phishing. ‘Vishers’ often try to create feelings of anxiety, fear, and urgency so that targets share sensitive information without questioning the situation first. Vishers also aim for the same air of legitimacy that phishing scammers use, by creating fake caller ID profiles and using interactive voice response (IVR) systems.
Vishing – What to look out for to avoid being stung
As with other types of deception scam, prevention is better than cure; separating the con artists from legitimate parties is the key.
‘Vishers’ often assume a variety of identities, but one of the most common is that of a bank or credit card company, as most people pay attention when they think their finances are under threat. Often such calls contain an automated message featuring a ‘call to action’, such as:
“Your account has been frozen due to a suspicious transaction. Please call this number to reactivate your account…”
Ignoring such a message can be difficult; you know something doesn’t feel right but you’re wary of doing nothing in case your bank account actually has been compromised. The best course of action to take here is to contact the financial institution using legitimate channels, as opposed to the contact number given in the message.
Quite often, Vishing scammers also use temptation and opportunity to compel victims into disclosing details or making a payment:
“Congratulations, you’ve won a new laptop in our weekly prize draw. Please call this number to claim your prize…”
‘Claiming your prize’ will often involve paying some kind of fee that they promise will be refunded (it won’t). They will often claim the fee is a payment to a third-party shipping provider and they’ll ask for your card details over the phone.
Alternatively, scammers may present you with an opportunity that’s too good to miss (an exclusive insurance offer just for you) or they may appeal to your conscience by asking for a charitable donation to a fabricated cause. Ultimately, there is no single template these scammers use, so when you’re being panicked into action or something seems too good to be true, take a step back and proceed with great care.
Guarding against Vishing attacks
Most businesses receive countless phone calls on a working day. Most of these will be above board, but it’s worth educating your staff on the trademarks of the Vishing scammer and the action to take to avoid becoming their next victim.
- Stay alert. You don’t trust every email, so why should you trust every phone call? Familiarise your team with the techniques scammers use so they know what to listen out for.
- Don’t be panicked into action. Legitimate operators don’t whip customers into a nervous frenzy. Be very wary if a caller is using emotive language to create an extreme sense of urgency.
- Remain composed and in control. A scammer may appeal for seemingly innocuous information that could be part of a larger scam such as identity theft. Scammers often have an answer for everything; they know their script and use smooth talk to charm information out of their victims. Don’t be seduced! If you feel uncomfortable giving out any form of information to an entity you’re unsure of, just hang up and get on with your day.
- Ignore unknown numbers. Legitimate callers will often leave messages prompting you to reach out to them.
- Know your bank’s security policy. Financial institutions never ask for things like online account logins over the phone…ever! Familiarise yourself with the steps your bank would take if your account were compromised so you’re able to identify a legitimate breach.
Here at 4TC, we can help your business with all aspects of cybersecurity. Our expertise covers a wide range of bases, from proactive maintenance and backups to full-network anti-virus and managed anti-spam solutions. We provide managed services, project management and advice to ensure the businesses we work with remain out-of-bounds to cybercriminals.