What is Vishing and How to Avoid It?
Cybercriminals can steal sensitive information like bank account numbers and passwords. They use less sensitive information like an active address or a phone number as a tool to attack more appealing targets. Knowing the tricks criminals employ to steal data goes a long way in preventing attacks, and it all starts with knowing, understanding, and avoiding these tricks. If you own a phone, you have probably experienced one of their favorite techniques: vishing.
Phishing and Vishing
Many people are unfamiliar with the different types of attacks under cyber fraud. Phishing and vishing are two of the most common cyber frauds that most people can’t differentiate. So, before we dive into the tips on identifying and avoiding vishing attacks, let’s know the difference between phishing and vishing.
→ Dig Deeper: Social Engineering—The Scammer’s Secret Weapon
What is Phishing?
Phishing is a catch-all term for attacks that use technology to steal information. Criminals may use this data to unlock bank accounts and steal money. With enough valid information, they can start lines of credit in a victim’s name. They may also collect data as part of a larger phishing scheme. For example, accurate information about a low-level manager gives legitimacy to a phishing attack on someone in upper management.
→ Dig Deeper: How to Identify Three Common Phishing Scams
What is Vishing
Vishing is short for “voice phishing.” It falls under the general phishing umbrella. Vishing attacks happen over the phone—its specific and signature modus operandi. Cybercriminals use pressure and fear to trick victims into sharing information.
Like all other types of phishing, Vishing is a type of cybercrime. It’s one of the most commonly recorded cyber attacks that involve stealing personal information in the past decade. In 2020 alone, the U.S. Internet Crime Complaint Center recorded over 240,000 cases of phishing, vishing, smishing, and other similar cyber frauds in America.
Common Vishing Strategies, Examples
Phone-related scams have been around for years. Many consumers are wary of unsolicited phone calls. For this reason, vishing calls have to employ various strategies for a successful attack. Here are some common vishing strategies and their examples.
Call volume is a vital tool for vishing attacks. These attackers do not expect a high success rate. They know that many people will hang up on or ignore unsolicited phone calls. Instead, they cast a broad net looking for more susceptible individuals. Using a recorded message and automatic calling allows them to make many calls with the least effort.
→ Dig Deeper: Say So Long to Robocalls
Attackers will use VoIP or fake Caller ID tools to make it look like the call is coming from a legitimate number. In some cases, they may use the Caller ID signature of an actual resident. In other cases, they will create a number from the same area code as the receiver.
→ Dig Deeper: How To Stop Phone Spoofing
Targeted attacks involve extra research but have the potential for the greatest reward for criminals. Instead of a broad net, they research an individual target. By looking at public social media information, they can make it seem like the call is from an associate connected to the target’s company. This tactic will help establish trust and increase the chances of a successful attack.
Vishing attacks prey on the fears and worries that many people have. No one wants to deal with the inconvenience of an IRS audit or a frozen bank account. The caller, or the criminal, pretends to be doing a favor that will prevent a negative outcome.
Bank Account Issues
The caller pretends to be a bank representative, telling the victim there is a problem with his or her account. They may talk about unusual activity. All the victim must do is confirm the bank account number.
→ Dig Deeper: Types of Online Banking Scams and How to Avoid Them
A government organization representative is calling to inform you about a potential audit. Sometimes, the caller will represent a collection agency employee or law enforcement official about to work on your case. If you supply your social security number, they may be able to resolve things without legal action.
Social Security Verification
Working with the Social Security Administration can be challenging for older adults. Many people are dependent on their monthly checks. The threat of losing those payments can be enough to get them to share their information over the phone.
→ Dig Deeper: How to Report Identity Theft to Social Security
A friend of a friend calls to share information about a promising investment opportunity. The caller may have looked at your social media and told you about the golf tournament you were at a few weeks ago. If you want to invest, it needs to be soon. Giving your account number for membership will guarantee that you will be included.
A Phishing Vishing Combo
This scenario begins with a phishing email. The victims who reply to the email receive a follow-up phone call. This tactic gives legitimacy to the call because it is no longer unsolicited.
Another combination acts like a ransomware attack by another name. Victims click on a phishing link that downloads malware. In addition to causing problems for the machine, the malware displays a number the victim can call for technical service. The criminals receive payment for removing their program.
Recognizing a Vishing Attack
While there are variations in vishing attacks, there are some components that they share in common. Recognizing these traits will better equip you to avoid attacks.
An Unsolicited Call
The first sign of a potential vishing attack is a phone call for which you do not ask. The criminals who run these attacks use calling systems that work around the clock waiting for someone to pick up the phone.
Many vishing attacks will attempt to persuade you that the caller is someone with authority. Often, these criminals will struggle if you ask questions about badge numbers or other details. That’s why it’s important to remember that government agencies like the IRS and SSA do not use the phone for initial contact.
It is a red flag when someone needs you to give them information immediately. Vishing attackers use the fear of harmful consequences to pressure victims into sharing data. They will tell you that you need to act now or that the call is your final opportunity to fix a problem.
Need for Information
Somewhere in the script for a vishing attack, the caller will ask for information. It may start with something harmless, like asking to confirm your address. If they can get you talking, they will soon ask for more valuable information like a social security number.
→ Dig Deeper: Social Security Numbers Easily Cracked
Tips for Preventing a Successful Vishing Attack
Vishing attacks are a constant problem that requires careful attention. Now that you know what vishing is and how damaging it can be, you and your family need to be prepared when a suspicious call comes in. Follow these tips to avoid phishing attacks.
Screen Your Calls
You do not need to feel obligated every time the phone rings. If you do not recognize the number, it can go to voicemail. Your friends and family will understand if you call back in a few minutes. Screening your calls prevents vishing attacks before they can start.
The National Do Not Call Registry
Registering your number on your national data privacy legislation prevents telemarketers from reaching out to your phone. While some legitimate organizations can still make calls, other unrecognized numbers will likely be scammers and vishing attackers.
No Sharing Policy
Make it a policy not to share any information if you do not initiate the call. A legitimate business will give you a callback number that you can check. A criminal will leave the call quickly to look for another victim.
Take Your Time
Vishing attackers use speed to increase pressure. If someone claims to represent your bank or a government agency, it is appropriate to ask for time to do some research. Because these attackers want to make as many calls as possible, they will get off the line if things are not moving forward.
Keeping Your Information Safe
At McAfee, we are dedicated to keeping your data and your family safe from cybercriminals through our McAfee+, Identity Theft Protection, and Family plans. Unfortunately, we cannot protect the information you share on the phone. However, these vishing attacks are easily prevented when you ignore unsolicited calls. By preparing your family to deal with cybercrimes, you can avoid their troubling consequences.