Don't Be a Vishing Victim
In This Article
• What is vishing?
• How many people are targeted?
• Hackers' goals when vishing
• The common lures used
• What to do if you think you got vished
• How to prevent becoming a vishing victim
What is Vishing?
Email phishing is a method hackers use to collect information and/or install malware by sending an infected email message.
Social engineering is the psychological manipulation of people to get them to do things or reveal information.
Vishing is similar, but is done via phone using “social engineering” (see box) techniques, instead of email.
The word is a mashup of “voice” and “phishing”.
According to the FBI 2019 Internet Crime Report, cyber fraud cost consumers about $57 million. The most common forms of such fraud were phishing, vishing, and smishing (smishing is similar to phishing and vishing, but done via SMS text message).
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning about an increase in vishing attacks targeting staff at various companies.
Why Vishing Wouldn't Work 20 Years Ago
Phone lines used to be physically connected to the telephone network and their owners were easily traceable.
Now, with cellphones and voice-over-IP (VoIP) phones, it's much harder for authorities to link a phone number with a particular person. In addition, the caller ID and apparent location of a caller can be faked.
Hackers take advantage of these things to run vishing scams.
Goals of Vishing
The hackers who run vishing scams are trying to get credit card numbers, bank account info, or other personal information they can use to steal identities.
Sometimes, they try to collect money by pretending to be legitimate charities. This is more common when there's a natural disaster somewhere or, say, a global pandemic.
Hackers use one or more of the following tactics…
• They use a text-to-speech synthesizer to play a fake “warning” about credit card or bank account activity.
• They use “deepfake” software to replicate a trusted person's voice.
• They claim to be an employee of a company or a member of law enforcement.
• They may provide “just enough” information about the victim to seem real, and they express a sense of urgency to get people to let down their guard.
• If they leave a message, they give a callback number. When the victim calls, automated software answers and requests credit card or bank account info.
• Sometimes hackers employ live humans to make calls (some of these callers know what they're doing; some do not).
• And sometimes hackers try to get Apple or Microsoft usernames, passwords, and other info by pretending to be from those companies.
Vishing hackers will say various things to get their victims to reveal sensitive information.
They might say a credit card transaction was flagged, a large bank deposit needs to be confirmed, or a warrant was issued for the victim's arrest.
They might say the victim's social security account was compromised, the IRS sees discrepancies on his tax return, or Medicare needs to update its database.
They might pretend to be from Microsoft or Apple, say the victim's computer got hacked, and they want to help fix things.
And in a scary variation, they claim that a friend or family member is hospitalized (or in jail) and needs immediate help.
If You Think You Got Vished…
Call your bank or credit card company, but use the phone number on your bank statement or credit card. (Be careful Googling for it - hackers have been known to put up fake websites and run fake ads just so they can post their own numbers for callbacks.)
If possible, use a different phone to call back. Otherwise, power your phone down and back up. (This is to avoid a “no hang up” scheme on a live call, where the hacker pretends to hang up, but doesn't, and can then fake a dial tone. When you try to call your bank or credit card company, you're actually calling the hacker's accomplice.)
Report it to the Internet Crime Complaint Center
Report it to the Federal Trade Commission
Report it to the Better Business Bureau
How to Prevent Vishing
Be wary of calls warning of fraudulent activity on your accounts.
Be very suspicious of any caller asking to be paid via gift cards or wire transfers.
A tip-off to an auto-dialed vishing call is a 2-3 second delay between answering and hearing a person speak.
Never provide personal or sensitive info over the phone unless you initiated the call and are 100% certain you know who you called.
Remember that government organizations like the IRS, Medicare, and the Social Security Administration do not call people asking for sensitive information.
Unfortunately, there's little value in putting your number on the national “do not call” registry - hackers using vishing schemes are not going to abide by its restrictions.
On cell phones, there are some robocall blocking apps that work fairly well, but they won't catch everything so you still need to be vigilant.
Be careful about what you post on social media - the more personal info a hacker can find, the easier it is for him to call and seem to know a lot about you, which might cause you to relax just enough to become a victim.
Vishing is yet another method hackers are using to separate people from their money and personal information. It's easy to avoid if you know what to look for and what to do if you get vished.