What Is Vishing, and How Can You Protect Yourself Against It?

February 9, 2023

Voice phishing, or vishing, is a type of fraud in which callers contact you claiming to represent the authorities (police, prosecutors) or to be employees of the IT team. They then request remote access to your computer under various pretexts; their real purpose is to access bank data and perform fraudulent transactions. This method has evolved rapidly, with attackers trying to obtain financial data or confidential corporate information, passwords, and access codes, and then steal money from companies or individuals. Vishing attacks are often used to infect endpoints with ransomware.

In 2021, over 59.49 million Americans lost money to phone scams, the highest number since Truecaller Insights started researching scam and spam calls in the US (2014). According to a survey conducted by The Harris Poll and commissioned by Truecaller, phone scams cost US citizens a whopping $9.8 billion in 2021. Nearly 1 in 3 Americans (31%) reported they have been a victim of phone scams, while 19% have been scammed on more than one occasion. Moreover, 3 in 5 Americans (60%) admitted to losing money as a direct result of a robocall.

The Most Common Vishing “Scenarios”

Windfall 

In this scenario, the scammers tell the victims that they have won large sums of money, but they need to provide their confidential data to get hold of the money.

Your Computer Is Infected 

The caller claims that a virus on your computer has caused a bug in your system, and that the IT team needs your system and personal details to fix the problem.

A Simulated Bank Emergency 

Sometimes, attackers will invoke an urgent need for your information because of some fake banking procedures, such as a blocked bank account.

Fake Support Calls

This is a method attackers use to try to get or access important data. Hackers initiate calls pretending to be part of the technical support team. An untrained employee can easily fall victim to this method.

Missed Call Fraud

The victim receives a missed call from a phone number outside the country. When they call back, they usually reach a premium-rate number.

Robocall Scam

In the study cited above, we were able to observe the level of damage robocall scams can cause. In this scam, attackers initiate a pre-recorded call to all phone numbers in a certain area code. The automated voice asks victims to provide their names and other information.

Protecting Yourself and Your Employees Against Vishing

To protect your employees and your company from such fraudulent methods, here is a set of basic security measures:

— Do not answer calls from abroad, especially if you do not know anyone in that country. If you do speak with a colleague from another country, and you still have doubts, always check their identity with the organization.

— Do not divulge any confidential data, such as your Internet Banking username and password, activation code, card number, CVV2 code, or PIN. Banks will never ask their customers for sensitive information over the phone. The same goes for your login credentials on company servers. Sometimes, identifying a social engineering attack can be extremely difficult, so educating your staff could be the key here.

— Do not install applications and do not access websites on the instructions of people who contact you by phone.

— Do not assume that people who contact you are trustworthy just because they know some information about you; they can easily find such information on social networks.

What to Do in Case You Are the Victim of Vishing

First, write down any details you can remember from the call. The attacker’s phone number(s), the date and duration of the call, the information you provided, the software you were told to install, and any actions you took at the attacker’s request are very important things to take note of.

Afterward, if the attack was directed at the company, contact your manager. If the attack targeted your personal data or bank account, go to the nearest police station to file a complaint and lay out all the details. Report any attempted fraud to the police, even if you did not become a victim. If you have disclosed your Internet Banking account or card details, contact the bank as soon as possible to block any suspicious transactions. Taking these steps as soon as possible might prove crucial.

Last but not least, beware of future attempts! If you have been the victim of vishing, the perpetrators will most likely target you again or sell your data to other criminals.

Conclusion

With the number of vishing attacks on the rise, the best way to counter this threat is by making sure your employees are aware it exists, so they can recognize it. Simple vishing simulations should be a key part of the process of preparing your organization to respond to real cyberattacks.