Who’s Calling?
Don’t Be a Victim of Vishing Scams
Unsolicited phone calls and robocalls are often an annoyance, whether they’re asking for contributions or trying to sell you something. While some of these calls are legitimate, scams and swindles are all too common. Some phone-based attacks focus on stealing your financial details, access credentials, or other sensitive information. These are known as vishing attacks. “Vishing” comes from combining the words “voice” and “phishing.” The term refers to criminal phone fraud, initiated via a voice-to-voice exchange or a malicious voicemail message.
Persuasion + Pressure = Problem
Vishing calls attempt to manipulate people through tactics known as social engineering. These psychological tricks often create a sense of urgency or fear that’s intended to pressure you into doing what the attacker wants. Another social engineering tactic is to build familiarity and trust. For example, an attacker or social engineer could start by researching your organization to gather convincing details. Then, they could call an employee and use those details to persuade them to transfer money into the attacker’s account. Unfortunately, you can’t rely on caller ID alone to avoid vishing. In fact, attackers have tools that let them display a fake name or number. And once you’re on the phone, a skillful social engineer can apply their powers of persuasion. The voice-to-voice, personal connection can make vishing attacks seem more believable.
Vishing in the Workplace
Many vishing calls try to defraud consumers. But some are targeted, coordinated attacks against a specific individual or organization. For example, attackers may contact several people within an organization to gather small pieces of valuable information from different sources. If one of these vishing calls is successful, it can become a stepping-stone to more criminal activities. Vishing can also be highly targeted, with attackers researching a specific person before they call. Frequent targets include managers, financial professionals, and customer service representatives, due to their access to valuable information, systems, and physical assets.
Warning Signs
Beware of callers who:
- Claim to be from a tax, government, or law enforcement agency, and use threatening language (these are almost always fraudulent)
- Request payment for products or services via gift card or wire transfer
- Ask for authentication information, such as one-time verification codes
- Present offers that seem too good to be true
Security Tips
- Avoid the call – Whenever possible, avoid answering calls from unknown numbers.
- Don’t interact with calls – If you accidentally answer a robocall, hang up. Any interaction—even to remove yourself from a call list—can lead to more robocalls.
- Terminate the call – If a call is confusing or seems suspicious, hang up.