Social Engineering: What is Vishing?
Vishing is a combination of the word “voice” and the word “phishing”. It refers to phishing scams done over the phone. Individuals are tricked into revealing critical financial or personal information. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology.
Commonly considered techniques:
Skilled scammers/hackers have everything in place to sound legitimate:
- Right information: they already have your name, address, phone number and bank details. In fact, all the information you would expect a genuine caller to have.
- Urgency: You are made to believe your money is in danger and that you have to act quickly. Fear often leads people into acting without thinking.
- Phone skills: The phone number appears as if it’s coming from somewhere else (i.e. spoofing). So, you pick up the phone already believing the caller as the number seems convincing.
- Business atmosphere: You hear a lot of background noise so it sounds like a call center rather than a guy in a basement. The scammers either do have a call center, or are playing sound effects.
If the victim falls for the scam and provides personal information, he or she mostly ends up becoming a victim of identity theft.
Real life scenario #1
You come home from work and check your voice mail to see if anybody has called. You play your voicemail and hear the following message:
“Hello, this is Eva at ABC Telecommunications Company. I am calling you to confirm the closing of your account. Both internet and landline connectivity to your address will be terminated tomorrow morning, May 6, at 8:00 AM. Our records indicate that you have an outstanding balance. Please call our customer support at 00-… to settle the final bill payment.”
This is done to create urgency and push you to grab your phone and call the given number. The ABC Telecommunications Company comes up, giving you an automated way to avoid the closure of your account. You are asked to put in your social security or National ID number and the credit card number on your account to verify that you are indeed the claimed owner of your account. After you enter both numbers, the line goes dead.
Real life scenario #2
You’re watching TV in your living room at 8:00 pm and the phone rings. You check your caller ID and it is your bank. You pick up the phone.
“Hello, this is XYZ bank. In the past hour there have been three unsuccessful attempts to access your account. To secure your account and protect your private information, ABC bank has locked your account. We are committed to making sure that your online transactions are secure. Please call our Security department at 1-800-Blah-Blah-Blah.”
You know that you have not made “three unsuccessful attempts to access your account in the past hour”; instead you have been sitting in your living room watching TV. Again, the purpose here is to create panic and push you to call the given number. You are greeted with something like this:
“Thank you for calling XYZ bank. Your call is important to us and we record it for quality assurance purposes. To direct you to the appropriate department, please follow our menu.”
- For Checking or Savings, press 1.
- Activate a debit card, press 2.
- Stop a payment of a check, press 3.
- To connect to a department, press 4.
- For all other inquiries, press 0.
You press 4 and the automated system instructs you to identify yourself.
“The security of our customers is important to us. To proceed further, we require you to authenticate your identity before proceeding. Please type your bank account number, followed by the pound sign.”
You enter your bank account number and hear the next prompt:
“Thank you. Now please type your Social Security or National ID number, followed by the pound sign.”
You enter your Social Security or National ID number and again receive a prompt from the automated system:
“Thank you. Now please type your PIN, followed by the pound sign.”
You enter your PIN and hear the next prompt:
“Thank you.” . The line dies or – even worse – you are transferred to the real XYZ bank, talk to an agent, and find out that you are a victim of a vishing attack.
How and why is it so easy?
Vishing attacks are hard to trace, because they ‘mostly’ use VoIP (Voice over Internet Protocol), which means they start and end a call on a computer that can be located anywhere in the world.
And how does your telecommunications company or bank come up on your caller ID when it is actually a number from an attacker? They “spoof” it. There are services out there, like Spoofcard, Burner (free mobile app), .. that allow you to “spoof” your number so that whoever you’re calling doesn’t know that it’s you. You can display any number you want. This allows vishing attacks to look perfectly legitimate on a person’s Caller ID. Spoofing numbers is sometimes legal (fighting against spam, privacy, etc) and sometimes not (online fraud, ..etc) – depending on regional laws and regulations.
How to protect yourself from Vishing?
- Never call the number given to you or displayed on your Caller ID (unless it’s a number from a friend, relative, etc.). Take the time to look up the legitimate number and then call it.
- Never give out any personal information – to anyone! This actually goes for any type of request for personal information. Just FYI: Legitimate companies do not ask for your social security number, national ID numbers, credit card numbers OR PIN’s via phone.
- Hang up if you get a suspicious call. Before calling back the legitime number of the company, do a bit of research on internet. Most probably other victims will already have published information about it.
You can also report Identity theft at: https://www.identitytheft.gov/
Above all, rely on common sense. Know the warning signs and think before you act!
Follow our Email security and privacy awareness course for more details on how to better protect yourself from today’s emerging cyber-threats!