Vishing: How to Identify and Protect Against Voice Phishing Scams
Introduction
Another day, another scam. Frustrating. While we do love a good portmanteau, vishing (a combination of “voice” and “phishing”) isn’t one of them. While phishing and spear phishing attacks are usually launched via email, vishing attacks that combine email and phone-based scams are on the rise. Complaints about phishing and related crimes (including vishing, smishing, and pharming) increased by 110% from 2019 to 2020, according to the FBI’s Internet Crime Complaint Center (IC3).
In this article, we’ll cover everything you need to know about vishing, including examples, how to prevent voice phishing, and what to do if you’re a victim of a vishing attack.
What Is Vishing?
Vishing is a type of phishing scam in which cybercriminals, posing as trusted sources, make unsolicited phone calls to attain personal information they can use to commit fraud, hijack identities, and steal money.
Alternatively, scammers can send phishing emails that include phone numbers that lure victims to follow up on the email’s phony (no pun intended) content.
Vishing phone calls fool victims by using toll-free 800 numbers, caller ID spoofing, or VoIP technology to impersonate trusted organizations or people. Once a scammer gets you on the phone, they often use social engineering techniques to convince you to share personal details like passwords and credit card numbers.
While vishing attacks can target anyone, they are often focused on the elderly and employees who regularly deal with people outside their organization.
Phishing vs. Vishing vs. Smishing: What’s the Difference?
In a nutshell, the mediums cybercriminals use in vishing, phishing, and smishing may be different. Still, their goals are the same: taking over accounts, committing fraud, or stealing from unsuspecting individuals or businesses.
Here’s how the three methods differ:
- Vishing: Phone call scams that compel victims to share sensitive information verbally
- Phishing: Email scams that entice victims to click links that download malware or visit fake websites (pharming)
- Smishing: Text message scams that also tempt victims to click malicious links or visit fake, redirected websites
Vishing Attack Examples
Here are six examples of common vishing attacks:
- IRS Tax Scam
IRS vishing attacks usually involve a prerecorded message explaining that there’s an issue with your tax return and that you should call the IRS (on a number they provide, of course) immediately. In addition, these messages are typically accompanied by a warning that a warrant for your arrest will be issued if you fail to return the call.
The IRS is a favored impersonation option for cybercriminals in both email and voice-based scams. Leveraging the IRS name and context induces a sense of trust as well as urgency in scam victims.
- Tech Support Attacks
In tech support vishing attacks, scammers impersonate personnel from companies like Apple, Microsoft, and Google to report suspicious activity on your online account. In addition, they often ask for an email address to send software updates, which turn out to be malware downloads.
In 2020, the FBI IC3 received 15,421 complaints related to Tech Support Fraud from victims in 60 countries. The losses amounted to over $146 million, a 171% increase over 2019 losses.
- Bank Impersonation Scam
In bank impersonation scams, scammers impersonate credit card companies, banks, and other financial institutions to access your accounts. The fraudsters tell you there’s been suspicious activity and ask you to confirm your account information, along with your login credentials, to “fix” the problem.
- Social Security or Medicare Scam
Senior citizens are frequent targets of cybercriminals due to their inexperience with phishing scams. Scammers impersonate Social Security or Medicare representatives to attain account details that enable them to order a new Social Security number in their name.
In addition, many older adults prefer telephones over email or text messages, falling victim to vishing scams more often than email phishing or smishing attempts.
When looking at cybercrime victims by age group, almost 22% of all complaints received by the FBI in 2020 involved victims over the age of 60, with reported losses in excess of $966 million.
Note: If you have friends or family members who you think are susceptible to these types of scams, tell them that the IRS, Social Security Administration, or Medicare will never threaten them or call them to request personal information.
Federal agencies will never initiate contact with you by phone, email, text, or social media to request personal or financial information. Never.
- Delivery Scams
Online shopping has become so ubiquitous that it’s hard for anyone to remember what they have (or haven’t) ordered, and scammers know this. So fraudsters have posed as being from Amazon, alerting shoppers about shipping discrepancies and giving them a phone number to call if they have questions about their (fake) orders.
If a customer called the number, they could speak with a live person who pretended to work for Amazon and proceeded to extract personal information from these unwitting victims. With peaks of online shopping activity like Prime Day being a regular part of our lives now, it’s vital to stay vigilant of these shopping-based vishing scams.
- Loan and Investment Scams
When an offer sounds too good to be true, it usually is. So always be skeptical of any investment opportunity that promises exorbitant returns or loans that pay off debts unusually quickly.
Here are some DOs and DON’Ts from USA.gov on how to protect yourself from loan and investment scams:
- DO ask questions about risk and costs.
- DON’T give in to hard sells and pressure tactics.
- DO get details in writing and do your own research.
- DON’T agree to invest because the caller seems trustworthy or has an impressive title.
- DO investigate where the investment and/or investment “professional” is registered.
- DON’T be swayed by “risk-free” investments or “guaranteed” earnings. They do not exist.
How Vishing Emails Avoid Detection
When vishing is perpetrated via phishing emails, how do these emails reach their intended victims? There are three reasons for this:
- Email Contained No Links
It’s easy for security tools to catch emails containing malicious links. However, a vishing email will ask the recipient to call, eliminating the need to include a detectable link. There will be a heavy emphasis placed on making the call vs. clicking CTAs, which often lead nowhere or are not even clickable.
- Email Was From an “Authentic” Sender
Even impersonated email accounts can get through authentication checks (like DKIM, SPF, and DMARC) if sent from a personal email address, like a Gmail account. Those checks only verify that the message is authorized by the sending domain (for example, gmail.com); they say nothing about whether the display name, such as “Amazon Order Support,” is legitimate.
- Email Security Tools Were Ineffective
When an email passes the checks above, it is often deemed low risk by email security tools like Microsoft Exchange Online Protection (EOP) and delivered to inboxes without a hitch. This is a big problem, but also a very common one.
Unlike URLs, which are tracked and shared as threat intelligence by the security community, phone numbers are not a structured or scalable Indicator of Compromise that can be tracked. This further increases the chances for vishing attacks to slip past static or deterministic security controls.
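The three evasion points above (no link, a brand name on a free-mail sender, and a callback number that no blocklist tracks) can still be scored heuristically. The following is an added example, not code from the original article or from any vendor product: it parses two constructed sample messages and flags the one that carries a phone number, urgency wording and no URL. Keyword lists and the risk threshold are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real emails) illustrating the page's point:
# the lure carries a callback number and urgency text but no URL at all.
VISHING_SAMPLE = """From: "Amazon Order Support" <order-help-desk@gmail.com>
To: user@example.com
Subject: Action required: order #112-7788 could not be shipped

We could not verify the payment for your recent order. Your account will be
suspended within 24 hours unless you call 1-800-555-0199 immediately.
"""

BENIGN_SAMPLE = """From: "Payroll Team" <payroll@example.com>
To: user@example.com
Subject: March timesheet reminder

Please submit your timesheet by Friday via the portal: https://hr.example.com/timesheets
"""

# North American phone number pattern (assumed sufficient for this example).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
# Assumed wordlists; a real deployment would tune these to its own mail traffic.
URGENCY = ("immediately", "suspended", "within 24 hours", "warrant", "urgent", "call now")
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRANDS = ("amazon", "irs", "microsoft", "apple", "google", "bank", "medicare")


def score_vishing(raw: str) -> dict:
    """Return the indicators found and a simple risk score for one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text body in these samples
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    phones = PHONE_RE.findall(body)
    indicators = {
        "callback_number": bool(phones),            # the only "payload" is a number
        "no_links": not URL_RE.search(body),        # nothing for a URL filter to catch
        "urgency": any(w in text for w in URGENCY), # pressure tactics in subject/body
        # brand name in the display name, but sent from a free-mail domain that
        # legitimately passes SPF/DKIM/DMARC for that domain
        "brand_from_freemail": domain in FREEMAIL and any(b in display.lower() for b in BRANDS),
    }
    score = sum(indicators.values())
    return {"phones": phones, "indicators": indicators, "score": score, "suspicious": score >= 3}


if __name__ == "__main__":
    for name, sample in (("vishing", VISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_vishing(sample))
```

The extracted numbers can be fed into a per-organization watchlist so that a callback number reused across several lures is caught on the second sighting, even though no public feed tracks it.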
Voice Phishing Prevention: The Basics
Here are six things you can do to make your business safe from vishing attacks:
- Incorporate Additional Tools Into Your Email Security Strategy
For better protection against phishing, vishing, or Business Email Compromise (BEC) attacks, augmenting your built-in email security with additional security layers is always a good idea.
- Don’t Talk to Strangers (Or Robots)
Here are some quick tips on answering calls:
- Avoid answering calls from numbers you can’t identify. When in doubt, let the call go to voicemail and then listen to the message carefully. Caller IDs and phone numbers can be spoofed, creating a false sense of security.
- If you’ve answered a call that you deem suspicious, hang up and block the number.
- Never call back a number the caller or message gives you. Look up phone numbers from authorized websites, credit cards, or account statements instead.
- Be wary of responding to voice prompts that ask you to press buttons or answer yes or no questions. Scammers often flag anyone who actively participates in their charade as a target for more robocalls.
- Pay Attention To Social Engineering Clues
Remain calm when someone tries to use scare and pressure tactics. Scammers use deadlines, intimidation, and a sense of urgency to their advantage because they work!
If you’re being threatened with account suspension, arrest, or demands for immediate payment, proceed cautiously and do not reveal any sensitive information.
On the other hand, scammers over the phone can also pretend to be polite, affable, and confidence-trick their way into your data and bank account. If you think you’re divulging too much information to an unknown or suspicious person over the phone, be cautious and hang up no matter how polite you think they’re being.
If you’re responding to a potential vishing email, inspect the following for irregularities:
- Sender name
- Sender email address
- Language and tone used within the email
- Functionality of CTAs
- Never Share Sensitive Information Over The Phone
Be suspicious of any caller who asks for account numbers, PINs, login credentials, or other sensitive information over the phone, no matter how “official” or confident they sound. Listen to your gut: if you suspect you’re on a vishing call, hang up. It’s better to be safe than sorry.
- Ask for Proof of Identity
Don’t be afraid to ask someone to prove their identity. If a caller is from a legitimate organization, they will have no issue confirming where they’re calling from, who they are, or why they’re contacting you.
Take their name and call them back on a number you’ve obtained from an official website or corporate documents rather than a number they’ve provided.
- Train, Train, Train
Take the time to give your employees security awareness training on the vishing prevention steps discussed here, and do it regularly. As attacks increase in variety and sophistication, you cannot afford to let your employees be ignorant of the latest cyber threats.
You’re a Victim of a Vishing Attack: Now What?
If you think you’ve given sensitive information to a scammer, what should you do?
- First, remain calm.
- File a complaint with the Federal Trade Commission and the FBI’s Internet Crime Complaint Center (IC3), and call the National Do Not Call Registry at (888) 382-1222.
- Change passwords on your accounts.
- Notify all banks, credit card companies, and government agencies you do business with, and then carefully monitor your financial transactions.
Vishing — and cybercrime in general — will continue to exploit the public as long as fraudsters can get away with tricking innocent people. However, taking the time to identify and deal with vishing attempts helps reduce their success rates and increase your peace of mind.