Nearly 1 in 3 Americans have fallen victims to a phone scam. According to a report from Truecaller, 59.4 million Americans have lost a total of $29.8 billion to phone scams in the last year.
Cybercriminals are getting sophisticated, they equip themselves with the latest technologies and leverage social engineering tactics to swindle their unsuspecting victims into becoming a vishing victim.
Short for voice phishing, a person disguises themselves on the telephone to steal sensitive information from victims. Cybercriminals use clever social engineering tactics to persuade the victims to give up their private information.
In most vishing scams, callers will pretend to be calling from the victim’s bank, tax department, government office, and so on.
The victim will be led to believe that they are doing the right thing since the language used by the cybercriminal is convincing and laced with threats that make the former feel as if they have no option but to give up the information.
Cybercriminals attack both individuals and organizations. They use the CEO’s identity and will call an employee to persuade them to transfer funds to a particular account, while making them believe that the transfer was made at the behest of the CEO.
Cisco’s 2021 Cybersecurity Threat Trends report says that phishing accounts for more than 90% of data breaches.
Vishing, smishing, and pharming are considered the most prevalent threats. Vishing scams are becoming mainstream, and they are incredibly easy to orchestrate. This is what makes vishing attacks a terrifying affair.
The main objective of a vishing attack is to gain access to sensitive financial information or the personal data of an individual. Vishing attacks are easier to commit than in-person attacks. Why?
Because in a face-to-face attack, the chances of verifying the authenticity of the other person increase. You can ask the person to show their ID cards, verification badges, or any access cards.
That’s exactly why vishing attacks are easier to perform, as the scammer can use a lot of methods to con the victim.
You can identify a vishing scam based on the context of the call. The communication can be assumed to be like this:
Most of us know someone who has been duped in this way. On average, Americans receive almost 31 spam calls per user per month. These are worrying numbers as the livelihoods of people are at stake here.
Let us look at some of the most common vishing techniques so that one can identify a vishing attack if they receive one.
VoIP technology makes the creation of fake numbers easy. Cybercriminals can create fake numbers that are difficult to track.
They are made to appear local, or even come with a 1-800 prefix. Sophisticated cybercriminals will also create their VoIP numbers in such a way that they look as if they are coming from a legitimate government account or their bank.
Just like VoIP-enabled vishing, cybercriminals use fake phone numbers by spoofing the caller ID. They pretend to be a caller from the government, the IRS, the police department, or a fraud-investigating agency.
Since the modus operandi of these criminals usually entails making them look as if they are a figure of authority so that the victims can share their private information, spoofing caller ID to make the number look legitimate is pivotal.
In this, hundreds or thousands of automated calls are made to hundreds or thousands of numbers. Their intended victim may get a recording threatening them to call back the scammers.
The vishers will say that they are calling on behalf of the tax department or the victim’s bank. Wardialing usually focuses on a specific area code.
The attackers collect the phone numbers by digging into the dumpsters behind banks and other organizations. Using information gathered from this exercise, they deliver a targeted vishing attack against the victim.
|Cyvatar detects and fixes vulnerabilities before attacks reach networks.|
See what Cyvatar’s Cyber Prevention & Cloud plan can do for your business.
These are some of the ways in which vishing attacks take place. Being aware of this helps people from falling prey to such scams.
The victim will receive a pre-recorded message. They will be told that there is something wrong with your tax return, and if they don’t call back immediately, an arrest warrant will be issued.
The victims get an offer to invest in an ‘exciting’ project or obtain a loan at a lower interest rate.
Since these kinds of transactions require financial information, the vishers convince the victim to give up personal financial information.
If the visher convinces the victim that it is a genuine offer, then the latter wouldn’t hesitate to share information.
Unfortunately, most vishing victims are the elderly. Their operation involves using the victim’s condition to con them into giving up their personal data. In return for their cooperation, they get a promise for a discount or a refund.
Since the vishers are hoping to gain access to the bank accounts of their victims, the smartest way to con them would be to pose as an official from the bank.
By using the bank’s routing number (easily found online) and the victim’s account number, the attacker can transfer funds to their account. All they need is the credit card number, expiry date, and security code to make purchases online or over the phone.
It is not easy to recognize a vishing scam as the victims are not made to feel as if they are being conned. But if you are aware about how to spot a vishing scam, you might be able to save yourself.
No federal agency will contact you directly unless you’ve requested contact and will never ask you for your financial information.
In fact, anyone who calls you asking for your personal or financial information is a scammer.
The caller will pretend that they are doing an audit or that they have to verify your information for ‘official’ purposes.
They will ask you to confirm your date of birth, name, address, bank account information, social security number, and other personal-identifying information(PII).
To make themselves look legit, they will already possess some of this information and share it with you. Their objective is to get the rest of the information.
Vishers use threats of an impending arrest if you do not comply with their demands. They will say that you have not paid your taxes or use fear to persuade you to do something.
If you ever get a call like this, keep yourself calm and hang up to investigate if the call was from a genuine source. It is most likely that it was a scam.
Let us look at commonly used vishing messages:
While it is important that everyone knows how to spot a vishing attack, it is even more pertinent that one takes the steps to prevent it from happening.
It is free to add your personal or home number to this registry. By doing so, you will stop getting unsolicited calls from telemarketers.
When you receive an automated message that asks you to press buttons on your phone, do not do it.
Cybercriminals will use this technique to identify people who are susceptible to such targeting. They may even record your voice and use it to navigate voice-automated phone menus.
Do not hesitate to ask the caller to identify themselves. Alternatively, you can also use the internet to search for the caller, the company they represent and ask them for any other information that can be used to verify their identity.
If you receive a call from an unknown person, do not offer them any personal or confidential information.
Even information as simple as the name of your high school could be a security question that your bank asks to verify your identity. Scammers will try to sound nice to get access to your information, do not give in.
If you think that the caller might not be from a trustworthy source, then hang up immediately. You can also check for the correct number of the organization they claimed to be from and cross-verify it.
Listen to the caller carefully and analyze whether they are using social engineering techniques such as using urgency, punishment, or fear to make you give up critical information.
Another simple but highly effective step to not becoming a phishing victim is to avoid responding to any unsolicited emails, outreach messages, or marketing communications.
If the caller says that they are giving you a free prize, ask them for proof by asking for information to verify the same.
Make sure you ratify the identity of the caller before you proceed to give even the tiniest of information.
Falling prey to a vishing scam can be devastating mentally and will even result in loss of resources, usually money. Educate yourself, your loved ones, and colleagues as to how they can stay safe from vishing scams.
If you have shared your personal or financial information recently, and you suspect that it might be a vishing call, then inform your financial institution or the government agencies.
There are multiple agencies, such as the Federal Trade Commission (FTC), Better Business Bureau (BBB), and the Internet Crime Complaint Center (IC3) that are working against vishing scammers.
If the vishing attacks have happened in an organization, then create a procedure where employees are asked to report the calls. The report should include the following information:
Create a plan where your call center staff educate the customers about the plan of action they could follow when they receive such calls.
Let the customers know that the bank will never call, text, or email, asking them to provide their debit or credit card information.
If they receive such calls, they should immediately hang up. Remind them that one can easily spoof caller IDs.
Ask the customers to identify the area codes that they were requested to call. Inform the local FBI authorities or report it online so that they will handle it.
FBI authorities can get the phone line shut down immediately, thereby preventing someone else from being defrauded.
You can also report the vishing calls to the Federal Trade Commission online.
Why bother recovering when you can prevent vishing attacks in the first place? Cyvatar was built on the concept of preventing attacks before they even hurt you.
The best way to prevent vishing attacks from succeeding is to avoid sharing sensitive information over the phone. However, with Cyvatar’s end-to-end prevention, you can stop the vishing attacks even before they happen.
Cyvatar protects your endpoints, preventing any data exfiltration, ensuring the phone numbers of clients and employees remain safe within each endpoint of your network. This helps prevent the attackers from getting the phone numbers needed to launch the vishing attack.
Should things go south, Cyvatar and Cysurance’s cybersecurity guarantee has your back and covers up to $100,000 in breach-related costs.
Circa Las Vegas
Thurs. Aug 5th
Cybersecurity Reunion Pool Party at BlackHat 2021