What exactly is vishing?
This question was answered on August 27, 2020. Much of the information contained herein may have changed since posting.
The term ‘vishing’ refers to ‘voice phishing’: phishing scams carried out over the telephone rather than by email. They have grown in popularity lately, since so many people are working from home during the pandemic and are harder to reach through the usual in-office channels.
Common Vishing Scams
For individuals, the most likely scam attempts will be bank-related as the scammers pose as someone from one of your financial institutions.
Because credit card fraud is so common these days, banks routinely call to verify a transaction, and mimicking that call is one of the scammers’ favorite approaches. The difference is that they’ll ask you for ‘verification’ information that banks never ask for, such as your full card number, PIN, online banking password or a one-time code, so pay attention.
Generally, there will also be noticeable language quirks, since most of these callers are outside of the U.S.
Other common vishing scams focus on IRS payments, prizes that you’ve ‘won’, law enforcement threats or tech support scams.
A very dangerous scam designed to thwart 2-factor authentication has scammers calling you to say they are conducting a security check. What is really happening is that they already have your password and are attempting to log in, which triggers the one-time code sent to your phone. They’ll ask you to read that code back to them, and if you fall for it, they can complete the login and take over your account.
One of the reasons that vishing can be very convincing is that the caller ID is typically spoofed to show a number that looks legitimate, such as the phone number printed on your bank card.
Latest Target: Remote Employees
Businesses and their employees have recently become bigger targets of the scammers with very sophisticated operations that the FBI recently warned about: https://bit.ly/3gA4IQm
The huge shift to work from home has created the perfect environment for targeting remote workers with very convincing blended attacks.
They start by researching companies through publicly available information to create a profile of the victim that can include name, address, position, email address and how long they’ve been with the company.
They then create very convincing-looking websites that may even include the company logo to convince victims that they are from the company IT department.
In many cases, they’ll tell the victim that the company is switching VPN providers and that they need to go to this new website to connect to the company network securely.
What they’re really doing is capturing the login credentials (and, in many cases, the 2-factor code) so they can access the company network themselves and launch a ransomware attack, which will lock down critical systems and demand a ransom.
Since caller ID spoofing is so easy to do, don’t take the number that appears on your phone at face value. The scammers know that many people will let their guard down when they see a number they recognize, so make sure you stop and think about what the caller is actually asking you to do.
Letting calls go to voicemail can help you identify suspicious calls because the scammer has to leave a message for you to call them back. This gives you an opportunity to cross-reference the callback number or contact your IT department through other means (text or email) to verify the request.
If they claim to be from your bank, never call the number they leave on the message. You should only call the number that is on the back of your bank card to verify the information.
Company IT departments need to provide very clear security protocols and channels of communication to their remote employees to minimize the chances of being compromised by clever vishing scams.
About the author
Posted by Ken Colburn of Data Doctors on August 27, 2020