When a stranger calls: a beginner’s guide to vishing attacks and how not to fall victim

Getting a call from the tax authority isn’t something most of us look forward to. But things can get infinitely worse when the person claiming to be a revenue service representative turns out to be a scammer looking to rob you blind.

This happens way more often than you’d probably think, prompting the IRS, the US government agency responsible for collecting taxes, to issue regular warnings to taxpayers about fake calls from the Taxpayer Advocate Service demanding payment, revenue service impersonators threatening arrest, and everything in between.

According to 2022 surveys of working adults and IT professionals, almost seven in ten respondents reported having encountered vishing attacks, a 54% increase compared to 2020. This week, we’ll delve into the world of vishing scams, from why and how they happen to what strategies can prevent individuals and businesses from becoming a statistic.

First things first: what does vishing mean?

So what is vishing? A portmanteau of “voice” and “phishing,” vishing in cyber security refers to a type of social engineering technique where fraudsters use telephony and voice technology to steal personal information, such as passwords, bank account details, or money from their targets.

By definition, vishing fraud falls under the umbrella of phishing attacks. Phishing describes scams that are carried out through various means, including email, text, and calls, to persuade victims into divulging sensitive information and commit identity fraud – more on that later.

How does vishing work – and what makes vishing scams so effective?

In vishing attacks, the Center for Internet Security explains, fraudsters use phone calls or voice messages to impersonate legitimate businesses and trick victims into giving them money or sharing personal information. These calls can be made by actual people or using automated robocall technology – or both.

For example, a vishing attempt might start with the scammers leaving their target a voicemail message alerting them that their Apple Pay accounts have been suspended due to unusual activity. Then they’ll ask them to call a phone number to reach the customer service or fraud team and resolve the issue. Whoever answers will ask for their sensitive information, such as PIN codes and login credentials, to “verify their identity” and “reactivate their account.”

Of course, no legitimate business, government agency, or financial institution would ever ask people to share their username and password for online banking, social security number, or debit card details over the phone. Nor should anyone ever give out such information to an unsolicited caller, no matter who they claim to be.

So why do victims still fall for them? Let’s see the main reasons.

1. Spoofed phone numbers
   In vishing frauds, criminals often spoof phone numbers that belong to established companies or individuals to appear legitimate and prompt people to drop their guard. Earlier this year, for example, the ACCC issued a warning to alert Australian consumers to a new scam where hackers make their call appear to come from a bank’s actual phone number or send a text that pops up in the same conversation thread as genuine bank messages. The competition watchdog received 14,603 reports of bank impersonation scams in 2022 alone, resulting in more than $20 million in losses.
2. Tricks to build trust
   Another reason why vishing attacks can be so convincing is that scammers often rely on personal information they’ve gathered from other sources to disguise a vishing attack as an honest exchange, Bank of America points out. They might be able to provide details such as your address or the last four digits of your social security number, which they have looked up online or purchased on the dark web, respectively. This, combined with a friendly, polite tone and technical lingo, is used to put victims more at ease.
3. A sense of urgency
   Tricking people into acting without thinking is a key tool in vishers’ arsenal. As you’ll see in the vishing examples of the next section, they do so by triggering an emotional response in victims, such as fear, greed, curiosity, or a desire to help. In the wake of Hurricane Florence, for instance, the IRS reminded taxpayers to be wary of scammers trying to take advantage of their generosity by impersonating existing charities or making up bogus ones to solicit money or financial information via telephone and other means.

From phantom bills to prizes: vishing attack examples

It’s important to note here that vishing attacks come in all shapes and sizes. Some are carried out against private individuals, some against businesses, some scammers are motivated by a desire for money, some by a desire for retaliation. Here’s an overview of the most common examples of vishing attacks.

1. The unpaid bill
   In this classic example of vishing, fraudsters pretend to call on behalf of a government agency, more often than not the tax authority, and threaten financial penalty, business or driver’s license suspension, or even arrest or deportation, if the victim doesn’t pay up.
2. The compromised account
   Another ruse is when scammers pose to be representatives of the victim’s bank or credit card company, who call to alert them to unusual activity detected on their account. The recipient of the call will then be asked to provide personal information to verify their identity.
3. The program enrollment
   Medicare fraud in the US is a good example of this vishing attack subgenre, targeting unsuspecting seniors during the open enrollment period. The goal of these schemes is to steal personal information or people’s Medicare number, which then can be used to file bogus claims.
4. The winning of a prize or contest
   One of the oldest tricks in the book, prize scams take advantage of the fact that most of us wouldn’t say no to a freebie. Unsuspecting targets, however, can quickly go from prize winners to fraud victims, should they volunteer their personal details to “process their winnings.”
5. The technical problem
   In this case, vishers call their targets, often employees of large organizations, to offer technical help with fixing or updating their computers. Posing as IT professionals, they convince victims to share their login details on a spoofed website or worse, grant remote access to their device.

Phishing vs. smishing vs. vishing: what’s the difference?

In terms of the end goal, there isn’t much. Phishing, smishing and vishing attacks are all orchestrated to steal money or personal information from victims. How scammers go about stealing them, however, varies greatly, giving rise to an entire taxonomy of impersonation-based cyberattacks.

Phishing attacks get their name from the notion that hackers fish for random victims by using spoofed email addresses, websites or phone numbers as bait. According to the US National Institute of Standards and Technology, “phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.”

Carried out through text message, social media, or by phone, phishing attacks range from the Nigerian prince variety to Netflix membership reset messages that can barely be told apart from the real deal. Phishing scams where calls and voicemails are used as primary attack vectors are referred to as vishing. Smishing, or SMS phishing, relies on text messages or other popular messaging apps, such as WhatsApp, Viber, Snapchat, or Slack.

How to prevent vishing? 5 tips to avoid vishing attacks

1. Always be skeptical
   As we pointed out earlier, vishers use the guise of an emergency (e.g. account freeze) or sense of urgency (e.g. pending shipment) to manipulate victims into giving out sensitive information. This should always be a red flag, along with any details that might be too good to be true (e.g. prize winning) or simply out of place (e.g. the tax authority happily accepting gift cards as a way of settling tax debts).
2. Think – and double-check – before you act
   As a continuation of our previous point, confirm the legitimacy of any request involving money or personal details that comes from an unknown caller. If you’re suspicious, hang up the call, find the number of the organization the agent claims to have called from and get in touch with them via their official phone number. Also keep in mind that no reputable organization calls customers to ask for sensitive information.
3. Miss calls from unknown numbers
   The best way to steer clear of vishing scams is to ignore calls and voicemails from unknown numbers altogether. If you answer an unknown caller, make sure you never give out any personal information, especially login credentials, bank card details, or one-time passwords (OTP). Also, don’t reply to any prompts from a robocall as your voice might be recorded and later used for nefarious purposes.
4. Boost security through tools and training
   According to research, nearly half (47%) of businesses faced a vishing or social engineering attack in 2021, with 36% of respondents citing security awareness training as a key measure to protect against such attempts. Make vishing part of your business’s or organization’s cybersecurity training syllabus, from what red flags to watch out for to how to handle and report fraudulent calls internally or to the relevant authorities.