Scamming has become a routine part of modern life. Whether at work or home, your employees are bombarded with advertisements, malicious emails, and links infected with viruses and malware. From the CEO to hourly employees and contractors, you’re depending on everyone connected to your business to protect sensitive information.
Testing your employees is one of the most important parts of designing an effective security awareness training program for your organization. Before you can do that, you need to understand the threats that are most likely to become problems for your company. That means understanding what a vishing attack is and how it works.
This guide will introduce you to vishing, including detailed examples and proven techniques to prevent scammers from vishing you and your employees. Use this information to educate everyone working for your company, preparing them to recognize an attack when they encounter one.
What is Vishing?
Vishing is a form of phishing scam that uses voice telephone messages. It’s also known as voice phishing or voice over internet protocol (VoIP) phishing. Phishing attacks are designed to “fish” for information that is later used to commit further crimes like identity theft or the illegal use of bank cards, insurance information, and other resources.
Vishing Vs. Phishing
A fisherman throws his nets out into the ocean and hopes to pull them back in with something of value as a reward. Phishing attacks and vishing calls do the same. However, with vishing, cybercriminals send voice messages instead of emails in hopes of obtaining private information. Sometimes those messages are live phone calls with a real person on the line, but voicemail messages and text messages sent to hundreds or thousands of people at once are becoming more and more common. Keep in mind that a vishing contact could be an automated message or a voice call from a real person.
Most people have become accustomed to hearing about hackers gaining access to large databases of email addresses, phone numbers, and social security numbers through phishing. But vishing is more personal because the attackers target individuals and play on their trust and human emotions to convince them that it’s okay to give out sensitive information.
When a vishing scam is successful, there is always one person who doesn’t realize what’s happening until it’s too late. Protecting your organization means informing everyone with access to sensitive information so that they don’t become the next victim of a scam.
Why is Vishing So Dangerous?
Vishing is dangerous for several reasons:
- It gives criminals access to sensitive, personal, and company information. That information is then used to commit a variety of crimes, ranging from identity theft to financial theft. For a company, it could mean a serious leak of proprietary information.
- Scammers use sophisticated psychological manipulation that convinces smart people to willingly give out information that they would otherwise do anything to protect. They aren’t just gaining access to a database of information. They’re convincing real humans to give out information to what they believe are trustworthy sources.
- Vishing undermines consumer trust. Most attackers use the names of respected businesses. Often, the caller claims to be from a recognizable bank or large organization. This makes people believe they’re giving information to a legitimate business, and they become less trusting of phone calls and voicemail messages once they’re aware of this category of scams. When the scam is complete, some consumers may believe their bank or employer took advantage of them. It isn’t until later that they realize the truth.
- Sophisticated technology is making it more and more difficult to distinguish a vishing attack from legitimate communication coming from a company. Victims are often pressured with powerful social engineering tactics to make fast decisions based on limited information, and even well-educated, alert professionals can become victims under the right circumstances, giving criminals access to their bank accounts and personal or financial information.
Scammers no longer need to hack into your computer system to gain valuable information about your business, your employees, or your customers. They can simply hack into the mind of an employee with access to the information they want to retrieve. Vishing rests on manipulation and trickery to do just that.
Your strongest defense is a line of well-informed employees who remain alert while at work and home. That starts by understanding vishing yourself and then continues with the implementation of strong security awareness training that reaches employees at every level. While learning to protect critical information at work, they will also become less likely victims of vishing attacks designed to steal their personal information outside of work.
You can’t fully understand vishing without seeing the techniques often used to pull off a successful scam. Next, we’ll highlight some of the most common tactics used and give some detailed examples so that you can see vishing in action.
Vishing Scam Techniques and Tactics
Everyone thinks they’re smarter than any scammer. It’s hard to imagine that you or someone you trust at work would willingly part with sensitive information, but it happens every day. To understand how and why it happens, you have to understand the techniques and tactics used by vishing scammers to steal information. This overview will introduce you to some of the more common techniques.
Impersonation & Reputation Theft
Most vishing scammers pretend they’re representatives of a trusted company. Banking institutions and large employers are commonly used. Technology makes it easy to manipulate the information that shows on caller ID. Caller ID spoofing is a popular tactic because it lets cybercriminals hide behind fake numbers. Your phone may say that you’re receiving a call from your bank or credit card company when in reality, the call is coming from a scammer in another country. Vishing scammers often hide behind the legitimate reputation of known businesses. They gain trust through deception, and by the time most victims realize that they were never speaking to a legitimate company representative, it’s too late.
Trends and Holidays
Vishing attacks often take advantage of social trends, holidays, and important dates to catch victims with their guard down. Tax time is perfect for an IRS tax scam. Charity donation scams pick up during the holiday season at the end of the year. Even the pandemic proved lucrative for scammers willing to take advantage of public panic and fear.
False Employer Requests
Vishing scammers will do their research prior to contacting victims. They will use free online resources to determine the name of a CEO or another trusted company representative. They can then contact employees and pretend that they are that CEO or representative. The scammers then request that the employees transfer funds, provide sensitive information, pay a fraudulent invoice, or take other actions on behalf of the company.
If an employee believes that they are talking to their CEO or manager, they may comply with these requests without reporting it to anyone else. It may take weeks or months before the aftermath of the scam is detected and consequences are realized.
Fake Bills or Fines
Some vishing attacks convince consumers that they have an outstanding debt or bill that they need to pay right away. Scammers will play on fear to get smart people to give out financial information in order to avoid severe consequences. They may threaten to report to the police and have the victim arrested or have the debt taken directly from their paycheck.
Some people will pick up on these scams when the person on the other end of the line demands they make payment through gift cards or wire transfers that aren’t used by legitimate businesses for bill collection. Some still go through with paying the fraudulent bill or fine because they’re worried about the threats the scammer is making.
Since there are ways that victims can uncover a scam before complying with orders, vishing scammers try to create an intense sense of urgency. They play on the victim’s emotions to make them think that they must act right away to avoid unwanted consequences. They don’t give the victim time to think rationally.
Email or Text Phishing to Phone Calls
Some vishing scams start with deceptive emails or text messages. The victim believes the message is coming from their employer, bank, or another trusted source. It alerts them to a problem with their account or an urgent issue that they need to address right away. It's always smart to never engage with text messages from a phone number you don't recognize, especially when a link or file is involved.
When the scammer then makes contact through voicemail or a live phone call, it feels more legitimate. The victim has already been primed to believe that there is an issue they need to address. They’re less likely to question the phone call if they believe it’s connected to a legitimate email or text message.
Examples of Vishing Attacks
It’s time to see vishing in action! This overview will give examples of common vishing scams. The more examples you read about, the more likely you are to recognize a vishing attack when one comes your way. Scammers are always coming up with new ideas, so stay on alert for similar scams that might not fit these examples exactly.
App Access Vishing Attack
Some of the most successful vishing scams focus on gaining access to mobile apps that contain sensitive personal information. Many apps now send verification codes to a user’s phone before providing access. Anyone who receives that code can access the account through the app. Scammers now place phone calls pretending to represent the app, convincing victims that they need to provide the code to verify their identity and clear up a problem that could have serious consequences.
This type of scam happens routinely for users trying to make money with apps like Instacart. An Instacart shopper will receive a phone call from someone stating they are a company representative. They will tell the shopper that there was a problem with their last delivery. The person on the phone is willing to sort the problem out for them, but first, they must provide the code that is sent to their phone to verify their identity.
Once the shopper provides that code, the scammer logs into their Instacart shopper account and changes the password. They now have access to the shopper’s account and earnings. They then accept orders that they never intend to deliver to the customer. Instead, they add gift cards to the order, check out at the store, and keep the merchandise.
Impersonation Vishing Scams
Many vishing attacks are designed to make victims think they’re speaking to a representative of a government agency, their bank, or a trusted business. This can include the Internal Revenue Service (IRS) or Social Security Administration (SSA). The caller informs the victim of a serious issue with their account and asks them to verify their account numbers, address, name, social security number, and other information, which gives the scammer access to the victim’s most personal information. The promise is that they will fix the problem once they verify the victim’s identity.
The personal details obtained through these types of scams, such as financial account information and bank account details, are often used to commit crimes days or even months in the future. That personal information is enough to allow someone to secure a credit card account, loan, and other financial accounts in the victim’s name. Scammers use it to commit identity fraud, which can lead to a complete account takeover. They may also use it to commit insurance fraud, or simply try to access the victim’s bank account to steal money.
Tech Support Vishing Scams
Scammers may pretend they’re IT professionals working with Google, Apple, Microsoft, or other legitimate tech companies. They state that there is a problem with the victim’s account and that they must verify personal information before they can provide the needed technical support. Once victims provide the information, the scammer can either access their accounts online or use the information for other crimes.
Another variation is to offer assistance in installing updated software that will fix a problem on the victim’s computer or phone. They may state that there is a known vulnerability and the victim’s computer was flagged as being vulnerable. The scammer sends a link to the victim’s email or phone that will install software once clicked. The software will include malware or spyware that collects information from the device after installation.
Medical Vishing Scams
Some vishing scams request insurance or Medicare information. Elderly victims are often targeted because scammers want to utilize their Medicare benefits illegally or use Medicare information to obtain other personal info. Similar scams may try to gain medical insurance information from younger people with valuable insurance through their employers.
These scams start with a caller stating that they’re Medicare or insurance company representatives. They ask the victim to verify their insurance card information, birthdate, phone number, and address, and could even go as far as asking for the victim's social security number.
How to Prevent Vishing
You can prevent many vishing scams by doing just one thing. Make it a rule that you do not reveal any sensitive or private information or answer questions when someone calls you unexpectedly. If you believe you’re receiving a phone call from your bank or any financial institution, hang up and call the bank directly on a phone number that you know is legitimate.
The same goes for any other company that may call you. Once you state that you’re going to hang up and call the caller back at the regular phone number, they will insist on giving you a different number or asking you not to call the company at all. That is an instant verification that you are talking to a scammer.
If you feel yourself getting emotionally worked up during a phone call, then you’re likely talking to a scammer who has mastered the art of intimidation through emotion. You can avoid many scams by hanging up and giving yourself space from the phone call. That gives you the opportunity to call the company in question on a valid phone number to verify the phone call. In most cases, you will find that the company has no record of ever calling you.
Another sure-fire way to prevent vishing attacks is not to answer calls from numbers you don't recognize.
To protect your company from a vishing attack and other related attacks, you need to teach employees at all levels what to look for. This ensures they're equipped with the proper knowledge and tools to prevent these types of scams.