Phishing is an email scam in which the scammer poses as a credible source to deceive recipients into revealing sensitive information or downloading malware. Vishing is a similar “voice phishing” scam with many variations, which can fool even large organizations, with potentially catastrophic consequences.
In 2020, phishing, vishing and other scams cost more than 241,000 victims over $24 million, based solely on cases reported to the FBI; many other cases of fraud are never reported to the authorities. According to the international cyber security company ESET, users can take measures to avoid falling victim to voice phishing.
But how do these vishing scams work? Scammers use social engineering to manipulate their victims. They present themselves as an organization that you trust – e.g. your bank, the technology company you work with, a government agency, a technical support worker – and give you the impression that something urgent or worrying has happened. The sense of urgency or fear they create overrides any natural caution or suspicion that the victim may have.
These techniques are also used in phishing emails and fake text messages (known as SMS phishing). But they may be more effective when used “live” over the phone.
Vishers – that is, fraudsters who use voice phishing techniques – have many additional tools and tactics to make their scams more successful, such as:
– Caller ID spoofing tools, which can be used to hide the real location of the scammer and even change phone numbers to make it appear that the call came from a trusted organization.
– Scams that combine different tactics, which may start with a fake SMS (smishing), a phishing email or a voicemail that encourages the user to dial a number. If the victim calls, they will speak directly to a scammer.
– Research on social media and open sources, where scammers can find a wealth of information about their victims. Scammers can use this information to target specific individuals (such as employees of companies with access to privileged accounts) and to make the communication appear more legitimate – that is, the scammer may disclose certain personal information to the victim in order to extract more information from them.
Such attacks have become more common thanks to the massive shift to remote work during the pandemic, as the FBI has warned. An attack on Twitter, in which employees were deceived by vishers into revealing their logins, shows that even technology companies can fall victim to an attack.
Scammers use vishing to attack consumers as well. Their ultimate goal is to make money, either by directly stealing bank account or card details, or by tricking you into giving out personal information and credentials that they can use to access these accounts.
Here are some common scams:
– Technical Support Scams: In technical support scams, victims are often approached by someone pretending to be calling from a telecommunications provider or a known software or hardware vendor. Scammers will claim to have found a problem with your computer and then ask for a fee (and your card details) to fix it. Sometimes, the process involves downloading malware without the victim's knowledge.
– Sending messages to a large number of telephone numbers (Wardialing): This is the practice of sending automated voice messages to a large number of victims, usually to scare them into calling back – for example by claiming that victims have unpaid tax bills or other fines.
– Telemarketing: A phone call in which the scammer claims the victim has won a prize and that a cash deposit is required before the victim can receive it.
– Phishing / smishing: Scams can start with a fake email or fake SMS, encouraging the user to call a number. A popular scam is an email from a “company” claiming that something is wrong with a recent order. By calling the number, the victim will eventually connect with the scammer.
To prevent voice phishing, according to ESET, there are some basic protection steps:
- Remove your phone number from the phonebook so that the number is not available to the public.
- Do not fill in your phone number on online forms (i.e. when shopping online).
- Be wary of requests over the phone for information about your bank, personal or other sensitive information.
- Be cautious – do not enter into discussions with someone who is calling you, especially if that person asks you to confirm sensitive information.
- Never call back a number that was given to you via voicemail. Always first contact the organization that the caller claims to represent.
- Use Multi-Factor Authentication (MFA) on all online accounts.
- Make sure email / Internet security software is up to date and includes anti-phishing features.