Between The Hacks


Vishing


Phone scams are almost as old as the telephone itself. In fact, most of us have likely been the target of a vishing attack but were not familiar with the term "vishing." According to Proofpoint's 2020 State of the Phish Report, only 25% of those polled were able to accurately define the term.

What Is Vishing?

The term "vishing" is a combination of the words "voice" and "phishing" (voice + phishing = vishing).

Vishing is a form of phishing that uses voice calls rather than email to trick a victim into divulging personal, sensitive or confidential information to an attacker. Essentially, it's a new term for the old phone scam. Vishing scams come in all forms, from debt collection, to charities raising money, to an attacker pretending to be calling you from your bank.

CSOonline writes, "Almost all vishing attacks have a few things in common. The phone calls are initially placed via voice over IP (VoIP) services, which makes them easier for the vishers to automate some or all of the process and more difficult for victims or law enforcement to trace. And the attackers' ultimate goal is to profit from you in some way." Because the calls originate from VoIP services, attackers can also spoof caller ID, so in some cases the call looks as if it is coming from a known or trusted phone number.

Vishing Statistics

To better understand how prevalent vishing attacks are, the following statistics were taken from the 2019 Scam Call Trends and Projections Report.

  • Over 28% of all scam calls targeted victims using personal data.

  • 75% of all scam victims were called by scammers who already had their personal information.

  • Nearly 1 in 3 people who experienced a loss of at least $1000 thought they were answering a call from a business they knew.

  • 39% of victims said the scammers knew their home address.

  • 75% of scam victims reported that the scam callers were able to verify all or part of their social security number.

Examples of Vishing

Not all vishing calls are made to the victim directly. In this video, you will see how a social engineer at the DefCon hacking conference was able to take over a reporter's cell phone account (with the reporter's permission) just by making a phone call to the carrier.

What Can You Do To Protect Yourself?

  1. Don’t give personal, sensitive information to anyone who calls you directly unless you can absolutely verify their authenticity.

  2. If you do get a call that could be a vish, look up the company's phone number yourself and call them back on that number. However, be careful: some vishers are setting up rogue sites that list false phone numbers, so use extra caution when looking up the number.

  3. Understand that attackers may have some information about you when they call.

  4. Don’t answer calls from unfamiliar numbers.

  5. Don’t pay callers with gift cards or wire transfers. Scammers want these as payment because they are almost impossible to track and you have no way to reverse the charges. Instead, make payments with a credit card.

  6. Report vishing attacks.

    1. If you've lost money to a phone scam, or have information about the company or scammer who called you, report it at ftc.gov/complaint.

    2. If you didn’t lose money and just want to report a call, you can use the FTC’s streamlined reporting form at donotcall.gov.