Vishing (a blend of the words ‘voice’ and ‘phishing’) is social engineering carried out over voice calls to extract personal or sensitive financial information. Stated another way, vishing or voice phishing is criminal fraud perpetrated via phone. Criminals use it to obtain data that can be used to defraud you or your company, and the motivation is usually money taken at your expense.
Vishing schemes target information that can be used to commit fraud or financial crimes in your name or your company’s. Criminals commonly seek sensitive financial details such as:
- Account Numbers
- Credit Card Information
- Banking Information
- Banking PIN
Characteristics of a Vishing Attempt
Cybercriminals use much the same psychology as legitimate brands to gain your trust. The caller will often sound official, professional and courteous, and may quote details that are genuinely valid for you or your organization (a partial account number, a recent transaction, a colleague’s name) to appear legitimate. They then apply a false sense of urgency to pressure you into sharing the sensitive information they are after. A direct, urgent request for personal or sensitive financial information is a dead giveaway for vishing.
How to Spot & Avoid Vishing
Do not treat any incoming phone communication (of any kind) as a channel for sharing sensitive financial or personal information. Caller ID is merely asserted by the originating party and its carrier, so the displayed number can be easily spoofed (falsified) and should not be taken as proof of who is calling. As a general rule, never give out sensitive personal or financial information on an incoming call.
If you get a call from an organization you do business with, tell the caller that you do not share such information over the phone. Do not trust any callback number given during an incoming call. Instead, take the number from a trustworthy source such as your bill statement or the organization’s official website, and call the company directly on that number.
Sensitive Information Request
If an incoming call asks you for sensitive personal or financial information, simply decline to provide any. Hang up and block the number. Such requests are a telltale sign of a vishing attempt.
Don’t Answer Suspected Vishing
If your caller ID shows an unknown number, or the call claims to be from an organization you do not do business with, simply do not answer. If a fraudulent caller keeps trying, block the number.
Beware of Deepfakes
Computer-generated audio has become highly advanced. Deepfake technology can produce audio that sounds like a person you know and trust, giving the impression of a legitimate communication; a voice you recognize is no longer proof of identity. The best defense is to treat every incoming call as untrusted: if the request matters, hang up and call the person back on a number you already have, not the one that called you.
If you answer a call and sense that something is off, simply hang up. Do not give the scammer time to social engineer you into divulging sensitive information. If you receive a call from an IVR (Interactive Voice Response) system, do not answer any prompts or dial any numbers. The best course of action is to hang up.
As a rule, do not trust any incoming phone communication. Calls are easily spoofed over VoIP networks, so the number on your display proves nothing. Go directly to your billing statements from that organization or to its official website for valid contact information, and share sensitive personal or financial information only on a call you initiated to the official number listed there.
More recently, the STIR/SHAKEN framework (STIR, Secure Telephone Identity Revisited, is the IETF signing standard; SHAKEN is the carriers’ deployment profile) aims to combat caller ID spoofing over public telephone networks: the originating carrier signs a claim about the calling number and how confident it is in that number, and the terminating carrier verifies the signature before marking the call as verified. Most enterprise-grade VoIP providers and mobile providers already support STIR/SHAKEN or are currently rolling it out. Although this is a great step forward, technology is never a panacea for security concerns: a ‘verified’ indication only means a carrier vouched for the number, not that the caller is who they say they are, and calls with weak or no attestation still reach your phone. People and how they behave remain your greatest deterrent to vishing. Information security always requires a holistic and layered approach. End users in your organization need ongoing security awareness training to defend against threats like voice phishing. The prevalence of vishing merely compounds the need for consistent end user security training. Stay safe and when in doubt, hang up!
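To make the STIR/SHAKEN claim above concrete, here is a miniature of the exchange in Go. This is an added example, not code from the original article or from any carrier or vendor. It signs and verifies a SHAKEN PASSporT (the JWS token carrying the calling number and the attestation level) and then shows why a spoofer cannot manufacture one. Assumptions: a locally generated P-256 key stands in for the certificate an STI-CA would issue (a real verification service fetches the certificate at the `x5u` URL and checks its chain, which is skipped here); the `x5u` URL, phone numbers, clock value and `origid` are constructed for the demo; and the 60-second freshness window is an assumption rather than something the article states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Passport holds the SHAKEN claims of a PASSporT (RFC 8225 + RFC 8588): Attest is "A" full, "B" partial, "C" gateway.
type Passport struct {
	Attest, OrigTN, OrigID string // attestation level, asserted calling number, opaque origination id
	DestTN                 []string
	IAT                    int64 // issued-at, Unix seconds
}
var b64 = base64.RawURLEncoding // JWS base64url, no padding

// NewCarrierKey stands in for the key behind an STI-CA issued certificate (an assumption for this demo).
func NewCarrierKey() *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return key
}

// SignPassport is the originating carrier's authentication service: it binds the calling
// number and an attestation level to an ES256 signature over the JWS signing input.
func SignPassport(p Passport, key *ecdsa.PrivateKey) (string, error) {
	// encoding/json sorts map keys and omits whitespace, the canonical form RFC 8225 signs.
	hj, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport",
		"x5u": "https://sti-ca.example/cert.pem"}) // hypothetical certificate URL
	cj, _ := json.Marshal(map[string]interface{}{"attest": p.Attest, "dest": map[string][]string{"tn": p.DestTN},
		"iat": p.IAT, "orig": map[string]string{"tn": p.OrigTN}, "origid": p.OrigID})
	input := b64.EncodeToString(hj) + "." + b64.EncodeToString(cj)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S (32 bytes each), not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating carrier's verification service. The handset earns a
// "verified" indication only if header, signature, freshness and attestation level all pass.
func VerifyPassport(token string, pub *ecdsa.PublicKey, now int64) (Passport, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Passport{}, errors.New("malformed PASSporT")
	}
	var hdr struct{ Alg, Ppt, Typ string }
	if hj, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hj, &hdr) != nil ||
		hdr.Alg != "ES256" || hdr.Ppt != "shaken" || hdr.Typ != "passport" {
		return Passport{}, errors.New("unexpected PASSporT header") // also refuses alg substitution
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Passport{}, errors.New("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Passport{}, errors.New("signature invalid: claims altered or not signed by the trusted carrier")
	}
	var c struct { // encoding/json matches these field names to the lower-case claim names
		Attest, OrigID string
		Dest           map[string][]string
		IAT            int64
		Orig           map[string]string
	}
	if cj, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cj, &c) != nil {
		return Passport{}, errors.New("bad PASSporT claims")
	}
	if c.IAT < now-60 || c.IAT > now+60 { // 60 s freshness window, an assumption for the demo
		return Passport{}, errors.New("PASSporT outside freshness window: possible replay")
	}
	if c.Attest != "A" && c.Attest != "B" && c.Attest != "C" {
		return Passport{}, fmt.Errorf("unknown attestation level %q", c.Attest)
	}
	return Passport{Attest: c.Attest, OrigTN: c.Orig["tn"], DestTN: c.Dest["tn"], IAT: c.IAT, OrigID: c.OrigID}, nil
}

func main() {
	key, now := NewCarrierKey(), int64(1700000000) // constructed clock
	call := Passport{Attest: "A", OrigTN: "12025550143", DestTN: []string{"12025550199"}, IAT: now, OrigID: "demo-1"}
	tok, _ := SignPassport(call, key)
	p, err := VerifyPassport(tok, &key.PublicKey, now+5)
	fmt.Println("genuine:", p.OrigTN, "attest", p.Attest, err)
	// A spoofer can sign any number it likes, but not with the trusted carrier's key.
	forged, _ := SignPassport(Passport{Attest: "A", OrigTN: "18005550100", DestTN: call.DestTN, IAT: now, OrigID: "x"}, NewCarrierKey())
	_, err = VerifyPassport(forged, &key.PublicKey, now+5)
	fmt.Println("spoofed:", err)
}
```

The point of the demo is the asymmetry: anyone can put a number in the caller ID field, but only the originating carrier can produce a token the terminating carrier accepts, and the token says how much that carrier actually knows about the caller. Note what verification does not do: a level "B" or "C" token only states that the carrier handled the call, not that the customer is entitled to the number, and a call arriving with no token at all is simply unverified, so the callback discipline described in the article still applies.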