You would think, being vigilant of cyber criminals that are trying to exploit us via phishing emails were enough, now we have to protect ourselves from Vishing attacks. Vishing, is just a new take on the old scam of phishing.
In one version of vishing, you will receive the typical phishing email, but instead of giving you instructions to click on a link or directing you to a fake/malicious Internet site, you’re given a “Customer Service” phone number with instructions to call the number and provide the requested information over the phone. Those who call the phone number, which is a Voice over Internet Protocol (VoIP) account and not an actual, legitimate business or financial institution, are led through a series of voice-prompted menus that ask for your personal data, such as your account number, password, and other critical confidential information.
In another version, you will be contacted over the phone instead of by email. The call could be from a “live” person or a recorded message asking you to confirm your personal information to validate or protect your account. Oftentimes, the criminals already have some personal information about you, such as your name and your account or credit card number. This creates a false sense of security, making you put your guard down and answering their questions more willingly. These types of calls also come from VoIP accounts.
Nowadays, Vishing Scams are on the rise. Here’s why:
- VoIP service is inexpensive, especially for long-distance calls, making it cheap to make fake calls.
- Because it’s web-based, criminals can use software programs to create phony automated customer service lines.
In the last few months, I received a voice-recorded phone call from “my bank” saying they received an online request from me to withdraw a large sum of money from my bank account. They informed me, that if the request was not made by me, to call the Customer Service number provided in the message, state my bank account number and password and they would stop the transaction immediately. And, believe me, they had me in a panic and had me convinced this was legitimate. For a second there, I was even glad my bank was looking out for me. But rather than calling the Customer Service number that was provided in the voice recorded message, I called my bank directly and realized I was Vished!
Criminals can even mask the number they are calling from, thwarting caller ID. And in some cases, VoIP numbers can belong to a legitimate subscriber whose number has been hacked.
Tips on how you can protect yourself against Vishing
- Refrain from giving out personal information when you receive a call. In uncertain situations, always ask to call them back. When you do, contact the company directly and ask an employee to verify the information requested. Doing so also informs the company of a fraudulent activity they may not know about. Hang up if you’re unsure.
- Check for “https://” in the address bar of all commerce websites. Always look for proper encryption and certification, especially when directed to the website by someone over an email or phone conversation.
- Review your account statements on a regular basis to be sure all transactions were made by you.
- Ensure that your preferred email-ID or mobile number is registered with the financial institution for receiving transaction alerts sent by the institution. If you find your registered
mobile number is inactive or if you are unable to make any calls, contact your telecom service provider immediately to understand the reason.
- Immediately call your financial institution or healthcare organization for any unusual transactions or beneficiaries added to your account.
I’m guessing you’re too savvy to fall for a vishing attack, but are you confident of your employees? Because if even one employee falls victim to vishing, your entire organization may be impacted.
PhishPro can help test your end-users with simulated interactive voice response (IVR) attacks over the phone using automatic dialer and also manual phone callers. Having all employees step through security awareness training and sending them simulated phishing and vishing attacks, is an essential element of your defense-in-depth. For more details, please visit www.phishpro.com.