Vishing is a type of phishing attack carried out by phone. The word “vishing” comes from “voice” and “phishing”. Phishing scams are most often done through email, and are named for the idea that a fraudster is dangling a hook or a lure to get unsuspecting victims to reveal sensitive information, like usernames, passwords, or credit card details, through an email response or by clicking a link and entering the data on a website. In a vishing attack, a scammer uses a phone call to target their victims and steal information, money, or both.
Vishing can also be a type of social engineering scam — that is, the criminal uses specific or “vague enough to be real” details about the victim to get them to believe the scam caller is real and should be trusted. Vishing calls may come from a blocked number, or a fake or spoofed phone number used to impersonate a legitimate person or organization. Fraudsters also use robocalls to carry out vishing schemes on a larger scale.
HOW DOES VISHING WORK?
The person or robot placing the phone call uses a sense of urgency or the guise of an emergency to ask you questions confirming your identity or personal details, and then asks for even more information. The pretext is not always a negative situation, either. Sometimes the urgency comes from the excitement of potentially winning money, gifts, or trips. Unfortunately, it’s all fake when it comes to vishing scams. What the scammer really wants is your Personally Identifiable Information (PII), financial account details, medical information, or other sensitive data, and they want you to give it to them over the phone quickly, before you have time to realize it’s a scam.
Common vishing pretexts to watch for (what the caller may claim):
- Your Social Security number has been compromised
- Your bank account has been red-flagged
- A credit card charge needs to be verified
- The IRS has discovered discrepancies in your tax return
- Your vehicle is qualified for an extended warranty
- Your computer has been compromised and requires tech support services
- There is a warrant issued for your arrest
- Your friend or family member needs money to get out of trouble
- Your friend or family member was in an accident
- You have won a free vacation (or sweepstakes, or lottery, or giveaway)
- You’re eligible for a free trial or free product, something you didn’t request
- A charity is requesting a donation
HOW DOES VISHING DIFFER FROM PHISHING?
Vishing is a form of phishing by phone. Phishing scams are conducted through unsolicited emails, texts (smishing), phone calls (vishing), and fake websites — all used by scammers to collect information from a victim to commit fraud.
Phishing, vishing, and smishing scams claim more victims than any other type of cyber fraud, costing consumers $57 million in fraud losses.
WHAT IS THE HARM IN VISHING?
When victims are tricked into sharing their name, date of birth, Social Security number, bank account details, and other sensitive information, fraudsters are equipped to commit credit card fraud, account takeovers, and identity theft using that information.
WHAT DO I DO IF I’M A VICTIM OF VISHING?
If you have shared your personal information, bank account or credit card number with a caller you suspect was running a vishing scam, report the call to your financial institution and government agencies. Several agencies are working to reduce fraud and capture scammers, including the Internet Crime Complaint Center, the Federal Trade Commission (FTC), and the Better Business Bureau (BBB).
HOW CAN I PROTECT MYSELF FROM VISHING?
- Think before you speak. If you receive a phone call from an unknown number or a familiar name you weren’t expecting a call from, do not share your sensitive information, especially if the caller requests ANY information from you to confirm who you are before proceeding with the call. Scammers want you to react and divulge your information. The person on the other end of the line may sound sincere and trustworthy, but that doesn’t mean they’re legitimate.
- If you are worried a phone call you receive is a scam, hang up. Calling the number back will only connect you with the scammer again. Look up the correct number yourself through an organization’s website or phone directory, or call the number listed on your bank or account statement or the number on the back of your credit card.
- Is that really a government agency? Remember, the Social Security Administration and the IRS will never call you to request personal information or make threats.
Some good news is on the horizon to help fight vishing attacks and caller ID spoofing: the FCC has been working with telecommunications providers to create new ways to digitally validate Caller IDs (through STIR/SHAKEN authentication standards). Such validation processes would greatly reduce the ability of vishing scammers to spoof legitimate names and phone numbers, giving them one less way to fool you into exposing your personal and financial information.