Imagine getting a call from someone who sounds exactly like your boss, urgently asking you to transfer money. Would you do it? That’s the power of vishing – and why it’s so dangerous.
Cyber criminals are innovative and always looking for new ways to scam unsuspecting people. While criminals may use tactics like phishing and smishing which are impersonal they are often using methods that involve more personal interaction with unsuspecting individuals and play on their emotions.
What is vishing?
One very common attack method is called vishing. Vishing, or voice phishing, is a tactic where scammers will call individuals to try to trick or pressure them in to disclosing personal information or making fraudulent transactions. Most of these attacks involve live calls from real people but they sometimes scammers use pre-recorded messages that prompt you to respond by pressing buttons or entering personal information – like when a message says, ‘To speak to an agent about suspicious activity on your account, press 1.’
How does Vishing work?
There are 4 basic steps in a vishing scam:
Research: Criminals begin by looking for and researching potential victims. They gather basic information such as email address and phone number then look for additional information on a target such as workplace, names of family or friends, hobbies, interests, etc. With social media that information is more readily available with little effort.
Contact: The criminals will then call the target. Criminals can use software that fakes phone numbers and names so that what appears on your phone looks legitimate to the person being called.
Deceive: Once the criminal has connected with the potential victim on the phone they will begin to use emotions like trust or fear to get you to take action. The criminals will use one or many social engineering tactics to convince you to provide sensitive information such as bank information, credit card numbers, Social Insurance Numbers, log in credentials, etc. In some cases they will look to get more information about you, family members or even work colleagues so they can attempt to scam them as well.
Commit crime: Criminals may get you to do the work by transferring funds or sending them confidential documents. If they acquire your credential information they will begin to commit crimes such as removing money from bank accounts or making unauthorized purchases on credit cards. In some cases they may commit identity theft and use your identity to open new accounts or loans in your name.
Examples of vishing
There are many different types of vishing scams but here are a few of the most common ones:
Tech support calls – a caller impersonates a tech company saying your computer needs to be fixed. They may ask for personal information to confirm your identity then ask to remote log in to your device to fix it but are instead loading malicious software.
Bank or credit card scams – a caller poses as a representative of a bank or credit card saying their have been suspicious activities on your account. They will ask for personal information such as card numbers, passwords or PINs in order to gain access to your account.
Government impersonation – a caller poses as a representative of Canada Revenue agency or other government agencies and says you owe taxes that you must pay immediately often times with gift cards. A variation on this is impersonating law enforcement and threatening arrest if you do not pay a fine.
Service provider impersonation - a caller poses as a representative of a service provider offering you a special promotion. In the process they will seek to collect the personal information of your account to order new services or set up new accounts.
Corporate extortion or espionage – through a number of phone calls a criminal will attempt to gather intel on an organization then use it to convince an organization to give up corporate login credentials or immediately approve the transfer of funds to the criminal.
Artificial Intelligence has given scammers more tools to use and a notable one is the use of voice cloning. In vishing attempts the caller can make themselves sound like a family member or a senior leader of a company to add more credibility to the call. By doing so it can increase the likelihood the employee will disclose sensitive information or take a risky action like a financial transaction.
The impact of vishing
The first impact to victims is a financial impact by having the victim make purchases or send fund to the criminal. The second impact is the disclosure of highly personal information which can be used by the criminal to either take over accounts, make fraudulent credit card transaction or worse – identity theft. Another impact which is more focused on organizations is the potential for a criminal to have access to networks and data. Once a criminal has this they can steal the data or hold it for ransom.
Be aware and be diligent
Fraudsters are continuing to show their creativity with their scams and the tools they use. In all these scams they rely on deception and play on emotions to get us to take an action we normally would not do. Trust your instincts – if something doesn’t seem right exercise caution.
Here are some simple things to remember:
- Never give out information until you confirm who you are speaking to. If you are suspicious, hang up and call the person.
- If the caller creates a sense of urgency, treat with caution.
- Only open attachments and links from trusted sources.
- Never give anyone remote access to your computer.
- Be cautious about oversharing personal information on social media platforms – it can provide intel to criminals.
- If you are asked to pay in the form of prepaid or gift cards don’t do it as no credible organization will ask for payments in this form.
To learn more about fraud and how you can prevent it, we encourage you to read our other articles plus visit Bell.ca/security
for more in depth information.
- Service provider impersonation scam
- Good cyber habits to protect yourself online
- Do you suspect fraud? What to do next
