SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

What is vishing? Tips to spot and avoid voice phishing scams

Thu, 2nd May 2024

In today's digital landscape, vishing poses a significant threat to our security. In this post, we'll break down how vishing works, common types of vishing techniques, and how to prevent vishing scams. Here's what to know about vishing attacks and how to keep yourself (and your data) secure.

What is vishing?

Vishing, short for "voice phishing," is a cyberattack carried out over the phone. During a vishing phone call, a scammer may try to get you to share personal information and financial details, such as bank account numbers and passwords.

Scammers accomplish this by posing as a trustworthy or authoritative source during a phone call. They may spoof the caller ID to appear legitimate or even use Voice over Internet Protocol (VoIP) technology to place hundreds of calls at a time for more widespread attacks.

What's the difference between phishing, vishing, and smishing?

Vishing, smishing, and phishing are different forms of cyberattacks designed to gain access to your data, spread malware, and defraud or extort people.

Each of these attacks uses deceptive techniques to lead you to reveal your personal information. The difference lies in the method of communication used to carry them out.

Here's a breakdown of their differences:

  • Phishing: Phishing is a type of cyberattack that uses fraudulent emails, texts, calls, or online messages to steal data, gain access to account information (including logins), and monitor online activities. This can be accomplished by tricking recipients into clicking malicious links or visiting fake websites.
  • Vishing (voice phishing): Vishing is a form of phishing that involves voice communication. Vishing calls may be from a real person or a pre-recorded robocall; either way, criminals use voice tactics to trick you into taking certain actions that put your personal data at risk.
  • Smishing (SMS Phishing): Smishing is a form of phishing conducted through text messages. Smishing and vishing attacks take place through phones, but smishing uses SMS and spam texts instead of voice calls to access your confidential info.

Three examples of vishing scams

From financial institution impersonation to tech support fraud, vishing scams tend to take on a few common forms. Here are some vishing examples:

1. Bank impersonation
A common vishing scam is when attackers pose as representatives from banks or financial institutions. Whether it's a real person impersonating the bank on the phone or a prerecorded message, a scammer will often tell you there's an issue with your account or a recent payment you made.

Using convincing scripts, they'll trick you into sharing account details or PINs. They may even have you transfer funds to another account to fix the "problem."

2. Tech support scams
This type of vishing scam frequently targets older adults (age 60+), as they are 398% more likely to fall victim to tech support scams than younger people, according to the US Federal Trade Commission.

Scammers may pose as tech support personnel from large companies like Microsoft. In this vishing scam example, the scammer could call you claiming to have detected a harmful virus on your phone or computer, or to alert you to an important software update.

From there, they'll convince you to share your personal information or login credentials and even request remote access to your devices to solve the issue or install the update.

3. Government agency imposters
Vishing attackers may impersonate government officials, issuing false warnings about unpaid taxes. The goal is to create panic, leading victims to share sensitive information or make payments to resolve supposed problems.

There are many variations of this type of scam; typically, you'll receive a prerecorded message about an issue with your tax return, warning that if you don't call back, a warrant will be issued for your arrest. Scammers usually pair this with a spoofed caller ID made to look like the call is coming from the government agency.

How to spot a vishing scam

The tell-tale signs of a vishing scam are urgency and fear tactics, unsolicited requests for sensitive info, and poor call quality, to name a few. Recognising a vishing scam is key to protecting your money and personal information.

Here's a closer look at some red flags to watch out for.

Unsolicited calls

Calls you weren't expecting can be a sign that someone is trying to vish you. If you think a call is suspicious, you can hang up, look up the real number, and call back to see if the call was legit. Most of the time, these calls are bogus, especially if they're supposedly calling from the government or a real business.

  • Government agencies: Unless you've requested contact, government agencies will never initiate contact with you. They also won't request personal or financial information from you out of the blue.
  • Banks, hospitals, or tech support: The above is also true for seemingly legitimate companies, whether a bank, hospital or even the local police. These entities will never make unprompted requests for sensitive information over the phone – always be sceptical of these calls, no matter how convincing their message seems.

What to do: If you're not 100% sure about a caller, get their name and employee ID and call the agency back via their official phone numbers listed on their website. 

Urgency and fear tactics

To pressure you into taking immediate action, scammers will use threats to create a sense of urgency. If you get one of those phone calls, remain calm and never give them any form of payment or personal information.

What to do: Ask them for more information about their request; make them slow down and provide the necessary information to assess the situation.

Requests for personal information

Anyone who calls out of the blue and asks you to confirm your bank account info or other identifying details over the phone is likely a scammer. Never share confidential info on the phone unless you can confirm the source is who they say they are.
 
What to do: Verify the caller's legitimacy by contacting the official phone number or customer support of the company they claim to represent.

Background noise or poor audio quality

Pay attention to odd background noise or generally poor audio quality on phone calls. Also, listen for unnatural or robotic-sounding voices, as they could indicate a robocall.
 
What to do: Hang up and verify the call's legitimacy by contacting the company or individual through their official contact channels. Legitimate calls typically have clear audio.

How to protect yourself from vishing

Use these tips to safeguard yourself and your data from a vishing scam:

  • Verify caller identities: Always confirm a caller's identity, especially if they request sensitive information. If they provide a call-back number, it may be part of the scam – so don't use it. Instead, search for the company's official phone number and call them to confirm if the call was legitimate.
  • Ignore calls from unknown numbers: Although it may be tempting to answer every phone call, simply let them go to voicemail if you don't recognise the number. Listen to your messages and decide whether to call the person back.
  • Trust your instincts and hang up: The moment you suspect a vishing phone call, don't feel obliged to converse politely. Simply hang up and block the number.
  • Join the Marketing Association's Do Not Call Register: Adding your home or mobile phone number to the Do Not Call Register is free and tells telemarketers you don't want their phone calls. It won't stop people from illegally calling your number, so it's important to remain vigilant against suspicious calls.
  • Use call-blocking features: Enable call-blocking features on your phone to filter out potential vishing scams. Most smartphones offer this function to help you avoid fraudulent calls.
  • Use two-factor authentication: Add an extra layer of security to your mobile device and accounts by enabling two-factor authentication.

The tips above can help you identify and avoid vishing attempts – and improve your overall cybersecurity.

Keep you and your phone safe from scammers
While vishing attacks are crafted to trick you, learning the red flags can help stop you from giving out the information after you pick up a call from a visher. With this knowledge, you can stay ahead of cybercriminals who are trying to tap your personal details over the phone.

Comprehensive internet security software helps protect you from fraudsters and other cyber crooks by constantly scanning your devices for malware and defending against phishing by blocking fake websites. Choose one that also includes a password manager and VPN to help you create better password habits and keep your searches private.
