With thousands of teams worldwide being asked to work remotely to help contain the spread of COVID-19, scammers have a fertile ground to prey upon telecommuters. One scam that workers probably weren’t warned about is vishing. This is a type of fraud where adversaries use the phone and social engineering techniques to obtain confidential information from individuals — often financial information.
While less common than email phishing attacks, the scam poses a real threat. In this article, we’ll explore the concept and learn how to prevent vishing.
The different techniques of vishing
Vishing can be attempted in various ways. For example, fraudsters can have a real person on the other end of the call who is trying to scam you, or they may automate the scam with assistance from a robot.
For companies and remote teams, scammers are more likely to get a real person on the line. They may warn you about suspicious or fraudulent bank transfers or mention that they’re calling from IT support. The aim is to gain remote access to systems or lure you into giving sensitive information about your company.
To get an idea of how this might play out in the real world, here’s a video from GetSafeOnline.org showing audio reconstructions from actual phishing attempts.
Vishing typically relies on VoIP (Voice over Internet Protocol) technology and caller ID spoofing. Scammers “spoof” a number, making the victim’s caller ID display a trusted contact. Beyond that, they simply rely on the personal touch of a human voice and an unsuspecting target to make the attack successful. If a scammer already has access to some of the victim’s personal data (which they may have sourced from the dark web or another scam), they can easily mimic a conversation that a person would expect to get from a legitimate source.
Newer technologies, such as deepfakes, are also sparking concerns over the protection against phishing. Now remote workers also need to watch out for AI-based vishing where malicious actors use software to impersonate the voice of a key figure at their company. Oversight in this area could result in workers losing their jobs and their companies taking a financial hit.
Real-world examples of vishing
Krebs on Security covered a worrying story of a near-successful phishing attempt. Panic Inc. founder Caleb Sasser told the source that an attacker managed to spoof his phone number to match his bank, and claimed to be contacting Sasser to help reverse some potentially fraudulent charges. Because the bank was offering to mail a new ATM card, Sasser went as far as entering a new PIN into his phone, only to pull back at the last minute. Had he not realized the call was a scam, the scammers would’ve been able to copy his PIN and carry out transactions freely.
In another instance, hackers managed to use AI-based phishing to scam a UK-based energy firm. An adversary used voice generation software to impersonate the accent and tone of a German executive who works at the UK company’s parent firm (situated in Germany) to get the UK subsidiary’s CEO to transfer funds to a Hungarian supplier, with the guarantee that the money will be reimbursed immediately. This helped the malicious actor squeeze $243,000 from the company. The sum transferred to the Hungarian bank account was subsequently shifted to Mexico and then distributed to other countries.
Fraudsters are becoming so good at spoofing that even the most tech-savvy people can be tricked into sharing confidential information. It’s no wonder that they see the new wave of remote workers as the low-hanging fruit. Remote workforce newbies are unaware of the best practices that experienced remote workers know well, such as how to prevent vishing by staying calm and vigilant.
How to prevent vishing
You’ll find plenty of advice when you search how to prevent vishing attacks. Here are the most effective steps to take:
- Sign up for the National Do Not Call Registry: The National Do Not Call Registry offers a way to stop unwanted sales calls. Once you join the registry, you can expect it to take up to a month for the calls to stop. This will help keep you safe from vishers who pose as telemarketers to keep their identity hidden.
- Be aware: Always remember that a legitimate business doesn’t make unsolicited requests for financial or sensitive information over the phone. Anyone who makes such a request is probably trying to steal your credentials. If someone tries forcing you into sharing your personal information, hang up.
- Verify their identity: Scammers who execute a vishing campaign will always contact you before you contact them. If any company or person you know in real life calls you and creates a sense of urgency, hang up and call that business or person back yourself, using the number you typically dial to reach them. If they share a call-back number, ignore it and search for the firm’s official public business number instead.
- Download a caller ID app: Caller ID apps like Truecaller can help increase your smartphone’s call blocking and detection capabilities. Once installed, the app will block confirmed spam numbers (there are over two billion spam numbers present in Truecaller’s database) and allow good numbers to go through. If a certain number ends up being a vishing attempt, you can add it to the app’s database manually.
- Be mindful of prompts: If you receive an automated message asking you to respond to questions or press buttons, don’t do it. Scammers do this to gauge the responsiveness of their targets so that they can cast a wide net for robocalls. Your best defense is to ignore such requests and activate the filter/blocking system on your smartphone.
- Take security awareness seriously: Educate yourself and your coworkers about potential vulnerabilities and scams. Tell them to verify the caller’s identity, hang up if he/she requests confidential information and be wary of emotional manipulation.
Unsolicited calls can throw a wrench into your growth plans, but you can always recover with help. Keep up to date on the latest scam techniques and learn how to prevent vishing as soon as you can. While the attacks are crafted to trick you, you can stay ahead of the malicious actors by understanding the red flags that point towards vishing.
- Reconstruction of actual vishing call to a small business – Archie Hicks, Get Safe Online (YouTube)
- Voice Phishing Scams Are Getting More Clever, Krebs on Security
- National Do Not Call Registry, Federal Trade Commission