The written word carries a certain degree of authority with it. A paper letter is quite official-looking, especially now that they’re relatively rare, and even an email can feel pretty formal. That’s why scammers often use emails to carry out phishing attacks: The gravitas of the written word can help create an air of legitimacy and mask any errors in the email’s actual language.
Phone calls typically feel more casual, in comparison, but scammers can also use them for phishing attacks. The more relaxed feeling of a phone call can help skilled con artists sidestep your mental defenses and result in a successful attack. This approach is called “vishing,” and it’s a danger you need to be aware of.
What Is “Vishing”?
The term “vishing” is a mashup of voice and phishing, which summarizes the concept pretty quickly. Like any other phishing attack, it’s an attempt to trick you into handing over something (information, credentials, access to a device) that can be exploited for gain. It’s become common enough in recent years that even Reader’s Digest has covered it!
All vishing calls are phone scams, but not all phone scams are vishing. The line between them is a fine one, but it’s distinct. A straight-up scam attempts to trick you into coughing up some cash, through intimidation (“I’m from the IRS, and you owe us money!”) or an appeal to greed (“You’ve won our sweepstakes! There’s just this processing fee…”).
Vishing plays a longer game. The con artists may attempt to coax crucial personal information from you, such as your SSN, account passwords and PINs, or they may helpfully walk you through the process of downloading and installing malware on your computer. The real damage happens after they’re successful: They can use the information you’ve given them to loot your accounts, steal your identity, target your friends, family and colleagues with impersonation scams, and — eventually — sell your information on to other criminals.
Examples of Vishing Calls
Vishing calls can take a number of different forms. These include the following.
The “Potential Fraud” Call
You receive a call that appears to come from a number legitimately belonging to your bank or credit card company. Faking a legitimate number is called “spoofing,” and it’s pretty easy: caller ID is asserted by the calling side, so the number on your screen is not proof of who is actually calling. A pleasant, professional-sounding person tells you there have been suspicious purchases on your account and, if you take the bait, will talk you through “verifying your identity” and collecting the details supposedly needed to send out a new card: card number, expiration date, security code, PIN, perhaps your online banking password. This is bogus, of course, and the information you give them provides access to your accounts and much of what they need to steal your identity.
IRS and SSA Calls
These can be either vishing or straight-up fraud, depending on their approach. In the case of vishing calls, they’ll tell you there’s an issue with your account that needs to be resolved (or potentially that they’ve corrected an error that means a balance in your favor) and that they need to verify your details.
The Call from Work
This one took on a whole new life during the pandemic as working from home became common. The caller claims to be a coworker who has misplaced their login information, or plays the harried IT person trying to sort out a SNAFU with everyone’s credentials. Often the ask is to confirm your password or to read back a login code that has just been sent to your phone. If you hand over your credentials, you’ve potentially made your whole company (and its clients!) vulnerable.
The Phishing/Vishing Combo
Some clever attacks combine phishing and vishing for maximum effect. A conventional phishing email includes a link to a dubious site or an attachment carrying a malware “payload” that installs if you open it. Email filters scan links and attachments and can block them, but a phone number is just plain text: there is nothing to click and nothing to sandbox, and it is rarely checked against a reputation list, so it flies beneath the radar.
So the attack might take the form of an email purporting to come from Amazon or a streaming service you use or the publishers of one of the apps on your phone. The pitch is that “there’s a problem with your order/account/app, so please call us toll-free to sort it out.” When you do, you’ll be deftly prompted to give up your account information or — in some cases — install malware or ransomware on your devices.
Robocalls can be used in the same way to initiate contact: A recorded message asks you to call a given number to sort out the problem with your account, and if you do, you’ll be speaking with the scammer.
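As an added example (not from the original article), here is a small heuristic scanner for the callback variant described above. It pulls phone numbers out of an email, including lightly obfuscated ones such as “8OO” written with the letter O, and scores the message on brand impersonation, urgency language and a phone number standing in for a link as the only call to action. The sample emails, brand list, urgency words and threshold are all constructed or assumed for illustration.

```python
import re
from dataclasses import dataclass, field

# Added example: heuristic detector for "call this number" phishing emails.
# Brand list, urgency words, threshold and sample messages are assumptions
# constructed for illustration, not data from the original article.

# Letters scammers substitute for digits ("8OO", "O199") so that a digit-only
# pattern misses the number while a human still reads it correctly.
_LOOKALIKES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "S": "5"})
_D = r"[0-9OoIlS]"      # one "digit", possibly a lookalike letter
_SEP = r"[\s.\-]*"      # separators between digit groups
_PHONE_RE = re.compile(
    rf"(?<![0-9A-Za-z])(?:\+?1{_SEP})?\(?({_D}{{3}})\)?{_SEP}({_D}{{3}}){_SEP}({_D}{{4}})(?![0-9A-Za-z])"
)
_TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
_URGENCY = ("immediately", "within 24 hours", "suspended", "unauthorized", "final notice")
_BRANDS = ("amazon", "netflix", "paypal", "apple", "microsoft")
_URL_RE = re.compile(r"https?://", re.I)
SUSPICIOUS_THRESHOLD = 5


def extract_phone_numbers(text: str) -> list[str]:
    """Return de-obfuscated 10-digit North American numbers found in text, without duplicates."""
    found: list[str] = []
    for m in _PHONE_RE.finditer(text):
        raw = "".join(m.groups())
        # Most of the ten positions must be real digits, so ordinary words are not mistaken for numbers.
        if sum(c.isdigit() for c in raw) < 7:
            continue
        number = raw.translate(_LOOKALIKES)
        if number[0] in "01":          # area codes never start with 0 or 1
            continue
        if number not in found:
            found.append(number)
    return found


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    phone_numbers: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_email(sender: str, subject: str, body: str) -> Verdict:
    """Score one message for the callback-phishing pattern: a brand you do business with,
    an urgent problem, and a phone number (rather than a link) as the way to fix it."""
    v = Verdict()
    text = f"{subject}\n{body}"
    lowered = text.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    v.phone_numbers = extract_phone_numbers(text)
    if v.phone_numbers and not _URL_RE.search(text):
        v.score += 3
        v.reasons.append("phone number is the only call to action, so there is no link for filters to scan")
    if any(n[:3] in _TOLL_FREE for n in v.phone_numbers):
        v.score += 1
        v.reasons.append("toll-free callback number")
    for brand in _BRANDS:
        if brand in lowered and brand not in sender_domain:
            v.score += 3
            v.reasons.append(f"mentions {brand} but was sent from {sender_domain}")
            break
    hits = [w for w in _URGENCY if w in lowered]
    if hits:
        v.score += min(len(hits), 2)
        v.reasons.append("urgency language: " + ", ".join(hits))
    return v


# Constructed sample messages (sender, subject, body); domains, amounts and numbers are invented.
SAMPLES = {
    "callback_phish": (
        "billing@amaz0n-order-support.example",
        "Your Amazon order has been placed",
        "We noticed a charge of $899.99 on your Amazon account. If you did not authorize "
        "this purchase, call our toll-free line immediately at 1-8OO-555-O199 to cancel it "
        "within 24 hours.",
    ),
    "benign_receipt": (
        "orders@example-store.example",
        "Your order has shipped",
        "Track your package at https://example-store.example/track/ABC123. "
        "Questions? Call us at (206) 555-0100, Monday to Friday.",
    ),
}

if __name__ == "__main__":
    for name, (sender, subject, body) in SAMPLES.items():
        v = score_email(sender, subject, body)
        print(f"{name}: score={v.score} suspicious={v.suspicious} numbers={v.phone_numbers}")
        for r in v.reasons:
            print("  -", r)
```

The benign receipt also contains a phone number, which is the point: a number alone is not a signal. It is the combination of a brand the sender does not own, a deadline and no other way to respond that marks the callback pitch, and the lookalike-letter handling is what keeps “8OO-555-O199” from slipping past a naive digit pattern.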
Google Voice Scams
In one oddball variant, the vishing scheme’s target is…your phone number. Why? Because it gives the scammers opportunities to target people with seemingly local calls (“You don’t know me, but our kids go to the same school…”), or to use your phone number in targeted phishing or fraud campaigns against your friends, family or coworkers.
First, the scammer finds your phone number somewhere it’s been posted publicly (often a Craigslist ad). Then they call or text, claiming to be from that site or to be a buyer interested in what you’re selling, and tell you they’ve sent a verification code to the phone number you listed. You’re asked to read back that code to “verify” your phone number.
What’s really going on is that the scammer is setting up a Google Voice number and has given Google your phone number as the real number to link it to; the verification code has come from Google, not from Craigslist. When you pass it along, the scammer’s Google Voice number is now tied to your phone. They can choose a number in your area code, so their calls look local, and anything they do with it traces back to you rather than to them. The outcome might be a phishing call to your workplace or a “family emergency” call to an elderly and confused relative, asking for a loan to help you out. Often, unless the scammer does target your family, you’ll never know what has happened.
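To make the mechanics concrete, here is an added example (not from the original article) that simulates the verification-code relay above with a constructed stand-in for the number-linking step; it is not Google’s real API, and the phone number and account names are invented. It shows why the service’s check passes even though the account belongs to the scammer: the code only proves that whoever typed it could read your phone, not that you asked for the link. The victim’s one effective defense is encoded as a single rule: never read out a code for a request you did not start yourself.

```python
import re
import secrets
from dataclasses import dataclass, field

# Added example: simulation of the Google Voice verification-code relay.
# NumberLinkService is a constructed stand-in for a "verify this phone number"
# step, not Google's real API; phone numbers and account names are invented.


@dataclass
class NumberLinkService:
    """Texts a one-time code to a phone and links that phone to whichever
    account presents the code. This is how such a check is meant to work."""
    inboxes: dict[str, list[str]] = field(default_factory=dict)        # phone -> SMS received
    pending: dict[str, tuple[str, str]] = field(default_factory=dict)  # phone -> (account, code)
    linked: dict[str, str] = field(default_factory=dict)               # phone -> linked account

    def request_link(self, account: str, phone: str) -> None:
        """An account asks to link `phone`; the service texts the real phone a code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (account, code)
        self.inboxes.setdefault(phone, []).append(
            f"Your verification code is {code}. Do not share it with anyone."
        )

    def confirm_link(self, account: str, phone: str, code: str) -> bool:
        """Succeeds only if this account requested this phone and presents the code that was texted."""
        if self.pending.get(phone) != (account, code):
            return False
        self.linked[phone] = account
        del self.pending[phone]
        return True


def read_latest_code(service: NumberLinkService, phone: str) -> str:
    """What the victim does when the caller says 'just read me the code I sent you'."""
    match = re.search(r"\b\d{6}\b", service.inboxes[phone][-1])
    if match is None:
        raise ValueError("no code in the latest text")
    return match.group(0)


def relay_attack(service: NumberLinkService, victim_phone: str, scammer_account: str,
                 victim_reads_code_aloud: bool) -> bool:
    """The scam as a sequence of messages between scammer, service and victim.
    Returns True if the victim's phone ends up linked to the scammer's account."""
    # 1. Scammer, posing as a buyer, starts linking the victim's number to *their* account.
    service.request_link(scammer_account, victim_phone)
    # 2. The service texts the victim's real phone. From its point of view nothing is wrong.
    # 3. Scammer calls: "I sent you a code to make sure you're a real person, can you read it to me?"
    if not victim_reads_code_aloud:
        # The victim's rule: no code for a request they did not start. The pending request just expires.
        return False
    code = read_latest_code(service, victim_phone)
    # 4. Scammer types the relayed code. The check passes: the code really did come from the victim's phone.
    return service.confirm_link(scammer_account, victim_phone, code)


if __name__ == "__main__":
    victim = "+12065550142"  # invented number
    for shares in (True, False):
        svc = NumberLinkService()
        linked = relay_attack(svc, victim, "scammer-gv-account", shares)
        print(f"victim reads code aloud={shares}: linked={linked}, owner={svc.linked.get(victim)}")
```

Nothing in the service’s logic is broken: the code went to the right phone and came back intact. The same relay works against any “we texted you a code” check, which is why the rule in step 3 matters more than the length of the code.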
Vishing Has a Bright, AI Future
One of the silver linings to vishing is that it doesn’t scale well: it still requires a scammer speaking to you one-on-one, which makes it a relatively “artisanal” form of fraud. Unfortunately that’s changing rapidly. Some scammers operate full-scale call centers, just as legitimate companies do, with a roster of operators to make or receive calls, but a bigger danger comes from technology.
Digital assistants (Siri, Alexa) and those software “voice agents” you hear when you call some companies are getting better all the time, and new, AI-driven technologies like Google Duplex can imitate a human pretty well. Some scammers have begun using this kind of technology in their vishing calls, with an interactive bot delivering the main pitch and then referring you to a human “supervisor” if you ask a question that takes them off-script.
AI-driven software can now even take a small sample of your voice (say, the message from your voicemail) and imitate it, in a sort of audible “deep fake.” Once that technology inevitably migrates to the criminal underworld, the potential for misuse is huge. If scammers successfully add your number to their Google Voice account, and match that with your voice and stolen personal information, they can impersonate you to friends, family or anyone you do business with. More to the point, they can do it en masse to thousands of people at once…a thought that should send chills down your spine.
Recognizing Vishing Calls
A well-planned vishing call is a pretty persuasive thing. The person at the other end of the line will typically be polite and courteous, and sound very professional. They’ll also usually have some legitimate personal information about you, whether they’ve gathered it themselves or bought it on the open market, which makes the call sound even more persuasive.
The biggest giveaway is that you’ll almost always face pressure to act now, driven by fear or greed (which, in its way, is just fear of missing out). That pressure stops you from asking the obvious questions, like “why is this person asking for my PIN?” or “why is Craigslist suddenly verifying phone numbers?” Your bank, and government agencies like the SSA or Medicare, just don’t work that way: they will not call you and ask for a full password, a PIN or a one-time code.
Protecting Yourself from Vishing Calls
Your best protection against vishing calls is simply a healthy level of skepticism. If you receive a plausible-sounding call, don’t engage with the caller, don’t read back any codes, and don’t call back a number the caller gives you. Just hang up and call the company or government office directly using the number printed on your card or statement or listed on its official website. In the unlikely event that the call was legitimate, you’ll be connected to the correct department quickly enough.
You can also take more active steps, such as searching your own phone number with Spokeo’s people search tools. If your number is attached to someone else’s Google Voice account, that’s one way to find out. Searching yourself with Spokeo is also a good way to learn what portion of your personal information is publicly available and therefore potentially in the hands of scammers.
Finally, the dark web monitoring that comes with Spokeo’s identity protection service can tell you when your personal information is bought and sold on the web’s seamy underbelly.
Be Proactively Privacy-Minded
Since vishing typically relies on having some of your personal information, simply restricting the information you put out there is the most proactive measure you can take. The sum total of your online activity is your “digital footprint,” and keeping it to a minimum is very much in your interest. Shut down old accounts, bump up the privacy settings on your social media accounts, and — in general — don’t share your personal information in public spaces.
Taking those basic precautions can go a long way toward making your online life safer, and in turn insulating you from vishing and other forms of criminal chicanery.
- Krebs on Security: Voice Phishing Scams are Getting More Clever
- CSO Online: Supply Chain Attacks Show Why You Should be Wary of Third-Party Providers
- ArmorBlox: Hello, Is it Me You’re Phishing For: Amazon Vishing Attacks
- Auslogics: How to Stay Safe From the Google Voice Scam?
- Google Voice: Select a Google Voice Number
- Geekwire: Grappling with Google Duplex: What Happens When our AI Assistants Suddenly Seem More Human