The written word carries a certain weight. A paper letter is quite official-looking, especially now that they’re relatively rare, and even an email can feel pretty formal. That’s why scammers often use emails to carry out phishing attacks: The gravitas of the written word can help create an air of legitimacy and mask any errors in the email’s actual language.
Phone calls typically feel more casual, but scammers can still use them for phishing attacks. The informal feeling of a phone call can help skilled con artists sidestep your mental defenses and result in a successful attack. This approach is called “vishing,” and it’s a danger you need to be aware of.
What Is “Vishing”?
The term vishing is a mashup of voice and phishing, which summarizes the concept pretty neatly. Like any other phishing attack, it’s an attempt at bamboozling you, and creating a vulnerability that can be exploited for gain.
All vishing calls are phone scams, but not all phone scams are vishing. The line between them is a fine one, but it’s distinct. A straight-up scam attempts to trick you into coughing up some cash, through intimidation (“I’m from the IRS, and you owe us money!”) or an appeal to greed (“You’ve won our sweepstakes! There’s just this processing fee…”).
Vishing plays a longer game. The con artists may attempt to coax crucial personal information from you, such as your SSN, account passwords, and PINs, or they may helpfully walk you through the process of downloading and installing malware on your computer.
The real damage happens after they’re successful. They can use the information you’ve given them to loot your accounts, steal your identity, and target your friends, family, and colleagues with impersonation scams.
The Most Common Types of Vishing Calls
Vishing attacks can take a number of different forms. These include…
The “Potential Fraud” Call
You receive a call that appears to come from a number legitimately belonging to your bank or credit card company (faking a legitimate number is called “spoofing,” and it’s pretty easy). A pleasant, professional-sounding person tells you there have been suspicious purchases on your account, and — if you take the bait — will talk you through verifying your identity and taking the information necessary to send out a new card. This is bogus, of course, and the information you give will give them access to your accounts and much of what they need to steal your identity.
Customer Service Calls
The attack might take the form of an email purporting to come from Amazon or a streaming service you use or the publishers of one of the apps on your phone. The pitch is that “there’s a problem with your order/account/app, so please call us toll-free to sort it out.” When you do, you’ll be deftly prompted to give up your account information or — in some cases — install malware or ransomware on your devices.
Robocalls can be used in the same way to initiate contact: A recorded message asks you to call a given number to sort out the problem with your account, and if you do, you’ll be speaking with the scammer.
IRS and SSA Calls
These can be either vishing or straight-up fraud, depending on their approach. In the case of vishing calls, they’ll tell you there’s an issue with your account that needs to be resolved (or potentially that they’ve corrected an error that means a balance in your favor) and that they need to verify your details.
The Call from Work
This one took on a whole new life during the pandemic as working from home became common. The caller claims to be a coworker, and either has misplaced his login information or plays the harried IT guy trying to sort out a snafu with everyone’s credentials. If you give him yours, you’ve potentially made your whole company (and its clients!) vulnerable.
The Phishing/Vishing Combo
Some clever attacks combine phishing and vishing for maximum effect. A conventional phishing attack might include a link to a dubious site or an attachment with a malware “payload” that installs if you download it. Email providers have algorithms to detect and block those, but a phone number flies beneath their radar.
How to Protect Yourself from Vishing Attacks
A well-planned vishing call is a pretty persuasive thing:
- The person at the other end of the line will typically be polite and courteous, and sound very professional.
- The biggest giveaway is that you’ll always face pressure to act now, from fear or greed (which, in its way, is just fear of missing out). That pressure prevents you from asking yourself obvious questions, like “why is this person asking for my PIN,” or “why is Craigslist suddenly verifying phone numbers?” Your bank and government agencies like the SSA, IRS, or Medicare — to pick three major examples — just don’t work that way.
Your best protection against vishing calls is simply a healthy level of skepticism. If you receive a plausible-sounding call, don’t engage with the caller. Just hang up and call back the corresponding company or government office directly from their listed number. In the unlikely event that the call was legitimate, you’ll be connected to the correct department quickly enough.
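As an added illustration (not part of this article or any Spokeo product), here is a small Python scorer that checks call or voicemail transcripts for the red flags described above: requests for a PIN, password, SSN or verification code; pressure to act now; "call this number" pitches; claims to be a bank, the IRS or IT; and instructions to install something. The indicator list, weights, thresholds and sample transcripts are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Weighted indicators mirroring the red flags described above: requests for secrets,
# pressure to act now, "call this number" pitches, authority claims and install
# instructions. Weights and thresholds are assumptions chosen for illustration.
INDICATORS = [
    ("credential_request", 4, r"\b(pin|password|passcode|ssn|social security number|verification code|security code|one[- ]time code)\b"),
    ("urgency", 2, r"\b(right now|immediately|within (?:the next )?\d+ (?:minutes|hours)|locked|suspended|before it'?s too late)\b"),
    ("callback_pitch", 2, r"\b(call (?:us )?back|call (?:this|the following) number|toll[- ]free)\b"),
    ("authority_claim", 1, r"\b(irs|social security administration|medicare|fraud department|your bank|it department)\b"),
    ("install_request", 3, r"\b(install|download|remote access)\b"),
]
COMPILED = [(name, weight, re.compile(pat, re.I)) for name, weight, pat in INDICATORS]

@dataclass
class Assessment:
    score: int = 0
    verdict: str = "no vishing indicators"
    reasons: list = field(default_factory=list)

def assess_transcript(text: str) -> Assessment:
    """Score one call or voicemail transcript and record which indicators fired."""
    result, hits = Assessment(), set()
    for name, weight, pattern in COMPILED:
        match = pattern.search(text)
        if match:
            hits.add(name)
            result.score += weight
            result.reasons.append(f"{name}: '{match.group(0)}'")
    # Asking for a secret under time pressure is the classic vishing shape.
    if {"credential_request", "urgency"} <= hits:
        result.score += 3
        result.reasons.append("combo: credential request under time pressure")
    if result.score >= 6:
        result.verdict = "likely vishing"
    elif result.score >= 3:
        result.verdict = "suspicious: hang up and call the listed number"
    return result

# Constructed sample transcripts (not real calls).
SAMPLE_CALLS = {
    "fraud_alert": "This is the fraud department at your bank. We saw suspicious purchases. To verify your identity, read me the PIN on your card right now, before the account is locked.",
    "listing_code": "Hi, I'm calling about your listing. To prove you're real I sent a verification code to this number. Can you read it back to me?",
    "benign": "This is the dentist's office confirming your appointment Tuesday at 3. Call us to reschedule.",
}

def scan_calls(calls: dict) -> dict:
    """Return {call_id: verdict} for a batch of transcripts."""
    return {cid: assess_transcript(text).verdict for cid, text in calls.items()}
```

The "listing_code" sample scores as suspicious on the verification-code request alone, which is the shape of the Google Voice scam discussed later in the article.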
You can also take more active steps to protect yourself, such as:
- Searching your own phone number with Spokeo’s Reverse Phone Lookup. If a name other than yours is associated with your number, it may be cause for concern (we’ll circle back to that in a minute).
- Signing up for Spokeo’s identity protection service, Spokeo Protect, which includes “dark web” monitoring that will alert you when your personal information is bought and sold on the web’s seamy underbelly.
The Google Voice Scam Is an Unusual Vishing Attack
In one oddball variant that’s worth mentioning, the vishing scheme’s target is…your phone number.
Why? Because it gives the scammers opportunities to target people with seemingly local calls (“You don’t know me, but our kids go to the same school…”), or to use your phone number in targeted phishing or fraud campaigns against your friends, family or coworkers.
First, the scammer finds your phone number somewhere it’s been posted publicly (often a Craigslist ad). Then they call, claiming to be from that site, and telling you they’ve sent a verification code to the phone number you listed. You’re asked to enter that code to verify your phone number. What’s really going on is that the scammers have created a Google Voice account using your number, and the verification code has come from Google. When you pass it along to the scammer, they’re now able to make calls from Google Voice that will show your number. The outcome might be a phishing call to your workplace or a “family emergency” call to an elderly and confused relative, asking for a loan to help you out. Often, unless the scammer does target your family, you’ll never know what has happened.
AI-Powered Vishing Is an Emerging Threat
One of the silver linings to vishing is that it requires a scammer speaking to you one-on-one and therefore is a relatively “artisanal” form of fraud. Unfortunately, that’s changing rapidly. Some scammers operate full-scale call centers, just as legitimate companies do, and have a number of operators to make or receive calls, but a bigger danger comes from technology.
Digital assistants (Siri, Alexa) and those software “voice agents” you hear when you call some companies are getting better all the time, and new, AI-driven technologies like Google Duplex can imitate a human pretty well. Some scammers have begun using this kind of technology in their vishing calls, with an interactive bot delivering the main pitch and then referring you to a human “supervisor” if you ask a question that takes them off-script.
AI-driven software can now even take a small sample of your voice (say, the message from your voicemail) and imitate it, in a sort of audible “deep fake.” As that technology inevitably migrates further into the criminal underworld, the potential for misuse is huge. If scammers successfully add your number to their Google Voice account, and match that with your voice, they can impersonate you to friends, family, or anyone you do business with. More to the point, they can do it en masse to thousands of people at once…a thought that should send chills down your spine.
Be Privacy-Minded, to Nip Fraud in the Bud
Since vishing typically relies on having some of your personal information, simply restricting the information you put out there is the most proactive measure you can take. The sum total of your online activity is your “digital footprint,” and keeping it to a minimum is very much in your interest. Shut down old accounts, bump up the privacy settings on your social media accounts, and — in general — don’t share your personal information in public spaces.
Taking those basic precautions can go a long way toward making your online life safer, and in turn, insulating you from vishing and other forms of criminality. Remember, criminals are always looking for the easy target (if they wanted to work hard, they’d have real jobs). If you’re not one of those easy targets, they’ll usually overlook you.
Sources
- Krebs on Security: Voice Phishing Scams are Getting More Clever
- CSO Online: Supply Chain Attacks Show Why You Should be Wary of Third-Party Providers
- ArmorBlox: Hello, Is it Me You’re Phishing For: Amazon Vishing Attacks
- Auslogics: How to Stay Safe From the Google Voice Scam?
- Geekwire: Grappling with Google Duplex: What Happens When our AI Assistants Suddenly Seem More Human
- Forbes: Fraudsters Cloned Company Director’s Voice in $35 Million Heist, Police Find
- Ars Technica: Thousands Scammed by AI Voices Mimicking Loved Ones in Emergencies