As the holidays approach, a new type of malicious email is landing in inboxes. These fresh attacks—“vishing,” short for “voice phishing”—direct recipients to call a certain number and claim a refund or reimbursement. The supposed call center, though, will be staffed by hackers whose goal is to pilfer bank account or credit card details.
It might seem difficult for cybercriminals to pull off such a brazen stunt, but even if just one of these scams is successful out of 100, the financial payout makes it worth the effort attackers put into it. Vishing increases as online shopping increases, too, with common strategies that include fake Amazon refund requests and so-called banking alerts notifying users of high-priced purchases.
Scammers who get an unsuspecting consumer on the phone use a standard script. Often, they’ll ask for basic information such as addresses or birthdates before moving on to more advanced details such as Social Security numbers, financial data, or application logins. In addition to holiday-specific purchase requests, other common vishing tricks include tax-related disputes and utility service connections.
The goal is to confuse anybody hackers can get on the phone by deploying social engineering tactics. These use gentle deception to coerce individuals into sharing confidential information for fraudulent purposes. Sometimes scammers will even try to capture a short recording of your voice saying “Yes” or “I agree,” which can then be used to compromise important accounts.
Any unsolicited email should raise a red flag. But there are signs you can look for to spot vishing, phishing, and spearphishing messages. Any message that makes you think, “Oh no! Do I really owe that?” should be approached with caution. Look for any typos, inaccuracies, or awkward phrases in the subject line and body copy, along with unusual sender names or addresses. Messages from large organizations should come from straightforward senders like email@example.com, not nonsensical long strings of characters or unfamiliar dot-com domains.
Security awareness training can empower staff members at your company to better scrutinize suspicious emails and websites. This can reconfigure lazy or nonchalant online behavior into a far more vigilant approach—in many cases preventing vishing attacks before they occur.
This level of caution is necessary to fend off increasingly sophisticated attacks. Many of these even go beyond simple financial transactions. Recent examples include scammers reviewing a real person’s LinkedIn history to pose as a CEO extending a job offer. Or a fake account rep gaining your confidence by reciting basic information easily gleaned from social media. Or an apparent government employee calling to clear up charges related to a past infraction.
Schemes like this are even harder to combat when scammers use so many different identity-hiding tricks. Some route their phone lines through different carriers and networks, making it difficult to determine exactly where they originate. Some deploy “neighborhood spoofing,” placing robocalls using local numbers to try and trick recipients into picking up. Hackers can even spoof an existing number, tricking consumers into thinking a trusted business is calling them.
A single piece of personally identifiable information can open up a multitude of options for cybercriminals to unlock bank accounts, break into email inboxes, compromise healthcare records, or even apply for credit cards in your name. So how can you protect your business and your data to prevent a bad case of vishing? CMIT Solutions has gathered the following tips and tricks:
1) Use caution before calling an unfamiliar number. The best way to avoid vishers is to not call them in the first place — don’t answer calls from unfamiliar numbers, either, especially if they come into your cell phone. If an email prompts you to call a certain number, search for it in your web browser first to make sure it’s a legitimate contact.
2) Avoid starting a conversation with a caller. If you do find yourself on the line with a suspected visher, be wary of questions like “Can you hear me?” or “Would you like to opt-out of calls like these?” If you respond with a “Yes” or “I agree,” that voice signature can be used at a later date to authorize fraudulent charges or gain access to your accounts. Any response also lets hackers know your number is operational. Nine times out of ten, the smartest move is to hang up if you realize the call is fraudulent.
3) Report scam numbers to the National Do Not Call Registry. Once your number has been listed on the Registry for a month, you can report any unwanted calls to the Federal Trade Commission. Consider this just one layer of a comprehensive defense against vishers — not a method for stopping 100% of such calls.
4) Don’t open unknown attachments, and hover over any links in an email before clicking. Although vishing requires a voice call, hackers continue to pair those attacks with more common tactics like illicit attachments or malicious links. Don’t open any file unless it’s one you’re expecting from a specific, trusted co-worker. In addition, place your mouse over any link in an unfamiliar email to make sure it’s legitimate. If the words say https://www1.cmitsolutions.com/e/660363/2021-11-15/8bqwcs/1071752571?h=QR1ITo48xSTiahiNjJy8eULhKBGzAaBwIFO_DW_BsxM, the preview link should also be https://www1.cmitsolutions.com/e/660363/2021-11-15/8bqwcv/1071752571?h=QR1ITo48xSTiahiNjJy8eULhKBGzAaBwIFO_DW_BsxM. Beware of long strings of nonsensical characters or any major differences between the link in the email copy and the preview link that shows up when you hover over it.
5) Work with an IT provider to add extra layers of protection. Proactive security tools go beyond the steps above to strengthen your passwords, defend your identity, and enhance overall cybersecurity. Collaborating with a trusted IT provider can help you find the right fit and the right solution to your company’s particular set of challenges.
In today’s digital world, new tactics like vishing will continue to appear and evolve. Although this may give a new name to an old form of criminal fraud, it’s worth noting the uptick in attempts to compromise private information. If you need help securing your data and protecting your business, contact CMIT Solutions today. We keep our clients safe by remaining on the cutting edge of IT security—for desktops, laptops, servers, email inboxes, and phone lines alike.