There is no shortage of phishing scams being perpetrated every day, but one type that has continually flown below the radar is the vishing scam, also known as the voicemail scam. Just as with phishing emails, a vishing scammer tries to persuade you to divulge sensitive information for their ultimate benefit.
Vishing involves cybercriminals calling potential victims, sometimes even leaving voicemails, and pretending to be a reputable organization in a fraudulent attempt to steal credit card information, financial details or any other confidential information. Cybercriminals use social engineering to get people to share personal details, such as social security numbers or passwords. By using voice over internet protocol (VoIP) technology, hackers can call hundreds of people at a time and make the caller ID appear to come from a trusted source, such as your bank. But the hackers also realize that most people will not answer their phones if an unknown number pops up on their caller ID, and many mobile users will automatically program those numbers to go straight to voicemail. Therefore, they also utilize the voicemail system to perpetrate their crimes. Once an automated voicemail is left by the cybercriminal, it provides the phone user with choices when they play back the message, for instance pressing 1 or staying on the line. By choosing one of the options, the victim is essentially being prescreened by the cybercriminal. This method saves the hacker a lot of time by narrowing down who is more likely to take the bait. Vishing does not only affect average citizens; in fact, many well-known organizations have also fallen victim to these scams.
The FBI uncovered a massive coordinated vishing campaign aimed at gaining access to company databases by way of employee VPN credentials. Once inside the system, the cybercriminals stole customer information to be used as leverage in future attacks. The FBI put out a warning urging everyone to be vigilant and provided suggestions to help mitigate the threat.
Here are some things to look out for:
- Claiming to be from a government entity – If a caller claims to be from a government entity, like social security, the IRS or Medicare, be very skeptical, especially if they are trying to sell you something.
- Abnormal sense of urgency – Scammers will try to tap into your sense of fear, using threats of arrest warrants and problems with your account. If you get one of these phone calls, don’t give out your information. Hang up, perform your due diligence, and do your own investigation.
- Request for personal information – If you get a call asking you to confirm your name, address, birth date, social security number, etc., it is most likely a scammer trying to trick you into divulging sensitive information.
How to protect yourself:
- Hang up immediately if you suspect it is a vishing phone call and block the number. Don’t feel obligated to listen or have polite conversation with an unknown caller.
- Do not pick up the phone if it is an unknown number; simply let the call go to voicemail. Caller IDs can be faked, so do not always rely on that. Listen to your messages and then decide whether to call back.
- Do not press buttons or respond to prompts on a live call or a voicemail message. If you get an automated message that asks you to press buttons or respond to questions, don’t do it. Scammers can record your voice and use it when navigating voice-automated phone menus linked to your accounts.
- Verify the caller’s identity. Just because a person provides a callback number does not mean it’s legitimate; it may be part of the scam. Do not use the callback number provided by the caller. Instead, search for the company’s official public phone number and call them back using that number.