- slide 1 of 2
What Is Vishing?
When someone emails you, cleverly pretending to be your bank or employer requests a response with your personal or sensitive information, this is called phishing. When the same process is done over a telephone system or Voice over IP (VoIP), it is called Vishing. I briefly touched on the fact that using Voice over IP would be cybercrime of the future, and with the rise in consumers using VoIP and the ease of access of VoIP, it's becoming less and less a cybercrime of the future and more of a cybercrime of the present.
In phishing, the scammers might want you to simply reply to their email with your details or they would send you a link to a fake website where you are requested to type your details in a web-form. In the case of vishing, what scammers commonly do is call random people (most commonly through VoIP) and leave an automated message saying that your credit card or band account has been compromised, used up, or closed. Those who are left a message are also given instructions to call a number to get more information about this. When people call the number, they hear an automated message asking them to dial in their credit card detail, even their PIN, expiry date and DoB. After this is done, the person is either put on hold or a "representative" speaks to him while the scammers makes good use of this time to misuse the credit card. Other information they can try to steal from you is more personal information such as your social security number. In the interest of safety, they may ask that you enter your social security number for verification purposes, which they can use for identity theft.
In another version of vishing, the scammers call people and speak to them live. Often, the scammers already have some personal information on you i.e. your credit card number or bank account number. They will inform you that your credit card has been misused so it must be blocked or cancelled. They will say your credit card information they have and will tell you that before they can block the card, they need to confirm that you are the genuine owner of the card and therefore ask you to give the remaining information they need.
Criminals often give out their phone numbers and it might seem easy to track them. The to-be vishing victim will also be able to see the caller's ID but criminals are very clever. They can disguise the number they are calling from, foiling caller ID and in some cases the VoIP number belongs to a legitimate subscriber whose service had been hacked. So the 1-800 number you get the call from is a legitimate number, but the source has been compromised by hackers and most likely sold to the vishers.
Vishing scam can seem very real because they often come with warnings about not disclosing your personal information to your friend, colleagues, etc. This may make you feel that the call or voicemail was legit and the company is interested in protecting your assets. Vishers are usually fairly trained in the art of social engineering, mainly pretexting. They're able to fool you into thinking you're safe and that the call is legitimate.
- slide 2 of 2
What You Can Do To Be Safe
Vishing is hard for legal authorities to monitor, therefore the first thing consumers are advised is to be highly suspicious when receiving messages requesting to call on a number and provide credit card or bank account information. Always be suspicious if verification is based on an entire number. Companies that must comply to the Payment Card Industry Data Security Standards (PCI-DSS) must encrypt, tokenize or truncate a credit card number. The verification will usually be based upon the last 4 digits. The same would go with social security numbers, the question around verification would be based on the last 4, due to state privacy regulations, never the entire number. The consumers should also remember they should greet a phone call seeking personal information with a hefty dose of incertitude. But if the call seem legit, always hang up can call back the customer service number provided by your bank.
You should inform the bank or company that you have been vished and report the scam attempt in the US to Internet Crime Complaint Centre. Those who reside in Canada can report vishing or phishing attempts online at Reporting Economic Crime Online (a government organization) or call 1-888-495-8501. If you are from U.K, you can report the scam attempt directly the bank indicated in the scam.
Please also visit What to do if you suspect your personal information has been phished. Though, it is about phishing, you will still find in it plenty guidance about what you can do if your personal information is vished.