Protecting your organisation against vishing phone scams  

The phone rings. The caller sounds convincing, but you weren’t expecting this call… 

Vishing – voice phishing scams 

Vishing is a voice-based phishing attack that takes place over the phone.  

Typically, the fraudster impersonates a trusted third party in order to obtain sensitive information or convince the target to transfer money. 

The victim is led to believe that they are speaking to a legitimate organisation or contact (e.g. the bank, HMRC, a supplier, their employer, tech support). They are then persuaded to divulge sensitive information or transfer funds, usually as a matter of urgency. The scammer makes them act immediately, without time to stop and think, so they don’t realise that the situation is suspicious until afterwards. 

Gaining your trust 

Vishing scammers have a growing list of ways to gain your trust and make their calls seem genuine, using a combination of technology and social engineering to make their attacks more effective. 

They can spoof their caller ID, meaning that the recipient of the call sees a familiar name or number. 

They might seem to have access to information that only a trusted contact would know, but these details may have been collected from publicly available sources (e.g. the internet / social media) or from a previous hack (of your business or of a related business).  

In some cases, the scammer will develop the relationship over a series of calls (sometimes also using email), warming up the target and creating a sense of trust and familiarity. 

Some vishing scams even use voice simulation software to make the caller’s voice emulate a genuine trusted contact (and some high value scams have used deepfake video of people within the target business, e.g. company directors).  

Scammers create a sense of urgency  

Scammers don’t want to give you time to realise what’s going on, so they often create a sense of urgency to force their target to act straight away.  

They might pretend to be calling from the bank and state that unauthorised payments are being made from your account, or say they are from HMRC and that you are going to be arrested for unpaid taxes. 

Alternatively, they could dangle an amazing time-limited opportunity that you don’t want to miss out on.  

Scammers pretending to be from “Microsoft Security Centre” or “BT Security” may claim that your computer or internet line is being hacked and that you need to take immediate action to limit a breach. 

Whatever approach they take, the aim is to put pressure on the victim, pushing them to say or do something before they have the opportunity to think it through or discuss the situation with someone else. That is why one of the best ways to protect yourself from this type of scam is simply to stop and think about what is going on. 

Fraudsters want your information 

Often the scammer calls to steal valuable information (e.g. banking credentials) and they have a range of tactics to persuade you to share confidential details with them. 

They may make themselves seem genuine by giving you some correct information about you or your business before asking you to confirm or divulge other information. 

We have become accustomed to banks taking us through security checks over the phone, but it’s important to pause and evaluate the situation – did you initiate the call by dialling a trusted phone number? If you answered an incoming call, are you sure that the caller is legitimate? Or are they harvesting security information? If the caller says they are from the bank, you can always hang up and then call the bank yourself using the official number, asking to be put through to the relevant department.   

Protect your business from vishing scams 

Protection comes from empowering the individual – the most effective defence against this kind of attack is well-trained personnel. 

The first step is to educate your staff on the threat of vishing scams and the methods used by fraudsters to convince and persuade. Then train your employees on the best ways to avoid falling victim, and what to do if they suspect a scam.  

Call screening tools can help before the phone is even answered, by filtering out some suspicious or unsolicited calls. 

Caller ID can help to some extent, and doing a Google search on the caller’s number can sometimes show if it is associated with scam or unwanted calls. However, fraudsters are able to spoof their caller ID and copy genuine numbers, so even an apparently legitimate number could still be part of a scam. 

Some calls may have telltale signs, e.g. automated or recorded messages, a long pause before anyone speaks, poor call quality, incongruous background noise. Nowadays, vishing is becoming more sophisticated, and many scam calls are harder to spot as they sound very convincing. 

It is important to train your employees to verify the identity of callers, particularly when a call is unexpected. If anything seems questionable, they should hang up and call back using a trusted number. 

Staff should always exercise caution when sharing information over the phone. Confidential or sensitive information should not be shared without first carrying out appropriate verification. 

Everyone in the organisation should be trained not to let a caller pressure or rush them into taking action or disclosing information. A genuine caller will not use urgency or pressure, and there is nothing to be lost by taking time to stop and think about what is going on.  

Stepping back and thinking objectively about the situation allows the call recipient to consider whether the call may be a scam, rather than getting swept up in the caller’s agenda. 

As soon as your employees suspect a scam, they should end the call and hang up. You don’t want to give scammers the chance to clone voices (for use in further scams or to breach voice security) or the opportunity to learn more about your business and its procedures.  

If in doubt, any suspicious calls should be reported to a manager and the relevant authorities (e.g. Action Fraud / your bank). Even if no information has been divulged, employees should report all scam calls to their supervisor so that others can be made aware of the threat. 

Reducing the risk 

The increase in number and effectiveness of vishing attacks means it is more important than ever to have good security practices. 

If a scammer does manage to get hold of sensitive information, having strong passwords and using two-factor authentication for your business’s accounts (e.g. banking) can help reduce the risk of financial loss.  

Securely storing sensitive data (e.g. using encryption and access control, and having an effective firewall) can limit a scammer’s ability to do further damage. 

Don’t get scammed 

As always, the best protection is not to get scammed.  

Ensure that your employees are aware of the threat 

Use the tools at your disposal (e.g. call screening) 

Be cautious on the phone 

Verify callers 

Don’t give in to pressure 

Stop and think 

Hang up and report 

If you would like to improve your organisation’s training and defence against vishing scams, contact us.

HBTel