What is Vishing?

It's a special, nasty kind of phishing that is getting increasingly popular...


You may have got a message on LinkedIn from a recruiter supposedly working at a major company that is hiring people like you. We’re talking about major brands such as Dell, Apple, Amazon, Microsoft, JP Morgan and so on. Are they really looking to hire you or…

Sure, LinkedIn is used for hiring and I know of more than a few people who have found a job on the popular social networking website. But that fact has also brought many scammers on board.

Different kinds of phishing

As you probably already know, phishing (pronounced “fishing”) involves sending a deceptive message (or more of them) with an intention to persuade potential victims to hand over their personal information.

A more targeted attack is called spear phishing and it tends to go for specific individuals or groups of people. To make these attacks successful, hackers spend time studying individuals, gathering data on them in order to send specific messages that are more likely to be opened.

Then there is “smishing,” which involves “mobile scams,” with the attacker sending the victim a series of SMS messages to get his/her personal information.

Finally, and this is what this article is all about, we have “vishing” – which goes beyond emails, SMS and instant messages to also include phone calls.

Typically, vishing includes fake phone calls from a trusted institution such as a bank. During that call, the attacker will ask you to confirm private details such as your account number and card information. The irony is that these calls tend to include a warning that your account has been compromised and that’s why you have to confirm your information. In reality though, all the victim is doing is handing over those details to the nasty criminal.

What makes vishing so dangerous?

You can easily ignore texts and emails, but with phone calls – it is different. If you do respond to the call and hear a nice voice on the other end of the line, you may be convinced that something has really happened.

Nevertheless, you should know that your bank would never, ever ask for your personal information, let alone financial details, over the phone. If there is some problem, they may call to inform you about it, but will tell you to visit a local branch or log in to the online banking account to make changes. There is a reason why you get to either choose your password or they give it to you in an envelope even their employees can’t see. The security of those details is paramount for every bank, and (again) they would never ask for that information in a phone call.

Which leads us to the next section…

How do scammers get your/our details?

Social media may have its benefits as it allows you to re-connect with people you haven’t been in touch with for a while, but this same capability lets savvy scammers get ahold of our personal information. So they’re befriending anyone and everyone in order to get their details.

Another way to get some information on users is to outright buy such lists. And we’re sad to say there are many sites out there offering these sorts of documents. Heck, some sites even let you filter their offerings by country, region and other criteria — which in the end provides scammers with a more potent list of targets.

These hackers use different techniques to get that information before making it available to third parties (for a fee). One way is to scrape social media websites and the other is to hack outright the websites of companies that are known to hold users’ personal information. Beyond social media websites, these would also include banks, insurance companies, and so on.

It is known that more than 100 million sets of account details were stolen in 2012, then 500 million in May 2016, and 700 million a mere two months later. The stolen data includes names, gender, email addresses, phone numbers, and so on.

Equipped with this sort of information, scammers can make all kinds of phishing attacks, vishing included.

How to spot a vishing scam?

As we are always saying, your best defense against all kinds of phishing attacks is your brain. You will have to ask yourself whether some offer is too good to be true, and if you are even slightly suspicious, you should use the good ol’ phone to check with the institution/company that is apparently looking for your services. Do not call the number that called you, but a different one: the one listed on the company’s official website.

Tell them that someone from their company has contacted you with an offer and see whether they know anything about it. Chances are, you won’t be the only one making such a call and they’ll know what’s going on, i.e. whether the offer is real or a scam.

Nevertheless, you should by no means provide any logins, passwords, financial details and other such information in a phone call. No reputable business would ask you for that.

And that’s the point that is worth repeating. Yes, you may think that you’re getting a great offer, but as it usually goes, if it seems too good to be true, chances are that is indeed the case. So go easy with your expectations and assume there are many scammers out there. That, unfortunately, is the world we live in.