Nearly 1 in 3 people who lost approx. $1000 in vishing scams thought they were talking to a business representative of a legit company. Let’s explore what voice phishing is, with some relevant examples.
Vishing means voice + phishing. Voice phishing is a type of mobile phishing scam in which an attacker directly calls a targeted victim, posing as someone else to dupe them. Attackers pretend to be a representative of an organization that the victim trusts, such as:
- Insurance company
- Ecommerce site
- Government agency
- Vendor/supplier, etc.
Scammers trick victims into sharing their personal and confidential information, payment card numbers, bank information, one-time password (OTP), social security number, income information, etc. Attackers use this information for identity theft-related cybercrimes or sell it on the dark market to other hackers. They might also convince people to make a financial transaction or download malware. A vishing scam can be part of a bigger phishing scheme, too. For example, defrauders call their targets and ask them to open a link they have sent to their email. This link redirects victims to a phishing site that looks like a replica of a well-known site, or downloads malware onto victims’ devices.
There are two main types of vishing calls
2) Targeted Calls: Here, the hackers spend time gathering a few key details about you, such as information about your employer, colleagues, vendors, suppliers, etc., or the enterprises you deal with, like ecommerce sites, banks, insurance companies, utility providers, etc. These types of calls are well-planned and customized. When the attacker calls, they cite some of the information they have researched about you to sound genuine, for example, your electricity bill number or the last four digits of your credit card number. Once you trust them, they try to extract more sensitive information from you or make a financial transaction on your behalf.
Now, let’s check out the below voice phishing examples to understand what types of tricks con artists use to defraud people via vishing attacks.
Voice Phishing Examples
1. Know your client (KYC) Vishing Scams
Know your client, or know your customer (KYC), is a mandatory procedure for any financial institution to perform before doing business with a person or business entity. KYC generally includes verifying government-issued documents, checking credit scores, verifying income, etc. Plus, KYC must be updated from time to time.
Scammers call victims posing as financial institution representatives and ask them to update their KYC information. They ask victims for various financial and personal information in the name of a KYC update and misuse that information to carry out further scams.
There is a new KYC fraud trend in India where attackers will call the victim and tell them that their online payment account in the Paytm app will be blocked if they don’t download apps like AnyDesk or TeamViewer to verify the KYC status. Once the victim does that and provides scammers the 10-digit connection code, scammers can access the victim’s screen and monitor all their activities, passwords, OTP, etc. Check out more details here: Paytm KYC scams
2. Account Deactivation Scam
Scammers call you posing as representatives of well-known companies like Microsoft, Google, hosting account providers, cable operators, internet service providers, etc. They tell you that they have deactivated your account after noticing some suspicious activities related to your account. In order to reactivate the account, you need to verify your identity. They might ask you to provide the last four digits of your social security number, bank account number, credit card number, date of birth, etc.
Often scammers send a link to your phone or email address and ask you to log in with your credentials to check whether the issue has been solved. But these websites are fake and made to steal your credentials.
3. Recruitment Voice Phishing
It is a very common practice for recruiters to call job seekers directly. But attackers deploy vishing attacks by posing as fake recruiters. Once the victim shows any interest in the fake job they are proposing, scammers dupe them in one of the following ways…
- Sending a malicious link as a “job description” to the victim’s email address. But these links redirect victims to a malicious site.
- Asking victims to take an employment-related test. To do so, they need to download special supporting software, which scammers send to the victim’s mobile device or email. But the scam is that this software is a trojan horse.
- Asking job seekers for money to process the application or pre-employment verification procedures.
- Tricking job seekers into sharing their confidential documents as a part of their background verification process.
4. Internal Revenue Department Fake Threats
In these types of vishing attacks, the scammers call you saying that there is an error in your tax filing and that you are supposed to pay a higher tax amount. They claim you have incurred a large penalty because of this tax omission. They use a threatening tone, as if you were a criminal, to make you panic. Once you get scared, they tell you that they can waive the penalty if you pay the remaining tax amount immediately. Scammers ask for your payment card number and make the transaction on your behalf, or ask you to transfer money to an account number they provide. But needless to say, it is a scam, and the money goes into the scammer’s account.
For such scams, attackers often target international students and threaten them by saying that any legal battle with the government will cause visa cancellation and deportation. Plus, international students might not be aware of the new country’s taxation rates or filing system, so it is easy to convince them that they have made a mistake in their tax filing. Check out this example: Scam (Fake) IRS/FBI/USCIS Phone Calls.
5. Vishing Posing as Police Department/FBI
Sometimes scammers pose as police officers and tell you that they want to talk to you about a local crime or share important information about someone in your neighborhood. But before that, they want to verify your identity just to make sure they have called the right person. Once you believe them, they will ask for various details like your SSN, date of birth, email address, etc., which they will use for identity theft-related crime.
6. Fake Banking phone phishing
As the name suggests, attackers pose as bank employees for this scam. They use some of these popular scam lines:
- There has been a transaction of $$ (any random dollar amount) from your account. But they found it suspicious, so they are calling you for confirmation.
- They have noticed unauthorized access from a foreign location in your bank account.
- If you pay some dollars immediately, they will be able to reduce the interest rate on your loan by some %.
- Your password is compromised, and you need to change it immediately by visiting the fake site’s link they provided.
Once you believe any of these claims, they will either ask for various confidential information about you, send a link to a fake website, or ask you to transfer money to their bank accounts.
7. Government Benefits Vishing
Attackers call you pretending to be a government agency employee. They tell you that they are sending you checks for government benefits, pension, unemployment benefit, covid stimulus checks, etc., but they need to verify your address, email address, and bank number. They sound very professional and make you feel that it is just their standard verification process before issuing the check.
Final Words on Vishing Scams
According to the 2021 Insider survey, 46% of Americans received a spam call every day! It shows how aggressive con artists can be when it comes to voice phishing attacks. First of all, register your phone number with the “Do Not Call” registry. Make sure you have installed caller ID and Voice Spam Detector (VSD) apps on your phone. Please note that no legit companies or government agencies call you directly to threaten you about account closure or tax penalties, offer free gifts, or ask you to update KYC. If you find any conversation suspicious, hang up the phone, open the company’s official website, and call the number given on the “contact us” page. And last but not least, never share your private information on the phone. This is especially true if it is related to financial services. If you have the slightest doubt about the caller’s intentions, you should instead personally visit or call the official number of your nearby bank, credit card company’s office, or insurer to inquire about and solve the issue.