What is vishing?
Your phone rings and someone on the other end introduces themselves as calling from a well-known company. Are they really? Or is this a scammer?
Vishing, a combination of “voice” and “phishing”, is a phone scam designed to get you to share personal information. The call is designed to instil FUD (fear, uncertainty and doubt) in your mind, usually in the form of urgency and panic.
During a vishing call, the scammer will try to use social engineering techniques to get you to give them personal details, for example, your bank account or login details.
Common calls include:
- Microsoft help desk claiming that there are problems with your computer.
- BT Internet claiming that there is a problem with payment for your phone or internet connection, or that your internet connection is being used by a hacker or for spreading malware.
- Your bank, claiming that your account has been compromised and that you need to move all your money somewhere else for “safe keeping”.
Many vishing calls are easy to spot as the person calling has a strong Indian accent, has your name wrong or, if you ask what number was dialled, either leaves out the leading 0 or starts the number with +44. More difficult ones could be claiming to be a government agency doing research into cybersecurity. Remember, legitimate callers (for example banks, internet/media providers, etc.) will never ask for PINs or passwords.
What can you do?
Hang up. If you have any suspicion that this might be a vishing call, just hang up. Usually, the scammer will move on to someone more gullible.
If the call is from an organisation that you do have a relationship with (for example your credit card company), ask for the person’s name and say you’ll call them back. Hang up and call them on the phone number that you know and ask to speak to the same person.
If it’s a call from someone you don’t know, but you think may be legitimate, get the person’s name and say you’ll call them back. Then search the web for that organisation and use the phone number there. I had this with a government department that was doing a cybersecurity survey. I took the caller’s name, hung up and looked up the department’s switchboard number. When I called it, I asked to speak to this person. I was put through and spoke to the same person.
Remember, if in doubt, hang up. If the caller starts asking for any information that you are not comfortable sharing (including usernames, passwords, PINs, etc.) just say no. If they persist, hang up.
Do you want to learn more?
Network Midlands runs seminars to help people detect and defeat social engineering attacks. Find out more at “The Art of Deception”.