What Is Vishing?
Vishing is a form of fraud where a fraudster poses as a reputable company and makes phone calls or leaves voicemail messages for their victims. The fraudster’s goal is to get the victim to reveal their personal information. Vishing is a type of social engineering attack.
While vishing does not require fraudsters to have particularly strong technical skills, it is often combined with other fraudulent practices that do – for example, the creation of a botnet using a worm as part of a blended threat.
Vishing is a form of phishing – voice phishing – where criminals use a range of methods to try to trick a target into sharing personal details. Phishing can include the use of emails, phone calls and voice messages (vishing), and SMS and other messaging services (known as smishing).
Once the fraudster obtains the victim’s information via the vishing scam, they can use this for a range of purposes, from making purchases and withdrawals to carding.
How Does Vishing Work?
There are clear stages to the vishing process:
· obtaining the target’s phone number – often through phishing emails
· calling the target while using a fake caller ID to pose as a legitimate business
· putting pressure on the victim to act fast, for example by telling the victim someone has used their card and they need to act swiftly to block it
The time pressure used during this final step is crucial. The victim doesn’t have time to think about the personal information they are handing over until it is too late.
Four Common Vishing Techniques
Fraudsters use a range of vishing techniques to attempt to obtain their victims’ personal details. These include wardialing, Voice over Internet Protocol (VoIP) vishing, caller ID spoofing, and dumpster diving. Between these and other techniques, more than 59.4 million Americans were victims of vishing in 2021. 69% of companies reported vishing attacks during that year – up from 54% in 2020.
Wardialing
Wardialing involves automatically scanning large lists of telephone numbers, for example by dialing every number within a particular local area code. Voicemail greetings that are captured may reveal an individual’s name, which means the fraudster then has a list of numbers and names to work with.
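From the defender's side, the sequential dialing described above leaves a recognizable pattern in a phone system's call detail records (CDRs). The following is an added example, not part of the original article: it flags callers that hit a long run of consecutive numbers with very short calls inside a small time window. The CDR layout, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real data): timestamp, caller, dialed number, seconds connected.
# The first caller sweeps ten consecutive numbers in under a minute; the second is ordinary traffic.
SAMPLE_CDRS = "\n".join(
    [f"2024-03-04T09:00:{i * 5:02d},+15550100,{5550200 + i},{3 if i % 4 else 0}" for i in range(10)]
    + [
        "2024-03-04T09:02:00,+15550111,5550204,185",
        "2024-03-04T09:40:00,+15550111,5550207,240",
        "2024-03-04T10:15:00,+15550111,5550204,95",
    ]
)

def parse_cdrs(text):
    """Group calls by caller as (timestamp, dialed number, duration in seconds)."""
    calls = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, dialed, secs = line.split(",")
        calls[caller].append((datetime.fromisoformat(ts), int(dialed), int(secs)))
    return calls

def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the dialed numbers."""
    nums, best = set(numbers), 0
    for n in nums:
        if n - 1 not in nums:  # n is the start of a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def find_wardialers(text, window=timedelta(minutes=5), min_run=6, max_median_secs=10):
    """Return {caller: longest consecutive run} for callers matching the sweep pattern."""
    flagged = {}
    for caller, calls in parse_cdrs(text).items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # slide the window forward
            burst = calls[start:end + 1]
            run = longest_consecutive_run(d for _, d, _ in burst)
            durations = sorted(s for _, _, s in burst)
            if run >= min_run and durations[len(durations) // 2] <= max_median_secs:
                flagged[caller] = max(flagged.get(caller, 0), run)
    return flagged
```

Thresholds such as `min_run` and `max_median_secs` need tuning against a site's normal traffic, since legitimate outbound dialers can also produce short bursts.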
VoIP
Fraudsters can use VoIP to create fake numbers, including numbers that appear to be local to the target’s location. These can help fraudsters to appear as though they are calling from a genuine local business. Plus, they are almost impossible to trace, meaning that fraudsters have less chance of being caught.
Caller ID Spoofing
Caller ID spoofing enables fraudsters to pretend that they are calling from a legitimate business number. This can help to fool the victim into believing they are talking to a genuine representative of a bank, credit card provider, or other company.
Dumpster Diving
Computer recycling bins can provide fraudsters with a whole host of information that they can use in a vishing attack to convince their target to trust them. Both personal computers and company machines can be treasure troves of such information.
Common Vishing Scams
Fraudsters can use the above techniques to carry out a range of vishing scams. Here are some of the most common vishing scam examples.
“Compromised” Bank or Credit Card Account
One common scam that fraudsters use is to call the target and tell them that either their bank account or credit card has been compromised. They panic the victim by telling them that unauthorized purchases or withdrawals have been made, pushing the victim to “confirm” details such as account numbers, address details, and more. Between spoofing the phone number they are calling from (to look like the call is from a genuine bank’s or credit card company’s number) and using time pressure, this can be a very effective vishing scam.
Fraudsters can use the “compromised” account scam on both private individuals and employees. As such, companies need to ensure that any employees with access to bank accounts or company card details are aware of the potential danger that vishing poses.
Unsolicited Loan or Investment Offers
Another common vishing scam is where the fraudster offers the target an unsolicited loan, credit card, or investment opportunity. Usually, the terms are particularly favorable, such as a low interest rate or long interest-free period for a loan or credit card, or the chance for fast, impressive returns from an investment. The fraudster tells the victim that this particular offer is only available for a very short time, so they must act fast in order to take advantage of it – including handing over their personal details in order to take out the loan, card, or investment. Once again, it is time pressure that encourages the victim to act quickly and hand over their details without thinking through what they are doing.
Medicare or Social Security Scam
This scam sees the fraudster tell the victim that there is an urgent problem with their Medicare or Social Security number. If the victim doesn’t help sort the issue out quickly, there will likely be serious consequences. They just have to confirm a few details first – things like their full name, date of birth, address, Social Security number, Medicare number, and so on.
IRS Tax Scam
A range of vishing scams involve fraudsters posing as representatives of the Internal Revenue Service (IRS) or another government department. They might claim that there is a problem with a tax filing, that the victim is due a refund, or that there is an overdue payment. In all of these cases, they put pressure on the victim to act fast, with that action involving confirming numerous personal details.
Refund Scam
To carry out the refund vishing scam, the fraudster tells the victim they are due a refund from a legitimate company. All that is needed are a few personal details to confirm and process the refund – all of which must be done urgently so that the refund can be processed before a short deadline runs out.
A similar scam to this is where the fraudster tells the victim they have won a prize, rather than a refund. Again, all they must do to claim it is to hand over their details before a looming deadline.
How to Spot a Vishing Scam
Businesses can support their employees to spot the signs of vishing scams so that individuals are alert to anything suspicious. Key things to consider include:
· Unsolicited calls: If the call isn’t expected, count that as the first alarm bell.
· Computerized calls: If there’s a real problem with an account, the company responsible for it won’t use an automated calling service. You’ll get a call from a real person, not a machine.
· Requests for information: Genuine callers from banks, credit card companies, government departments, and so on will not ask for things like bank account details or Social Security numbers.
· Time pressure: If the person calling tells you that you must act fast or there will be serious consequences, be skeptical and pause.
· Unrealistic offers: From amazing terms for loans to investment opportunities with outstanding returns, if it sounds like a deal is unrealistically good, that’s probably because it isn’t actually real.
How to Protect Against Vishing
The first step in protecting against vishing is to raise awareness of it. Businesses should include information on vishing (along with phishing and smishing) as part of regular cybersecurity awareness training for their teams.
Companies should also have procedures in place to ensure that any attempts at vishing fail. They should, for example, require employees to verify the identity of any unsolicited callers by calling them back – and not on a number provided by the caller. Employees should also be clear that they are never permitted to share certain pieces of information over the telephone, such as company card or bank details. And they should report any suspicious calls following company procedures.
Individuals should follow these guidelines too, in terms of verifying the caller’s identity and not sharing their details, to minimize their chances of becoming a vishing victim.