Vishing attacks are on the rise, and they can be devastating to businesses and individuals alike. Here's what you need to know about this type of attack and how you can protect yourself and your organization.
Vishing is like phishing, which involves stealing victims’ credentials through email or SMS. But instead of email, vishing uses voice to trick victims into parting with sensitive information.
What is vishing?
Vishing is the blending of two words: Voice and Phishing. In vishing, a scammer uses a mix of social engineering and psychological conning to trick you into sharing personal data. They mainly target your account numbers, login credentials, PIN details, and OTPs. Some common examples of vishing are:
Tech support fraud
Bank impersonation fraud
Government representative fraud
How does vishing work?
Scammers thoroughly study potential victims, which is why they attempt to conceal their identities and locations as much as possible. They use Caller ID Spoofing software to trick people into believing they are receiving a call from a legitimate business. Once they establish contact, they play up fears by claiming the victim’s data is at risk.
The warnings range from claims about the imminent expiry of ATM cards to threats to the victim’s bank or social media accounts. Once the victims panic, the scammers win their confidence by offering to walk them through the steps needed to resolve the issue.
Vishing attackers use several techniques to phish information. Here are some of the most common techniques.
One technique uses technology and software-driven calls to dial various numbers within specific area codes. When a victim answers the call, an automated voice message asks the person to spell out their full name and provide credit card details.
VoIP is another easy means to create spoofed numbers and skim information over voice calls. VoIP-generated fake numbers are hard to track and are often used to imitate local phone numbers. Some cybercriminals generate VoIP numbers that appear to come from government departments.
Caller ID Spoofing
Caller ID spoofing is similar to VoIP-based vishing: the scammer hides behind a fake phone number and pretends to be a legitimate caller. In this technique, they list their name as ‘Unknown’ and pretend to represent a legitimate caller. They mimic numbers so that the calls appear to come from legitimate organizations such as tax departments, hospitals, and police departments.
Common vishing scams
Supposed fraud or suspicious activity on your credit card or bank account
Overdue or unpaid taxes from CRA
You are a contest winner
Tech support to fix an issue on your computer
An international package stuck at customs or issue with delivery
A supposed warrant out for your arrest
Emergency response benefit relief fund
How to protect against vishing attacks
There are various steps you can take to protect against vishing attacks. Below are some of the best practices:
Don't provide any information over the phone
If you notice a delay of 2-3 seconds before a live person speaks, it may be an auto-dialer system
A legitimate caller will not hesitate before authenticating their professional affiliations. A scammer, however, will be reluctant to confirm their identity, web address, and online verification details.
Avoid answering unknown phone calls. Let the phone ring and go to voicemail. From there, you can listen to the message and determine whether it is legitimate.
What to do if you provide sensitive information to a scammer
If you have provided sensitive information to a scammer, call your financial institution and ask to cancel your credit card, change your account number, or block fraudulent transactions. You can also file a complaint with the Fraud Reporting System (Canadian Anti-Fraud Centre) or call toll-free at 1-888-495-8501.
You can also file a misleading or deceptive marketing report with the Competition Bureau using the online complaint form.
The most efficient way to protect yourself against scammers is to be suspicious of any phone call where the caller asks you to provide sensitive information, including your name. If you are unsure about the legitimacy of a call, ask for the caller’s name, company, and contact information. Once you have this information, hang up and call the company back using a number you know to be legitimate. This allows you to confirm whether the call was legitimate and to take appropriate action if it was not.