Hi, It’s Your Bank Calling
So, you receive a call and it’s a local number or it’s the phone number of your bank, should you answer it or let go to voicemail? But the caller ID looks familiar, so you answer. Can you trust that the person that is calling is who they say they are? Was this a sales call, a real call or something called vishing?
Many people reason that if the number is showing as a known number, then the attacker is who they say they are. However, the recipient maybe unaware that the caller is looking to vish them. If you are unfamiliar with what vishing is, it is defined, according to The Social Engineering Framework, as the practice of eliciting information or attempting to influence action via the telephone. Vishing can literally be designed as voice phishing. The goal of vishing is similar to phishing in that it is to obtain valuable information that could contribute to the direct compromise of an organization or individual. Attackers can “spoof” their outgoing phone number to appear like a known number and pose as an authority figure, technician, or fellow employee in order to obtain sensitive information that could lead to the compromise of an organization or clean out your bank account.
Vishing has become one of the tools of choice by cybercriminals. An article from Fortune mentioned that the volume of mobile scam calls has increased from 3.7% of total calls in 2017 to 29.2% in 2018. They predict that the number will exceed 44% by early 2019.
Learn By Example
To get an idea of what the scammers are doing, let’s look at some incidents that have been reported:
An article by WHNT News 19 discussed how an FBI agent’s mother fell for a call from someone pretending to be a relative that had a DUI and needed money. It also discussed how hundreds of credit union’s clients received fraudulent calls from fraudsters spoofing bank numbers and asking them to validate their cards by providing the 3 numbers on the back.
Another incident involved someone claiming to be from the Woodburn, Oregon police department that called and told the victim to call a second number. That number belonged to a person who claimed to be an attorney for the police department.
The alleged-attorney then directed the person to remain on the phone, go to a retail location, and buy a prepaid debit card to clear their fake warrant. When the person, being directed by the fake-attorney, arrived at the store, a store employee told the person it was a scam. The phone call was then ended. The fraudulent caller used a fake caller ID showing the actual Woodburn PD number.
Some additional scams are the IRS Scam, the Kidnapping Scam, the Social Security Scam, and the Tech Support Scam:
- The IRS Scam involves someone who is pretending to be an agent of the IRS, they tell you they have a warrant for your arrest unless you pay some money immediately.
- The Kidnapping Scam is where the scammer tells you he has kidnapped a family member, and that you need to make immediate payment for their release.
- The Social Security Scam comes in many forms. One variant is where the caller poses as an SSA employee and needs personal information to round out your file. Another is you’re told that the SSA wants to increase your benefit payment but needs additional information to do so. A third variant involves a threat of stopping your Social Security benefits if you don’t give them the requested information.
- The Tech Support Scam is where the caller attempts to have you pay for fraudulent tech support. Many of my friends have dealt with this and, unfortunately, two of them even fell for the call and paid money to the scammer.
“I’ll never fall for that”
You may reason that you are too tech savvy to become a victim of a vishing call. Many think that way and in the article Voice Phishing Scams Are Getting More Clever by Brian Krebs, he relates several experiences of tech savvy people that either fell for a scam or came critically close to falling for one.
What is it that makes people, even tech savvy people, fall for these calls? Let’s break down the call and see:
- The caller ID looks familiar;
- The caller is persistent, calling back multiple times, creating a sense of urgency or importance to get you to answer;
- The caller uses a pretext that sounds believable;
- The caller uses rapport and trust to convince you that everything they do and say is for your best interest;
- The caller has personal information on you that you believe only the legitimate company would know. Information such as the last 4 digits of your credit card or Social Security number;
When you combine all these points and the fact that the caller will do all they can to influence you into giving them the information they need, even the most tech savvy person may fall for the call.
Do I need to answer?
What should you do to keep from becoming a victim of vishing? Corporations can help their employees by including vishing training as part of their security awareness program. Training employees to report any suspicious work calls to the appropriate team at the company. As an individual, if the call isn’t from someone in your contacts, let the call go to voicemail. You don’t have to answer every phone call. But if you really feel the need to answer the call then apply the following strategies:
- Trust your gut. Most of the time, if a call is making you uncomfortable, realize you are probably right. Hang up and report the call.
- If the caller says they are from your bank, hang up and call the number on the back of your card.
- If the caller says he is a vendor or client, hang up and call a known number for that entity.
- If any caller asks you for PII (personal identifying information) do not give anything to any unverified user, despite the threats they may say.
- If you receive an urgent call from a supposed family member that had something tragic occur, call that family member or other close relatives to verify the story directly before you wire or send any money. (Do this even if they beg you not to)
Remember, scammers want to drive you to react emotionally, so if you receive a possible vishing call take pause, breathe, and take a moment to get your critical thinking back in place before you are manipulated into making a poor decision.
Keep these tips in mind as you keep your family, finances and personal information secure and safe from malicious vishers.
Stay safe and secure,
Written By: Mike Hadnagy