Vishing, or voice phishing, is not a new phenomenon. We use the term vishing to describe a kind of social engineering attack that happens over the phone, rather than through other forms of communication like email.
Vishing attacks can involve someone actually speaking on the line or it may be a recorded message asking you to pass on information or press a key on your dial pad.
Just like phishing and smishing, vishing is another method hackers will use to get hold of a person’s sensitive information, often their bank details, or trick their victims into making an upfront payment.
In the UK, these kinds of attacks are on the rise, in fact, vishing attacks had risen by 83% in 2020.
How do hackers trick you?
Social engineering methods like vishing tend to play with a person’s emotions in one way or another, often using scare tactics or making you think you’ve won an exclusive prize, because hackers know this is the best way to encourage humans to make mistakes.
When we’re being told our money is at risk, for example, the instinct is to panic and act straight away to try and fix the situation. The hacker will lead you to believe that they have the simple answer, and in this panicked state, that’s all we want to hear.
The situation is arguably worse when on the phone because we have less time to think. Phone scammers will often speak with urgency using confusing terms and ‘official’ organisations you may never have heard of to make you feel more compelled to act hastily.
There are hundreds of different vishing scams out there, so it can be hard to know when you’re being targeted.
- Lottery/prize draw: You get told you’ve won a prize but certain legal and tax fees need to be paid before the winnings are released
- HMRC vishing: You get told that you’re due a tax refund or a lawsuit is being filed against you
- Bank Impersonations: You get told there’s a problem with your account and you need to update payment details or confirm private information
- Tech support: You get told your computer has a virus and you need to install some software to get rid of it (hint: this is actually malware)
- Medical help: You get told you’re eligible for a free treatment or miracle cure but of course you have to send some money to secure it.
- Business support: You get told you can make money working from home or starting a business but will make you pay an advance fee and perhaps get others to sign up to the scheme, before never actually paying you for the work you do.
The list can go on and on, but you get the idea. Vishing hackers can get very creative!
Are vishing attacks hard to spot?
It can definitely be difficult to know when you’re being targeted by vishing. If you consider that 97% of targeted users can’t identify a sophisticated phishing email, you can appreciate just how easy it might be for these kinds of attacks to sneak under the radar and fool people.
Clever spoofing technology has now made it even harder to spot when you’re being scammed. Hackers can make the caller ID appear as if it’s from a certain business or individual so you’ll pick up and assume that’s who you’re talking to.
Because of vulnerabilities in the UK telephone network systems, hackers can steal a presentation number and link it to their own and there’s no way of the phone network knowing it's illegitimate. This can even be done from a different country altogether; you’ll only see what the hacker wants you to see.
Deepfake audio and other VoIP features can also help to trick listeners into believing they’re being contacted by a trusted source.
In 2019, fraudsters used AI to impersonate the voice of a UK energy company’s CEO, resulting in a loss of around £200,000.
Robo-calling
Some vishing attacks rely on automated voice messages rather than an actual person on the other end of the line. These are often called robocalls and they make it easy to reach a much larger number of people, millions a day.
They may ask you to respond to questions, starting with a simple ‘can you hear me?’. Instinctively you might say yes, but this confirmation will likely be recorded at the other end and can then be used for further fraudulent activities.
You may also be asked to press a number on the dial pad, but this can connect you to a high-cost premium number as well as marking you as an active user, so you’re more likely to be targeted again in the future.
Some robo calls can be legitimate, for example, a reminder of a flight or appointment, but if it’s unexpected information you hear from a recorded voice on the line and it wants you to engage, it’s always best to stay silent.
Signs of a fraudulent phone call
While vishing attempts can be very sophisticated and hard to spot, there are certain things to look out for that you should be wary of.
In general, it’s a good idea to be sceptical of any phone call out of the blue, even if they claim to be from a legitimate company you trust. We’ve already established that checking the caller ID is of little help, as this could well match the company they’re purporting to be.
If the caller is giving you worrying news, like your account has been compromised, take a breath before reacting. Hackers don’t want to give you space to think; they just want you to panic. They may talk quickly at you and request information so they can ensure your money stays safe.
On the other hand, it may be great news! But if it’s too good to be true, it probably isn’t. As exciting as it is to hear you’ve won something, try to be realistic - if you haven’t entered a lottery, you probably haven’t won it!
Legitimate organisations will not unexpectedly ask for sensitive information over the phone, so that should always be your first red flag. Even if they aren’t asking for banking details, your data is valuable and can be used in lots of different ways to exploit you further.
They may already have some information on you and use that to try to prove their legitimacy, but don’t be fooled by this either.
If you’re not 100% sure of who you are speaking to, simply hanging up the phone is your best course of action. Remember you don’t owe the caller anything.
You can even say to them that you’d like to call the company back yourself for security reasons.
Then you can dial the company’s number published on their website and establish whether or not you have been the victim of a vishing attempt.
Next steps…
If you make contact with the company and discover it was indeed a vishing attack, informing the company will allow them to take the necessary action sooner rather than later.
You can report instances of vishing to Action Fraud, the ICO or via a form on the FCA’s website to help alert the relevant authorities. They may have knowledge of the issue already but if not they can begin investigations and avoid it happening to more people.
Finally, take advantage of phone blocking and privacy services from your phone provider and block spam calls. You can also register your number on the TPS register to avoid being contacted by people you don’t know or trust.