Social Engineering Alert: Vishing Scams on the Rise
The phone rings, you answer. Who’s on the other end of the line? The reality is, unless you personally know the caller, you can’t be sure.
In the past few months, I’ve received any number of phony phone calls. Known as “vishing” (a shortened term for “voice phishing”), this social engineering technique has gained a lot of ground in recent years. You might be surprised to learn this; after all, voice-to-voice calls are decidedly low-tech in comparison to other communication channels open to scammers.
But that is actually part of the appeal. After all, how hard is it to pick up the phone and ask for something? Not hard at all. And the relative anonymity of the connection is a major plus. You can claim to be anyone over the phone. In the last week alone, I’ve had calls from “Bob from Microsoft,” “Susie from cardholder services,” and “Nancy, a representative of the major credit card companies.” Not one of these people was who they claimed to be.
It Could Happen to You
But you’re too savvy to fall for a vishing attack, right? Maybe. But even if you do dodge that bullet, are you just as confident in your coworkers’ or employees’ abilities to do the same? How about your parents, spouse, or children? Because if they fall, you’re likely to feel the impact.
Vishing is certainly a costly problem. A recent study by Truecaller, which describes itself as the world’s largest verified mobile phone community, revealed that approximately 17.6 million Americans were victims of phishing scams in 2013. The price tag? An estimated (and whopping) $8.6 billion, with the average amount lost clocking in at just under $489 per victim.
Here’s a rundown of a few recent scams that are making headlines globally:
- Since October 2013, the U.S. Internal Revenue Service has been receiving reports about fraudsters impersonating IRS agents and demanding bogus payments. As of late August, approximately 1,100 victims had lost an estimated $5 million from these scams.
- In Scotland, 26 people lost a total of £1.3 million in a vishing scam that was executed over a few months. Victims believed they were speaking with a member of their bank’s fraud department, who claimed an account had been “compromised.” The scammers urged the victims to transfer funds to a “safe” account — which was immediately emptied. The largest amount lost by a single victim was £163,499; the lowest was £16,000.
- According to Financial Fraud Action UK, industry losses to phone banking fraud totaled more than £65 million from 2009 through 2013.
How You Can Stay Safe
Perhaps the best bit of advice that can be offered is “think before you speak” (words to live by, really). As is the case with many social engineering scams, fraudsters want to spur immediate action, to get people to act before they think things through. Though the end games of different phone scams may vary, there are common threads in these types of attacks:
- Scare tactics – Your bank account is frozen…your account shows unauthorized activity…you owe money and you need to pay now before something bad happens. These claims often prompt victims to act first and ask questions later – a recipe for disaster.
- Prizes and special offers – You’ve won a free trip to the Bahamas! Only…not really. Generally, promises of “free” gifts are followed in short order by requests for credit card numbers. Keep it in perspective; if it seems too good to be true, it probably is. (More words to live by.)
- Spoofed caller ID – If the caller ID says it’s the IRS, it’s the IRS, right? Wrong. Fraudsters can rather easily manipulate standard caller ID services. They can even make it look like your own phone number is calling you (a simple trick to get you to pick up the phone and engage with the caller).
If you’re in doubt about the authenticity of a caller you’re speaking with, do the simple thing: hang up the phone. It’s the easiest way to avoid becoming the victim of a phone scam.
Want to learn how to protect your employees from vishing attacks and other threats? Check out a demo of our Social Engineering Training.