Phishing returns to its roots

How scammers use voice calls for phishing.

Vishing is phishing using voice calls. We explain why vishing has become the most common type of fraud and how you can protect yourself.

Between tech support requesting access to your computer, concerned tax services specialists demanding payments, medical equipment suppliers “returning your call,” and many more — none legitimate — it’s a wonder anyone even answers their phone anymore. You’d be hard-pressed to find someone who hasn’t experienced some form of phone scam, although the name for it isn’t as well-known: vishing.

What is vishing?

Vishing is short for voice plus phishing (as smishing is SMS + phishing), and, aided by the mass transition to remote work, it has turned the phone into a major weapon of fraud, to the extent that law-enforcement agencies now periodically release official announcements about the danger.

According to 2019 data from the US Federal Trade Commission, only 6% of scam calls ended in financial loss. Nevertheless, when it happened, the damage was quite significant, with a median value of $960.

Anyone can fall for a scammer’s bait, even experts who think they’ve seen it all. Many fraudsters are excellent at gaining the confidence of even the most vigilant target.

On the one hand, vishing is more conservative than regular phishing, because the telephone itself is an older means of communication. On the other hand, massive data leaks in the digital age have lent voice scams new power: Never before have scammers been in possession of such volumes of information about almost everyone on the planet. The proliferation of Internet telephony (VoIP) further plays into the hands of cybercriminals, enabling them to manipulate phone numbers and cover their tracks.

Types of scam calls

Scammers can say just about anything on a call, but their attempts tend to fall into a few main categories.

Telemarketing

Telemarketing fraud tends to involve offers too good to be true and pressure too time-sensitive to end well. Some examples include winning the lottery (bonus points if you didn’t even buy a ticket), a reduced credit card interest rate, and other lucrative offers that are hard to refuse. They tend to have in common the need to make a decision on the spot, plus a small advance payment from you to them.

If you have the time to think about the offer, it’s (usually) clearly fraudulent. If you make the payment, it’ll just go to the scammers, literally rewarding them for their crime and also reinforcing the value of using leaked databases of phone numbers to call and defraud thousands more people.

Government agency

One of the most common schemes involves allegedly unpaid or underpaid taxes. A “tax office” initiates the call and provides a choice: Pay the arrears or face a fine. The offer expires soon, after which the fine will increase.

Again, adding time-sensitivity works. Given time to think about how tax agencies communicate with citizens, not to mention their deadline structures, the average citizen could probably figure out that such calls are fraudulent. A ticking clock and (apparently) a government agency known for strictness, however, adjust the odds in scammers’ favor.

Technical support

For unsolicited tech-support calls, scammers choose large, well-known brands to increase the chances of connecting with an actual user of the product. The caller typically claims to have found an issue with the victim’s computer and asks for login credentials or remote access to their computer.

A more sophisticated scheme involves some preparation, for example, infecting a computer with malware that invokes a pop-up window with a description of the alleged problem and a phone number to call to get it fixed.

Bank

The ultimate object of any scam is money, so of course some fraudsters pretend to call from banks. Generally, they claim to be reporting suspicious account activity, which in reality gives them cover to request details such as a CVC/CVV code or a one-time passcode from a text message. Armed with such details, the fake bank employee can easily clean out an account for real.

How to recognize scam calls

We can’t discount the notion that scammers, always on the lookout for more-convincing hooks, might someday learn from fraud’s rich history of tells, but most scams exhibit at least one of several red flags.

  • If a call supposedly from a bank or government agency comes from a cell number, it’s almost certainly vishing. Double those odds if the phone number is from a different region. However, an official-looking number is no guarantee of a legitimate call; modern technologies allow caller ID spoofing.
  • If a caller tries to extract confidential information, especially in a threatening manner, that too is a sign of vishing. In general, any attempt to find out private information is an indication of fraud: any information a real bank or tax office employee needs about you, they probably already have — remember, we’re talking about communication they initiated, not you.
  • If someone urges you to make a monetary transaction and cites a deadline, it’s definitely a scam.
  • If a caller tries to persuade you to install software on your computer to fix some problem they called to tell you about, it will probably end badly for you.

Finally, an indirect but still reliable sign of vishing is if the caller gets confused, misspeaks, is hostile, or uses slang expressions. We have nothing against everyday speech, of course, but real operators are generally trained to use professional language.

How to guard against scam calls

If you spot at least one of the above red flags, the best option is simply to end the conversation. After that, call the company or organization that supposedly just called you and report the incident — the more information they collect, the more likely they are to catch, or at least hinder, the fraudsters. Look up the tech or customer support number separately, for example by going to the organization’s official website.

In addition, resolutely avoid installing remote access programs on your computer, however convincing any caller may be, and use a reliable security solution that detects dangerous applications in good time and warns you about them.
