It's a common scenario. Someone visits a social media platform and clicks an enticing link — only to see a blue screen appear with a warning message to call the toll-free number displayed to repair a serious computer problem.
A pleasant technician answers the phone, more than willing to help — for a price. After credit card information is provided to pay for the software to solve the computer problem, the con is complete, and the victim pays dearly.
The software doesn't work, and the helpful technician disappears, never to be heard from again. The user has become another victim of a malicious practice called "vishing".
Most people have heard of “phishing”. Phishing involves enticing email or text messages into clicking on links to files or websites that harbor malware. The links may also appear in online advertisements that target consumers.
Vishing uses verbal scams to trick people into doing things they believe are in their best interests. Vishing often picks up where phishing leaves off.
In the example above, the victim clicked on a link for an online advertisement related to personal interests. Malware embedded in the link triggered a lock-up that only the helpful "technician" on the other end of the phone could fix. It will cost the victim some amount of money to remediate the problem. Of course, it was all a scam, and the technician’s "company" was the actual source of the problem.
Credit card fraud in 2015 was a $16 billion business globally, and vishing came in at $1 billion, according to the BBC. Essentially, vishing can occur anytime perpetrators gain access to victims' personal information.
Cybercriminals deliberately create conditions designed to con unsuspecting victims into willingly handing over valuable personal details, such as full names, addresses, phone numbers, and credit card numbers.
With that information, cybercriminals can initiate numerous fraudulent charges, starting with fake fees for computer repairs or antivirus software, depending on the scam.
Vishing thrives when cybercriminals have a modicum of information about a user's interests. They take advantage of this knowledge to create a sense of urgency involving a problem in the victim's life, and then they step in to save the day by offering a simple solution to the problem in soothing tones.
It's sometimes difficult for people to tell when they are being vished. Victims often don't realize the helpful person on the other end of the phone is conning them until after they've handed over their credentials. However, there are some warning signs that can help them spot potential frauds.
In many cases, callers are self-appointed experts or authorities in their fields. They can masquerade as computer technicians, bankers, police, or even victims themselves.
However, if these callers are legitimate, it shouldn't be difficult to authenticate their professional affiliation with a simple phone call. If they can't — or won't — provide the information necessary to verify their identity, they can't be trusted. If they do provide contact info, it's still important to independently verify the legitimacy by using an official public phone number to call the organization in question.
Although it's tempting to give in under pressure, a frantic sense of urgency is a huge red flag. Users should take a couple of deep breaths, and then write down any information the person provides on the call — without providing any details of their own. Again, they can access third-party sources to find a public phone number to call for verification.
Recipients of these calls also shouldn't click on links in emails (phishing) or in mobile phone SMS text messages (SMiShing) the person on the phone might send. Any correspondence is likely to contain "hooks" that download malware that could take control of computer systems, steal user credentials, and even spy on users.
If consumers receive unsolicited calls from anyone offering any type of computer service, they shouldn’t attempt to call back using the same phone on which they received the call.
Phone technology now exists that locks a victim's phone line after hanging up and redirects their next calls to the fraudulent caller. People who believe an issue could be authentic should use another phone to call a publicly acknowledged phone number.
A real technician who steps in to salvage a computer after a malware incident would strongly advise consumers to change passwords on accounts, notify their banks and credit card companies, and monitor financial transactions closely. Consumers in the U.S. should also report vishing calls to The Federal Trade Commision online or at (888) 382-1222. The FBI's Internet Crime Complaint Center also handles vishing investigations.
Although vishing and its online cousin phishing aren't going away anytime soon, vigilance and a strong dose of skepticism can help reduce the risk of loss from these types of scams.