As part of this month’s Continuing Privacy and Security Training (“CPST”), The Compliance Team sought to explain “What is Vishing?”

What is Vishing?

Vishing is a type of cybercrime aimed at stealing personal information over the phone. Vishing—a combination of “voice” and “phishing”—is a phone-based phishing scam, and criminals are usually after personal or financial information they can use to exploit you.

Because commercial and residential Voice over Internet Protocol (VoIP) users aren’t required to provide caller ID, vishing scams have become increasingly common—over 40% of all mobile calls were vishing scams in 2021. Additionally, 75% of all scam victims were called by criminals who already had their personal information.

How Does Vishing Work?

Vishing attackers typically use caller ID spoofing to make victims think a phone call is coming from a local area code or a trusted business. They usually pose as a trusted source or official entity to lure victims into handing over your personal information. They may pretend to be from your bank or credit card company, pose as a debt collector or act as a government official from the IRS.

When an unknowing victim picks up the phone, scammers will create a sense of urgency to play on their emotions and compel them to act on a request for personal information. They may say there’s a problem with one of your financial accounts that must be remedied immediately or that you have an outstanding debt you need to pay over the phone.

Vishing can take many forms, but the objective remains the same: to trick you into revealing sensitive information, whether for financial gain or to carry out another crime like identity theft.

Vishing vs. Phishing: What’s the Difference?

Phishing scams have been around since the mid-90s, but they’ve grown in sophistication over the decades. Phishing is any type of cybercrime in which criminals pose as a trustworthy source online to lure victims into handing over personal information. Phishing attacks are most often carried out by email, but as these types of scams have evolved over the years, they now take on a variety of different forms.

Vishing is essentially the phone-based version of phishing. The ultimate goal for both phishing and vishing is the same—to exploit victims in order to profit in some way, whether financially or otherwise.

Four Examples of Vishing Scams

As vishing becomes more prevalent, threat actors use a variety of techniques to lure victims into their scams. The examples below are some of the most common examples of vishing scams at work today.

  1. Bank Impersonation

Vishing scammers may impersonate your bank, credit card company or another financial institution to gain access to your financial accounts. In this scenario, the scammer typically says there has been unusual or fraudulent activity on the victim’s account, and asks the victim to confirm their bank account details, account numbers or mailing addresses.

  1. Tech Support Fraud

In this scenario, the caller will impersonate tech support from a reputable company like Google, Apple or another relevant provider. They’ll usually relay a report of suspicious activity on the victim’s account and ask to confirm their account details. They might also ask for an email address to which they can send a software update, instructing the victim to install it on their computer to avoid their account being compromised. In reality, the software update is actually a way to plant malware on the victim’s computer.

  1. Social Security or Medicare Scam

Criminals often target seniors in their attacks, and they pose as Medicare or Social Security representatives to try and glean sensitive information from victims. They might call asking for Medicare account details in order to receive a new Medicare card, or ask victims to confirm their Social Security number to avoid termination of the benefits they’re entitled to.

  1. IRS Tax Scam

This type of vishing attack usually involves a prerecorded voice message explaining an issue with the victim’s tax return. This is typically followed by a warning that if you fail to call back, a warrant will be issued for your arrest.

How To Recognize and Prevent Vishing

1.Never provide or confirm your personal information on the phone. Remember that your bank, hospital, police department, or any government department will never call you asking for your personal information.

  1. Listen very carefully to the caller. Pay attention to the language being used and think before responding. Never provide any personal information. Do not confirm your address. Be wary of threats and urgent requests.
  2. Be wary of any phone numbers the caller gives you to confirm their identity. Look up the phone number yourself and call the number using a different phone. Cybercriminals can route phone numbers and create fake numbers.
  3. Do not answer phone calls from unknown numbers. Let the call go to your voicemail and then listen to the message very carefully.
  4. Do not answer questions about your personal information, your workplace, or your home address.
  5. Ask questions. If the caller is trying to give you a free prize or sell you something, ask them for proof that you can use to verify who they are and where they work. If the caller refuses to provide this information hang up. Make sure you confirm any information the caller gives you before providing your information.
  6. Register your phone number with the Do Not Call Registry. Most legitimate companies respect this list, so if you do receive a call from a telemarketing company, this is an indicator that the call is a vishing attack.
  7. Remember the information you learned about social engineering from your security awareness training. Be on the lookout for language that takes advantage of basic human behaviors of fear, greed, trust, and wanting to help others.
  8. Remember that your manager or human resources colleague will never call you at home asking you to transfer funds, provide confidential information, or email documents from your personal account.
  9. Do not respond to emails or social media messages that ask for your phone number. This is the first step in a targeted phishing/vishing attack. Report these emails/messages to the IT/support team.

What is Phishing Simulation?

Phishing simulation is one of the best ways to raise awareness of vishing attacks. Remember that vishing is often used along with phishing to commit a two-pronged cyber-attack.

Phishing simulations help you identify which employees are at risk of cybercrimes that rely on social engineering to trick and steal from victims. Real-time phishing simulations are a key part of any successful security awareness training program.

Together security awareness training and phishing simulations help raise alertness levels to cyber security threats. Phishing simulations give people first-hand experiences that help them understand how cybercriminals work to deceive, convince, and steal.

As always, please let the eHealth Technologies’ Privacy and Security Compliance Team know if you have any questions on the privacy and security of Covered Information, including PHI, ePHI, and other Confidential Information.