Vishing (or “voice phishing”) is a scam technique where a scammer uses a business’s name and information to try to get someone to divulge sensitive information over the phone.
Unfortunately, vishing is everywhere. One in three businesses has had their name used by an impersonator making scam calls. How do they do it? Scammers have a few methods, including simply using your business’s name, or spoofing, where they actually use your caller ID or area code.
With the dangers of vishing making it harder to do business by phone, we’re going to dive deep into vishing attacks so you have the information you need to handle them. We’ll look at common tactics and red flags, and at whether vishing attacks can impact your business.
Understanding vishing attacks
Vishing attacks are a social engineering tactic used to defraud people over the phone and use their information for financial gain. The term comes from “phishing,” which is a similar process but over email or the internet.
In a vishing attack, a scammer will impersonate a legitimate business or organization and call its customers. When a customer answers, the scammer creates a scenario in which the customer feels they need to divulge information. That information is then sold or used by the scammers.
Here are a few common vishing attack examples to help illustrate what these attacks can look like:
- The attacker impersonates a bank representative and requests account information or passwords in order to “keep the account open” or to prevent future fraud.
- The attacker poses as a government agency and claims urgent action is needed to avoid legal consequences.
- The attacker pretends to be a tech support agent and claims to need remote access to a computer, or personal information, to help with a tech problem.
Because attackers invoke serious situations and often use official phone numbers, vishing attacks pose a serious security threat.
Tactics used in vishing attacks
A scammer launching a vishing attack will use several key tactics, regardless of what industry they’re impersonating. Here are some of the most common vishing attack tactics:
- Caller ID spoofing to appear legitimate
- Impersonation techniques, including identifying themselves as service representatives and giving official-sounding information
- Manipulation tactics, especially creating a sense of urgency and of serious consequences if the information isn’t divulged
- Leveraging information from social engineering to make the call sound more legitimate and to appear as though they have some customer information
The most dangerous tactic for businesses is that an attacker could spoof your caller ID and use your reputation to defraud customers and clients. That’s why keeping your line as secure as possible is crucial.
Recognizing vishing red flags
For customers, the best way to protect themselves from a vishing attack is to be aware of the red flags and know when to hang up the call. Here are some typical red flags that a call could be a vishing attack:
- Caller ID that appears unfamiliar. A caller ID could be spoofed, but it would have a few telltale signs—like a number that can’t be called back or mirroring the customer’s phone number. Even cell phone numbers can be spoofed. So an unfamiliar caller ID or number can be a red flag. The simple solution is for the recipient to hang up and call the legitimate company back from the official number.
- Unsolicited calls from unknown numbers. Sometimes the calls aren’t spoofed and instead are marked as an unknown number. An unsolicited call from an unknown number with no caller ID can be a red flag for vishing, especially if the caller then tries to impersonate an official organization. The solution here is to, again, hang up the phone and call the organization via their official phone number to verify if the call was real.
- Caller requests sensitive information. A legitimate caller is never going to urgently need private information over the phone. Customers should always avoid giving out sensitive personal information over the phone. For requests for remote computer access for IT help, it’s always important to verify the legitimacy of the IT department. If you are an IT provider, always provide an opportunity for your customers to verify that you’re a legitimate company.
- Caller makes unusual requests or makes demands. A legitimate caller should never make demands, ask for prepaid gift cards, or make any other similar requests. Customers who feel that the requests are unusual should always hang up the phone and call the official company number to verify if the call is legitimate.
- Caller provides inconsistent or suspicious information. A vishing scammer will use social engineering to try to sound legitimate, but that information is rarely enough if a customer asks questions. If the caller is making an offer that feels too good to be true, it probably is a scam.
The best way for customers to avoid a vishing attack is to hang up. If they have any doubt about the legitimacy of the call, they should hang up and call the official company phone number.
How do vishing attacks impact businesses?
Vishing attacks don’t just pose a threat to customers; they also pose a serious threat to companies that are just trying to do business. Here are some startling numbers to put it in perspective:
- 34% of customers are suspicious of any calls coming from that business after a vishing attack
- 13% of customers have since switched brands after receiving an impersonation call
- 39% of customers perceive the business negatively or have reduced trust in their security procedures after a vishing attack
The unfortunate reality is that your company’s reputation can be damaged after a vishing attack, and you can lose customers. Vishing attacks aren’t going away either. In fact, they’re rising. So what can your company do to protect your reputation, your business, and your customers from malicious vishing attacks?
What your company can do about vishing attacks
The good news is that there are steps you can take to secure your voice channels and protect your phone calls. The most effective is displaying a branded caller ID. This display will show users your company name, logo, and reason for calling. This adds an extra layer of identity so your customers can be sure it really is you calling.
Learn more about 4 Steps to Minimize Fraud & Maximize Security in Your Voice Channel to get started protecting your company and customers from vishing attacks today!