Vishing (or “voice phishing”) is a scam technique in which a scammer uses a business’s name and information to try to get someone to divulge sensitive information over the phone.
Unfortunately, vishing is everywhere. One in three businesses has had its name used by an impersonator making scam calls. How do they do it? Scammers have a few methods, including using your business’s name or spoofing your caller ID or area code.
With vishing making it harder to do business by phone, we’ll take a close look at vishing attacks so you have the information you need to handle them. We’ll look at common tactics and red flags, and at how vishing attacks can impact your business.
Understanding vishing attacks
A vishing attack is a social engineering tactic used to defraud people over the phone and use their information for financial gain. The term comes from “phishing,” a similar process but over email or the Internet.
In a vishing attack, a scammer impersonates a legitimate business or organization and calls its customers. For the customers who answer, the scammer creates a scenario where the customers need to divulge information. The scammers then sell or use that information.
What are the most common vishing attacks?
Here are a couple of common vishing attack examples to help illustrate what these attacks can look like:
- The attacker impersonates a bank representative and requests account information or passwords to “keep the account open” or to prevent future fraud.
- The attacker poses as a government agency and claims urgent action is needed to avoid legal consequences.
- The attacker pretends to be a tech support agent and asks for remote access to a computer, or for personal information, to help with a tech problem.
Since the attackers use serious situations and often use official phone numbers, vishing attacks pose a serious security threat.
Tactics used in vishing attacks
A scammer launching a vishing attack will use several key tactics, regardless of what industry they’re impersonating. Here are some of the most common vishing attack tactics:
- Caller ID spoofing to appear legitimate.
- Impersonation techniques, including identifying themselves as service representatives and giving official-sounding information.
- Manipulation tactics that create a sense of urgency and threaten serious consequences if the information isn’t divulged.
- Leveraging information from social engineering to make the call sound more legitimate and to appear as though they have some customer information.
For businesses, the most dangerous tactic is caller ID spoofing, because attackers can use the business’s reputation to defraud its customers and clients. That’s why keeping your line as secure as possible is crucial.
Recognizing vishing red flags
For customers, the best way to protect themselves from a vishing attack is to be aware of the red flags and know when to hang up the call. Here are some typical red flags that a call could be a vishing attack:
- Caller ID that appears unfamiliar. A caller ID could be spoofed, but it would have a few telltale signs, like a number that can’t be called back or one that mirrors the customer’s phone number. Even cell phone numbers can be spoofed. So, an unfamiliar caller ID or number can be a red flag. The simple solution is for the recipient to hang up and call the legitimate company back from the official number.
- Unsolicited calls from unknown numbers. Sometimes, the calls aren’t spoofed but instead marked as an unknown number. An unsolicited call from an unknown number with no caller ID can be a red flag for vishing, especially if the caller tries to impersonate an official organization. The solution is to hang up the phone and call the organization via their official phone number to verify if the call was real.
- A caller requests sensitive information. A legitimate caller will never urgently need private information over the phone, so customers should always avoid giving out sensitive personal information over the phone. For requests for remote computer access for IT help, it’s always important to verify the legitimacy of the IT department. If you are an IT provider, always allow your customers to confirm that you’re a legitimate company.
- The caller makes unusual requests or demands. A legitimate caller should never make demands, ask for prepaid gift cards, or make similar requests. Customers who feel that the requests are unusual should always hang up the phone and call the official company number to verify if the call is legitimate.
- The caller provides inconsistent or suspicious information. A vishing scammer will use social engineering to try to sound legitimate, but that information is rarely enough if a customer asks questions. If the caller makes an offer that feels too good to be true, it is probably a scam.
The best way for customers to avoid a vishing attack is to hang up. If they doubt the call's legitimacy, they should hang up and call the official company phone number.
How do vishing attacks impact businesses?
Vishing attacks don’t just threaten customers; they also seriously threaten companies just trying to do business. Here are some startling numbers to put it in perspective:
- 34% of customers are suspicious of any calls coming from that business after a vishing attack.
- 13% of customers have since switched brands after receiving an impersonation call.
- 39% of customers perceive the business negatively or have reduced trust in their security procedures after a vishing attack.
Unfortunately, a vishing attack can damage your company’s reputation and cause you to lose customers. Vishing attacks aren’t going away; in fact, they’re rising. So, what can your company do to protect your reputation, business, and customers from malicious vishing attacks?
What your company can do about vishing attacks
The good news is that there are steps you can take to secure your voice channels and protect your phone calls. The most effective is displaying a branded caller ID. This display will show users your company name, logo, and reason for calling. This adds an extra layer of identity so your customers can be sure it is you calling.