Vishing, short for ‘voice phishing’, refers to a phishing attempt made over a phone call, voicemail, or VoIP conversation. Just like in a phishing email, a vishing caller poses as a trusted person or organization to get their victims to divulge passwords or personal information that can then be used against them.
Scam callers have been around about as long as the telephone. What makes vishing a distinct subset is that it follows the phishing playbook: the caller impersonates an organization, sometimes spoofing the caller ID that shows up on your phone, and the goal is not a payment on the spot but sensitive information that can be used against you later.
Often, these efforts are accompanied by a phishing email. After sending the initial email, the scammer follows up with a call. This adds credibility to their phishing attempt, and can catch people off guard.
Let’s walk through an example, to show you how it works.
Vishing Call Example
Caller: Hello, I’m calling from Chase Bank. We just sent you an email regarding some suspicious activity on your account.
Victim: What do you mean?
Caller: Unfortunately, I can’t give you that information over the phone. If you would just click the link in the email, you can take a look at the suspicious charges and confirm or deny them.
Victim: Okay. Looks like it ended up in my spam folder.
Caller: Yes sir, that can happen.
Victim: Huh, weird. Thanks for the heads up.
Caller: You’re welcome. Have a great day.
In this example, the scammer starts by sending an email and then follows up with a phone call. The call draws attention to an email that would otherwise have sat unread in the spam folder; the caller walks the victim to it and gets him to click the link.
Once the victim clicks the link, he lands on a fake website, enters his username and password, and has just handed his bank login to a scam artist.
This approach is more targeted than your average phishing attack. It takes more time, but by attacking across multiple vectors, the scammer significantly increases the chances they’ll land a hook.
People respond differently to phone calls and emails. Some are easier to convince by email, some by phone. Keep in mind that scammers have ways to trick you on both channels: in email they can forge the From address, and on phone calls they can spoof the caller ID. Email authentication checks (SPF, DKIM, DMARC) catch some forged senders, but they are not universally deployed or enforced. So never assume that someone writing or calling you is who your email provider or your phone says they are.
You’re also more likely to be distracted when the phone rings. An email isn’t quite so demanding of your attention – there usually isn’t pressure to respond (or even read) an email immediately. When the phone rings, though, you have to either take it or leave it. And once you take the call, you’re on the line until you hang up.
How to Protect Yourself from Vishing Attacks
So how can you avoid falling victim to a vishing attack? Pay attention to these quick tips and you’ll be far less likely to hand over your passwords or personal information over the phone.
Don’t Give Out Passwords or Personal Information Over the Phone
In the example above, the vishing attacker directed the victim to a link in an email. Often, though, they simply ask for sensitive information during the call. This is why many organizations have a policy of never asking for passwords or other sensitive information over the phone.
Often, a company will ask for some personally identifiable information just so they know who you are as a customer. Depending on what type of organization it is, that could be your birthday, your phone number, or the last four digits of your credit card.
To be safe, if an organization calls you and asks for this kind of information, say you will call them back. Then go to the company's website, find its published number, and dial it yourself; do not use a number the caller gives you.
Hang Up and Call the Official Number
The best way to avoid getting vished is to tell them you’ll call them back, and then end the conversation. From there, you can look up the company’s official number and call them back.
There’s a big difference between someone calling you and you calling them – if you’re calling their official phone number, you can be much more confident you’re talking to the right person.
Some scam callers push you to stay on the line and, if you hang up, call back repeatedly. Pushiness is not a reason to trust them. If you have already checked with the organization they claim to represent, you may already know the caller is a fraud, and at that point you can simply tell them so and hang up.
Take a Moment to Think Carefully
Scam callers are counting on you to slip up in the moment. The more time you take to think carefully, the less likely you are to give up sensitive information. Once you put the phone down, the pressure to act while the caller is on the line is gone.
That gives you more time and mental bandwidth to examine any emails they’ve sent you, looking carefully for warning signs like suspicious links or notices from your email service provider.
Until you have actually handed over sensitive information, it is never too late to press pause. If a caller asks for personal information or directs you to a website that asks for login details, that is your last chance to say you need to end the call, think it over, and call back on the official number.
Don’t Count on Caller ID
Just because your phone displays a name or a number doesn't mean the call is coming from that person. Both the displayed name and the number itself can be spoofed, so neither proves who is calling. Carriers have begun attesting caller ID (STIR/SHAKEN in the US), which makes spoofing harder, but it is not a guarantee and you should not treat it as one.
The best way to make sure you’re talking to the right person is to look up the official number and dial it yourself. Again, you should never trust unsolicited callers with any kind of sensitive information.
Watch Out for Links & Attachments
As you saw in the example above, vishing attacks frequently combine email and phone calls in a two-pronged approach.
You should always be wary of links in emails – all the more so if someone is urging you to click through. End the call so you can closely examine the link. That way, you’re no longer dividing your attention between your email inbox and an ongoing call.
From there, mouse over the link to see where it is pointing. Don't click; instead, right-click, copy the link address, and paste it somewhere you can read it in full. Look closely at the domain, not just the start of the address: scammers register domains that differ from the legitimate one by a character or two, or put the real company's name in front of a domain they control.
Even better, look the company up in a search engine or type its address yourself. If you navigate to the website on your own, you significantly lower your chances of landing on a fake.
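As an added example, not code from the original article, here is the link check from the tips above done in Python. It pulls every anchor out of an HTML email body, compares the visible link text with where the href really goes, and flags the usual tricks, including some the tips do not spell out (an "@" placing a fake host name in the userinfo part, a bare IP address, punycode or non-ASCII host names). The sample email, the attacker domains and the IP address are constructed for illustration; chase.com is used as the expected domain because the call example names Chase. The registrable-domain check takes the last two labels of the host, which is an approximation (correct suffix handling needs the Public Suffix List).

```python
"""Inspect the links in a suspicious email, the way the tips above describe.

Added example, not code from the original article. The sample email, the
attacker domains and the IP address below are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain you would type yourself to reach the bank named in the call example.
EXPECTED_DOMAIN = "chase.com"

# Constructed sample: anchors 1, 2 and 4 are attacker-controlled, anchor 3 is real.
SAMPLE_EMAIL_HTML = """
<p>We noticed suspicious activity on your account. Please
<a href="https://chase.com.verify-account-login.net/secure">review the charges</a>
or go to <a href="https://chase.com@198.51.100.23/login">https://www.chase.com/</a>.
Questions? <a href="https://www.chase.com/contact">Contact us</a>.
Mobile users: <a href="http://chase.co/login">log in here</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    (Assumption: real suffix handling needs the Public Suffix List.)"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(text, href, expected_domain=EXPECTED_DOMAIN):
    """Return the warnings for one link; an empty list means nothing looked odd."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        warnings.append("plain http, not https")
    if parts.username is not None:
        # https://chase.com@evil/...: the part before '@' is userinfo, not the host
        warnings.append(f"userinfo {parts.username!r} in front of the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a hostname")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized hostname, check for look-alike characters")
    if domain != expected_domain:
        warnings.append(f"registrable domain is {domain!r}, not {expected_domain!r}")
        if expected_domain in host:
            warnings.append("expected name appears only as a subdomain or prefix")
        elif edit_distance(domain, expected_domain) <= 2:
            warnings.append("domain is a near-miss of the expected one")
    # Visible text that looks like a URL must agree with where the href really goes.
    if "://" in text or text.startswith("www."):
        shown = urlsplit(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(shown) != domain:
            warnings.append(f"link text shows {shown!r} but the href goes to {host!r}")
    return warnings


def inspect_email(html, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, warnings), ...] for every link in an HTML email body."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, inspect_link(text, href, expected_domain))
            for text, href in collector.links]


if __name__ == "__main__":
    for href, warnings in inspect_email(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(warnings) or "looks consistent")
```

Run as a script it prints one line per link; only the real chase.com link comes back with no warnings. The interesting cases are the second and fourth anchors: the second shows the bank's own address as its visible text while the href actually goes to an IP address (the "chase.com" before the "@" is userinfo, which browsers ignore), and the fourth is a one-character near-miss of the real domain served over plain http.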
Finally, keep an eye out for attachments as well. Even innocuous-looking files such as PDFs can be rigged to deliver malware. Only open files from sources you absolutely trust, and be doubly suspicious of an attachment that a caller is urging you to open.
Closing Thoughts on Vishing
Vishing can be a potent threat, combining the sneaky tricks of phishing with the act-now pressure of a phone call. But with vigilance and a bit of awareness, you can hopefully spot these tricksters before they steal your sensitive information.
Above all, remember never to give out passwords or personal information over your phone. If anyone asks you for either, you should proceed carefully – and if they called you, you should assume they may be vishing and proceed accordingly.