What Is Vishing, and How Can You Avoid It?
When can a phone call be dangerous? In vishing attacks, thieves are using phone scams to trick people into giving away money and personal information.
You may have recently gotten a call from someone claiming that your taxes are late. Or maybe a robotic voice on the phone told you that your Social Security Insurance has been compromised. You aren’t sure whether to trust the calls, and that’s a good instinct, because they could be vishing.
So, what is vishing, and how can you avoid it?
Vishing is a type of phone scam that is one of the top mobile threats of 2022. It involves calls from scammers trying to trick you into sharing personal information. Vishing can take the form of a car warranty scam or even a fake warning that there is a warrant for your arrest. To protect your online security, it’s crucial to know how to identify a scammer and make sure you don’t give them any personal or financial information.
If you haven’t been targeted by vishing scams yet, it’s important to learn what they are, how to identify them and how to stay safe. Here’s what you need to know about what vishing is and how dangerous it can be.
What is a vishing attack?
Vishing, also called phone call spear-phishing or phishing voice calls, is a form of social engineering. It is the act of using human interaction and manipulation to obtain sensitive information about a person, organization or its computer systems, says Nick Santora, CEO and founder of Curricula, a security awareness training platform.
Put more simply, this is a kind of scam where a hacker finds out information about you, calls you pretending to be a company or person that you trust and uses that trust to steal information about you. This can include your Social Security number, bank account number, credit card information or even passwords to your work accounts.
“Hackers rely heavily on information gathering. A simple online search, reviewing your social media accounts and even looking through your garbage are just some of the ways bad actors can gather information about you,” says Santora.
A 2019 study of 5,000 mobile phone subscribers in the United States found that 75% of phone scammers already had personal information about the person they were targeting. They used this data as a way to trick their vishing victims.
Scammers also often use another form of trickery when vishing. They use apps to make calls so that your phone’s caller ID says that the calls are coming from a trusted source. This scamming technique, called number spoofing, is just the beginning of what vishing is capable of.
What is the difference between phishing, smishing and vishing?
A scam is labeled depending on how the scammers gather their information. According to Santora, phishing gathers information via a phishing email, social media or other online channels. Vishing, on the other hand, uses a phone conversation to gather sensitive information from victims. SMS phishing (smishing) is when a hacker uses text messages instead of voice or online means to try to obtain sensitive information.
Why are vishing attacks so common?
“Vishing social engineering tactics are widely regarded as one of the largest cyber threats today,” says Santora. According to the Federal Bureau of Investigation (FBI), one of the reasons vishing is so popular is that more and more people are working at home due to the COVID-19 pandemic. At home, security measures are typically more lax, allowing hackers to access the information they need more readily. Also, with more people working from home, scammers have increased opportunities for catching people off guard—a situation they are exploiting, notes digital privacy expert Ray Walsh.
Scamming workers through vishing became so popular that in mid-2020, the FBI and Cybersecurity and Infrastructure Security Agency issued an advisory about it.
One example of vishers exploiting workers happened in July 2020. More than 100 Twitter accounts were breached using a simple vishing tactic. To gain access to the accounts, the hacker called members of Twitter’s staff and tricked them into giving away login information of high-profile accounts, including President Joe Biden (who was candidate Biden at the time), former president Barack Obama, Elon Musk, Jeff Bezos, Bill Gates, Kanye and Kim Kardashian. The hacker then used the accounts to try to get their followers to send him Bitcoins. The scammer collected more than $100,000 but was apprehended by authorities not long after.
Overall, hackers find vishing a fast, effective way to scam, especially since these calls cannot be stopped with technology alone. There is really no way to track or stop these calls before they happen.
How to recognize a vishing attack
Vishing attacks can come in many forms. Knowing some of the more popular ones can help you identify when a caller is trying to vish you. Here are some common vishing scams:
Government service (IRS, Social Security Office, etc.)
This is one of the trickiest vishing scams. Nobody wants to be in trouble with the government, so a phone call pretending to be from the IRS or Social Security Office can seem very official and intimidating. However, a real government agency will never ask for private information or any kind of payment over the phone. These scams are meant to lull you into a false sense of security, or sometimes to scare you into complying with a threat of legal action. Stay calm, and don’t let this call frazzle you into giving money or information to a scammer.
Winning a prize
The person on the line claims you won a prize, but you don’t remember entering a contest. They are promising you an exciting gift like money, a gaming console or even a vacation—all you have to do is send them your personal information, so they can send you your prize. Don’t fall for it! There is no contest and no prize. The only thing you will win in this scam is hardship when the scammer is able to steal your identity or your money.
You get a call from somebody pretending to be from your bank. They ask for information about your account, supposedly to confirm or update your account details. But really, it’s a scammer trying to get into your bank account! Bank scams are particularly worrisome because you can lose all your savings by giving your confidential account information to the wrong person. Always confirm information with your bank in person or via a secure online portal, not over the phone.
Your child’s school
You might get a call claiming to be from your child’s school—whether or not you have a child! The scammer will ask for your or your child’s personal information under the guise of updating records. Or they might ask for payment for an unexpected expense, like a school trip or damage done to school property. This is a form of spoofing, where a scammer pretends to be someone else—like a school principal or secretary—to commit fraud.
This is one of the easier vishing scams to recognize and avoid. No legitimate business or person will ask to be paid in gift cards—this is an attempt to get you to send them money that is untraceable. If somebody calls and asks you to buy gift cards for them, promising that this will save you from legal trouble or that you’ll be helping somebody out, hang up the phone. Also beware of Facebook scams and crypto scams, which work on similar principles.
Someone calls you claiming to be from the business where you work. They might pretend to be from the IT department and request login information to the company’s programs or your computer. To protect your password security, never give out your personal passwords or any confidential information over the phone. Verify any requests for your personal work info or any company materials with your boss or head of IT.
Unfortunately, fake donation scams do exist. A scammer will call you and prey on your sense of generosity or goodwill by asking if you want to donate to charity. However, any money you “donate” will go straight to the scammer, and none to people in need. Donate only to reputable charities and not to any group that cold-calls you. Real charities will have accreditations that you can check online to make sure they are legit.
How to avoid a vishing attack
Now that you know what vishing is and its most common forms, there are some things to remember when you’re on the phone. This advice is also helpful for avoiding online scams of all kinds! Santora offers these tips:
Verify the authenticity of a caller by using alternative methods such as hanging up and calling back a verified business line or visiting the website of the organization directly.
A visher will often try to convince you that they have your sensitive information already, then ask you to quickly verify it. Slow down, and do not give out sensitive information to an unknown caller.
Play it safe
If asked to disclose sensitive information, stop and ask yourself, Do I really know who is making this request? When you don’t feel comfortable providing information, don’t. Being safe with sensitive information does not mean you’re being rude.
Stop to think
Hackers want you to act before you think. Don’t allow them to change your behavior based on a false sense of urgency. When you feel that something isn’t right, stop and verify the authenticity of the request.
Also, always be wary of any questions that could cause you to say “yes.” Scammers have been known to use recordings of people’s voices to trick them into believing they have entered verbally into a contract. Scammers usually use these voice recordings as leverage to make the victim pay an outstanding balance, said Walsh.
Most important, if you feel like you’re on the phone with a scammer, hang up.
- Nick Santora, CEO and founder of Curricula
- First Orion: “First Orion Reports Scam Callers Now Leveraging Data Breaches In New ‘Enterprise Spoofing’ Strategy”