June 24, 2021
By Pavel Jirik in Blog
You are probably well aware of the existence of cybercrime. It is nothing new that scammers have moved their activities to the Internet or that they are always looking for new ways to commit crimes using technology and digitalization. The COVID-19 pandemic prompted many companies to transfer their operations online, creating a lot of new “opportunities” for cybercriminals. Today we want to look at one particular type of cybercrime that has been emerging lately.
Have you heard of vishing? Do you know what it is, what risks it involves, and how you can avoid it?
What is Vishing?
Vishing is a type of scam in which a cybercriminal uses a phone call to pretend to be a representative of a reliable organization or institution, or tries to impersonate one of their clients. To succeed, a cybercriminal aims to trick the target into handing over their personal data by citing security reasons. They may also try to convince an organization that they are the person they are pretending to be. The final goal of vishing is to steal a person’s identity, usually so that the impersonator can obtain access to that person’s bank account and steal money.
The word 'vishing' is a combination of 'voice' and 'phishing'. Phishing is the use of deception to trick individuals into revealing personal or confidential information about themselves, or to cheat an online system and gain access to someone else’s data or account.
However, instead of using email or fraudulent websites like phishers do (those who use phishing methods in order to scam people), vishers use a phone or an internet phone service known as VoIP (Voice over Internet Protocol).
Impersonating a person, a legitimate business, or a public administration with the aim of defrauding people is not a new phenomenon. Vishing is simply a new twist on an old theme. In fact, vishing has been around for almost as long as internet telephone services. It’s a much more "anonymizable" channel and therefore potentially enables one to commit a crime with impunity.
Cybercriminals use what is known as social engineering - a combination of scare tactics, pressure, and emotional manipulation to try and trick people into providing their information. They reach out to the target and inform them that they need to act quickly if they want to prevent a problem (e.g., a data breach), then instruct them what to do. But, instead of helping their target, they obtain personal data that can be used to commit crimes.
To help their credibility, vishers even create fake caller ID profiles (known as 'caller ID spoofing') that make the phone numbers they use appear legitimate.
Although the public is becoming increasingly aware of the dangers of providing confidential information by telephone or over the Internet, vishing is a crime that continues to affect thousands of people around the world every day.
Examples of Vishing
Many of the reported fraud complaints share a similar modus operandi, relying on a few recurring scenarios, motives, or social engineering tricks to commit crimes.
Here are some of the most common examples of vishing:
"Compromised" Bank or Credit Card Account
Whether the call comes from a person or a pre-recorded message, the victim will be informed that there is a problem with their account or a payment that they made. The alleged issue usually concerns a significant amount of money.
The cybercriminals may ask for login credentials so that they can fix the problem or prompt the target to make a new payment in order to verify their identity. Instead of providing the requested information, it is advisable to hang up and call the financial institution yourself directly as a means of verifying the claim.
Unsolicited Loan or Investment Offers
Cybercriminals will call a target with offers that are too good to be true. For example, the chance to earn a huge sum from a small investment, pay off all debts with a quick fix, or get all loans annulled at once.
Usually, cybercriminals ask people to act quickly and urgently, with the victim having to pay a relatively small fee. It is important to know that legitimate lenders and investors do not offer such deals, nor do they initiate contact out of the blue, and certainly not over the phone.
As a general rule, consumers should avoid providing bank account details over the phone. They might be intercepted by a cybercriminal or someone who is listening to the call, either via the Internet or simply in close physical proximity.
Social Security Scams
Phone calls are the most common method used by cybercriminals to reach older people. They pose as social security representatives and try to obtain financial information from the victim, such as their social security number or bank account details, with the aim of using this data later to access their accounts or steal money.
There are many variations of this type of scam, but generally, the victim will receive a pre-recorded message informing them that something is wrong with their tax return, and that if they do not return the call, a warrant will be issued for their arrest, their data will be added to a public delinquent list, or all of their accounts will be blocked.
Cybercriminals often combine this action with a spoofed caller ID to make it look like the call is coming from the IRS.
How Can Companies Prevent Vishing with Voice Biometrics?
Educated consumers and aware users are an important element of every data security strategy. However, it’s the institutions that must be the most vigilant and constantly provide technical solutions that can prevent vishing and any other type of phishing.
After vishing a victim, a criminal will often attempt to commit identity theft by calling the victim’s bank and impersonating them. Because of that, introducing voice biometrics can be the last barrier between a client's account and criminals. The implementation of passive voice biometrics in particular can massively help prevent vishing. Passive voice biometric methods do not depend on what is being said or the language it is spoken in, so they can run automatically and continuously in the background of a call to verify the caller's voice regardless of what they are saying.
That’s why introducing passive voice biometric authentication is one of the ways to counteract cybercrime and protect customers’ data.
Near real-time voice authentication can spot fraudulent attacks in seconds by comparing a client’s stored voiceprint (a mathematical representation of someone’s voice) to the voice that is speaking on a phone call. This is possible because voice biometrics compares hundreds of unique voice traits that people are not even aware of to establish a person’s identity.
Passive voice biometrics is effective here because it enables a passive layer of security by using an individual’s unique characteristics to identify them.
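The comparison described above, as an added example (not code from this post or from any vendor's product): each speech window of a call is folded into a running voiceprint and scored against the enrolled one, and no decision is made until enough speech has been heard. The embeddings are constructed 4-dimensional vectors, and the threshold, window count, cosine scoring and the `step_up` outcome are illustrative assumptions.

```python
import math

# Assumed values for illustration; a real system tunes these on its own data.
ACCEPT_THRESHOLD = 0.75  # cosine score at or above which the caller matches
MIN_WINDOWS = 3          # speech windows required before any decision


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class PassiveVerifier:
    """Scores a live call against one enrolled voiceprint, window by window."""

    def __init__(self, enrolled_voiceprint):
        self.enrolled = enrolled_voiceprint
        self.total = [0.0] * len(enrolled_voiceprint)
        self.windows = 0

    def add_window(self, embedding):
        """Fold in one speech window and return (decision, score)."""
        if len(embedding) != len(self.enrolled):
            raise ValueError("embedding size does not match the voiceprint")
        self.total = [t + e for t, e in zip(self.total, embedding)]
        self.windows += 1
        if self.windows < MIN_WINDOWS:
            return ("pending", None)  # too little speech to judge yet
        # Cosine ignores scale, so the running sum scores like the mean.
        score = cosine(self.total, self.enrolled)
        decision = "match" if score >= ACCEPT_THRESHOLD else "step_up"
        return (decision, round(score, 3))


def verify_call(enrolled, windows):
    """Run a whole call through the verifier; return the last decision."""
    verifier = PassiveVerifier(enrolled)
    decision = ("pending", None)
    for window in windows:
        decision = verifier.add_window(window)
    return decision


# Constructed vectors standing in for speaker embeddings (not real data).
ENROLLED = [0.9, 0.1, 0.3, 0.2]
GENUINE_CALL = [[0.8, 0.2, 0.3, 0.1], [0.9, 0.0, 0.4, 0.3], [1.0, 0.2, 0.2, 0.2]]
IMPOSTOR_CALL = [[0.1, 0.9, 0.2, 0.7], [0.2, 0.8, 0.1, 0.6], [0.0, 1.0, 0.3, 0.8]]
```

Here `step_up` stands for handing the call to an additional verification step rather than rejecting it outright, since a low score can also come from a poor line or a cold.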
Preventing vishing is essential because internet fraud can mean more than a data breach: a cyber attack can have many negative consequences for an organization. It damages their reputation, reduces trust in them, and may lead to financial losses, regulatory fines, or intellectual property loss.
Tips on How Consumers Can Avoid Becoming Victims of Vishing
Even if companies do their best to prevent phishing or vishing attacks aimed at gaining access to a client's bank account, they cannot stop vishers from calling their clients to attempt vishing attacks. Hence, clients need to be vigilant when any of the scenarios described above occur.
To help reduce your vulnerability to such scams, here are five tips on how to avoid vishing:
Use a Caller ID Application
Countless available VoIP solutions make it possible to create fake numbers easily. Therefore, a good way to avoid fraudulent calls would be to download an application that identifies numbers and detects those that are not connected to a standard mobile phone.
Do Not Click on Links or Respond to Prompts
If you receive an automated message or a text message asking you to click on links or answer questions, you should simply not do so. Examples include voice or text messages like: "Press button 2 and provide your user ID to remove yourself from our list", "Press this link to receive a 50% discount on our latest clothing collection", or "Say 'yes' to speak to an operator", followed by a request for personal information that could be used to commit a cybercrime.
Verify the Identity of the Caller
If a caller provides a callback number, it may be part of the scam, so it’s not advisable to use it. Instead, you should find the official phone number of the company or institution that is supposedly contacting you and call them, or go to one of their physical locations, to confirm the identity of the caller.
Never Give Out Personal or Confidential Information
A banking institution never asks for debit or credit card details, data on an ID card, or an exact address, etc. If in doubt, it’s best to call the organization in question and notify them about being asked for confidential information by someone claiming to represent their entity.
Hang up if You Suspect a Crime
The moment you suspect that a cybercriminal is calling is the moment to hang up. Cybercriminals are often very persuasive through manipulation and social engineering techniques, so the best way to deal with them is to simply hang up immediately and block the number.
As already mentioned, banks or call centers have to educate their clients on how to avoid scams. However, these institutions are also the target of cybercriminals themselves, which is why they need to make use of effective solutions to reduce the impact of vishing like passive voice biometrics.
In many cases, voice biometric authentication becomes the last barrier between a successful vishing attempt and the breach of a client’s account. That’s what makes passive voice biometric authentication methods particularly effective solutions to the problem.