In the latest in a series to increase awareness among businesses of the potential threats they face from scammers, we look at vishing – including how it works, who is most at risk and how to stay safe.
Last updated: 06 May 2020
What would you do if someone phoned to tell you the police were coming to arrest you for failing to pay your taxes? Correct answer: nothing – because this is the latest vishing scam, in which fraudsters use the phone to pose as genuine organisations to fleece you out of money or sensitive information.
You might think you wouldn’t fall for this (HMRC, by the way, has no direct legal authority to arrest you), but every vishing victim says the same thing: the caller sounded so convincing.
“Vishing isn’t as publicised as other scams,” says Jason Charalambous, head of information security at cyber-defence firm Bulletproof. “Yet it’s by far the most successful because it exploits the human psyche in a different way. It has a direct human contact element that other fraud methods do not.”
Vishing is the telephone version of phishing (email fraud). And it’s common – 70,000 suspicious calls were reported in the UK in the year to April 2019, according to figures from Action Fraud, the national centre for fraud and cybercrime.
“It’s the next logical step,” says Charalambous. “When people rumbled the ‘Nigerian prince’ phishing emails asking for money, they [cyber criminals] made automated calls urging people to ring a number, and now people are wise to that, they’ve moved into sophisticated human interaction.”
Vishers can claim to represent the taxman, your bank, your internet service provider, a company supplier – even, in large organisations, your boss. They may ask you to transfer money, divulge or change payment details or confirm system passwords. They “spoof” a number, making your phone’s caller ID show a trusted contact, but beyond that, they simply use a silver tongue and an unsuspecting target for a technique called social engineering.
“This is not about fraudsters making you trust them but making you believe that they trust you,” says vishing prevention expert and author Chris Hadnagy. “The notion that we feel trusted releases oxytocin in our brains and manipulates the amygdala, the part of the brain that processes emotion, and it builds feelings of rapport.
“Social engineers actually operate like children. They get us to do things we never thought we would by getting us to like them and trust them, often with a sense of urgency. This prompts chemical reactions and makes our brains take actions we shouldn’t.”
The biggest red flag is that the caller will try to persuade you to disclose personal or financial details, passwords – or money. Banks and other professional service providers will never ask you for account numbers or personal details over the phone, nor will they ask you to install third-party software, which can allow a fraudster to take control of your computer remotely. Also, banks (and the police and HMRC) will never ask you to move your money to a ‘safe account’; criminals also use this as a ploy to convince you to authorise fraudulent payments to third-party accounts.
Beware unsolicited calls – even if the caller purports to be your bank, solicitor, insurer or any other business contact. Along with a ‘spoofed’ number, a crook can easily read your firm’s website or promotional materials and reel off information that gives the impression they’re a trusted contact.
“Anything that rushes you to act is a warning,” adds Charalambous. “Never trust an unknown caller who needs a quick decision.” But conversely, says Hadnagy, the caller may knowingly apply pressure by slowing a call down. “Some businesses time their staff’s calls and impose sanctions if they take too long,” he says. “If the fraudsters know this and spin out the call, the victim will do anything to get rid of them quickly.”
Asking you to call back on a number beginning with 09 is another tell-tale sign you’ve been targeted – that’s a premium rate number. Even if they suggest calling back on the number on your bank statement, be wary. When you hang up in order to make a new call, they’ll stay on the line, play you a dialling tone and pick up, impersonating a bank representative.
The criminal’s key weapon is emotional manipulation, to instil feelings of reassurance and empathy, or panic or fear. Says Charalambous: “One fraudster recently called a real estate company about buying a house. He was so friendly and jokey and built sufficient trust that, when the fraudster sent over an email in the course of the conversation, the estate agent opened it and unleashed malicious code that gave the fraudster access to the firm’s computer system.”
Similarly, a female scammer recently called a mobile phone company requesting her family’s log-in details because she’d ‘lost’ them – to the artificial soundtrack of a baby crying. Her demeanour as a polite, friendly but stressed mother persuaded the staff member not only to give her the account log-in details but to change the password, locking out the genuine account holder.
There have also been instances where victims have been kept on the phone for hours, or instructed by the fraudster to turn off their monitor whilst the fraudster fixes a ‘fault’ – a ruse used by criminals to shield onscreen activity whilst they take over the victim’s PC.
The examples mentioned are a timely reminder to never overlook the importance of listening to your instincts, and having the confidence to halt the call and seek help. The reason why social engineering scams like vishing work so well is that criminals use them to exploit people’s natural tendency to trust and use this to manipulate them into providing confidential information or completing an action.
But as the crooks get smarter, fortunately so does anti-vishing technology. The US biometric behaviour company BioCatch recently launched a program that detects hesitancy and reluctance in a phone user’s voice. It then flags these behaviours to third parties in real time, enabling them to act immediately to stop the phone user being scammed. But even if you don’t have sophisticated software, these tips should go some way towards deterring the scammers.
1. Don’t panic. “This is the most important rule,” says Charalambous. “When you panic, you don’t think straight and are more vulnerable. Challenge them, but initially in a polite way – they may be genuine, in which case they should happily accept however you want to check them out.”
2. Verify their ID. Ask them details only a genuine contact would know – such as your service contract arrangements or when a rep last visited you. “This can also be done with simple two-factor authentication,” says Charalambous. “It could be a ‘magic word’ that your genuine contact always uses, or you could agree they always automatically text you just before they call. And introducing two-factor authentication on computer security means that even if the crooks get a password, they still can’t get in.”
3. Check the call – from a different number. Call a known contact at the organisation or use a number obtained from a trusted source. “Always do it from a different phone line,” says Charalambous. “You need to be sure they won’t intercept the call.”
4. Do not divulge. Never give out any passwords, bank details or other sensitive information. Also, avoid disclosing personal information about yourself – this helps them strike up a rapport.
5. Hang up. The longer they keep you on the line, the greater their chances of defrauding you. After the call, if you suspect they have tried to impersonate one of your contacts, let that contact know and report the call to Action Fraud.
6. Teach your team. Have a written anti-vishing policy, advises Charalambous. “As well as regularly reminding your team of the tell-tale signs, a written document will remind them how to react. Vishers are so sophisticated that with personal profiling and looking at social media accounts, they can even determine which individuals in which firms are most vulnerable, and target them specifically. But if you’re vigilant, and listen to your instincts, you can defeat them.”