Vishing, short for “voice phishing”, is a type of social engineering scam that uses phone calls or voicemail messages to trick people into giving away sensitive information. Unlike traditional phishing scams that use email or text messages, vishing attacks rely on the power of voice to create a sense of urgency and credibility.
How vishing works
Vishing attacks often begin with a recorded message or an automated call that prompts the recipient to call back a specific phone number. The number typically belongs to a fake customer service department, bank or government agency, and once the victim calls back, they are greeted by a professional-sounding operator who tries to extract personal information such as credit card numbers, social security numbers, or login credentials.
Check Point Research recently discovered a vishing attack called FakeCalls, an Android Trojan that masquerades as financial applications and imitates phone conversations with bank employees. This type of attack has a long history in South Korea, causing financial losses of approximately $600 million in 2020 and affecting 170,000 victims between 2016 and 2020. The FakeCalls Trojan targets the South Korean market and can extract private data from victims. It highlights the need for individuals and businesses to be vigilant when using financial applications and speaking with bank employees over the phone.
How to protect yourself from vishing
Here are some practical tips to avoid falling victim to vishing scams:
- Do not disclose personal data: Be wary of vishing attacks that aim to trick you into giving away personal information that can be used for fraudulent purposes or future attacks. Never reveal passwords, multi-factor authentication (MFA) numbers, financial data, or similar information over the phone.
- Verify caller identities and phone numbers: Scammers may call pretending to be from a legitimate organization. Before sharing any personal data or taking any action, ask the caller for their name and call them back using the official number listed on the company’s website. If the caller resists your request, it’s likely a scam.
- Do not pay with gift cards: Vishing scammers may demand payment for unpaid taxes or other fees in gift cards or prepaid Visa cards. Legitimate organizations will never request payment with a gift card or prepaid credit.
- Do not grant remote computer access: Vishers may request remote access to your computer to “remove malware” or fix an issue. Never give access to your computer to anyone except verified members of the IT department.
- Report suspicious incidents: Vishing attacks often target multiple victims. If you suspect a vishing attack, report it immediately to your IT department or law enforcement so that they can take action and protect others from the same scam.
Vishing scams are becoming more sophisticated and harder to detect, but by following these tips, you can reduce your risk of falling victim to them. Stay vigilant, stay informed, and stay safe.
