AbleToTrain by Willing & Able

How to identify and defend against voice phishing scams

What is Voice Phishing?

Voice phishing (vishing) is a phishing scam in which cybercriminals disguised as trusted sources make unsolicited phone calls to obtain personal information that can be used to commit fraud, hijack identities, or steal money. It is a kind of.

Alternatively, a scammer can send a phishing email containing a phone number, tricking the victim into calling to investigate the fake content of the email. Vishing calls use 800 numbers, caller ID spoofing, or VoIP technology to impersonate trusted organizations or individuals. Once scammers are on the phone with a victim, they often use social engineering techniques to persuade the victim to provide personal information such as passwords and credit card numbers. Voice phishing attacks can target anyone, but often focus on older people and employees who regularly interact with people outside the organization.

Vishing vs Phishing vs Smishing: What’s the Difference?

Cybercriminals use different media for vishing, phishing, and smishing.

Here’s how the three methods differ:

  1. Vishing: Phone call scams that compel victims to share sensitive information verbally

  2. Phishing: Email scams that entice victims to click links that download malware or visit fake websites (pharming)

  3. Smishing: Text message scams that also tempt victims to click malicious links or visit fake, redirected websites

Vishing Attack Examples

Here are six examples of common vishing attacks:

  • IRS Tax Scam

IRS vishing attacks usually involve a prerecorded message explaining that there’s an issue with your tax return and that you should call the IRS (on a number they provide, of course) immediately.

  • Tech Support Attacks

In tech support vishing attacks, scammers impersonate personnel from companies like Apple, Microsoft, and Google to report suspicious activity on your online account. In addition, they often ask for an email address to send software updates, which turn out to be malware downloads.

  • Bank Impersonation Scam

In bank impersonation scams, scammers impersonate credit card companies, banks, and other financial institutions to gain access to your accounts. The fraudsters tell you there’s been suspicious activity and ask you to verify your account details, along with your login credentials, to “fix” the problem.

  • Social Security or Medicare Scam

Senior citizens are common targets of cybercriminals because of their inexperience with phishing scams. Scammers impersonate Social Security or Medicare representatives to acquire account information that allows them to request a new Social Security number in the victim’s name.

In addition, many older adults prefer the phone to email or text messages, so they fall victim to vishing scams more frequently than to email phishing or smishing attempts.

When looking at cybercrime victims by age group, nearly 22% of all complaints received by the FBI in 2020 involved victims over the age of 60, with reported losses in excess of $966 million.

Note: If you have friends or family members whom you suspect are vulnerable to these types of scams, tell them that the IRS, Social Security Administration, or Medicare will never threaten them or call them to request personal information.

Federal agencies will never initiate contact with you by phone, email, text, or social media to request personal or financial information. Never.

  • Delivery Scams

Online shopping has become so ubiquitous that it’s hard for anyone to remember what they have (or haven’t) ordered, and scammers know this. So fraudsters have posed as being from Amazon, alerting customers about shipping discrepancies and giving them a phone number to call if they have questions about their (fake) orders.

If a customer called the number, they would speak with a live person who pretended to work for Amazon and proceeded to extract personal information from these unwitting victims. With peaks of online shopping activity like Prime Day being a regular part of our lives now, it’s important to stay vigilant against these shopping-based vishing scams.

  • Loan and Investment Scams

When an offer sounds too good to be true, it usually is. So always be skeptical of any investment opportunity that promises exorbitant returns or loans that pay off debts surprisingly quickly.

How vishing emails avoid detection

How do these emails reach the intended victim when vishing is initiated through a phishing email? There are three reasons for this.

  • Email does not contain a link

It’s easy for security tools to intercept emails that contain malicious links. However, a vishing email prompts the recipient to make a call and does not need to include a detectable link. In many cases, the focus is on making a call rather than on clicking a CTA, which may lead nowhere or not be clickable at all.

  • Emails are from “real” senders

Even emails that impersonate a trusted sender can pass authentication checks (DKIM, SPF, DMARC, etc.) when sent from a personal email address such as a Gmail account.

  • Email security tool had no effect

When an email passes the above filters, email security tools such as Microsoft Exchange Online Protection (EOP) often classify it as low risk and deliver it to your inbox without any problems. This is a big problem, but it’s also very common. Unlike URLs, which are tracked by the security community and shared as threat intelligence, phone numbers are not a structured or scalable indicator of compromise that can be tracked. This makes it more likely that a vishing attack will bypass static or deterministic security controls.

Voice phishing prevention: The basics
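The three reasons above can be turned into content signals that a mail filter scores together. The following is an added example, not part of the original article: the brand and free-mail lists, the `freemail.example` domain, the function names, and both sample messages are constructed assumptions. It works on message content only, because such a message passes sender authentication.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; "freemail.example" stands in for a consumer mailbox.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}
BRANDS = {"amazon", "microsoft", "apple", "google", "irs"}
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)

def body_text(msg):
    """Concatenate every text/* part (plain and HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def callback_lure_signals(raw_email):
    """Return the three signals and their count for one RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    signals = {
        # 1. Nothing for a URL scanner to inspect.
        "no_link": not URL_RE.search(body),
        # 2. The lure is a phone number plus a prompt to call it.
        "phone_call_prompt": bool(PHONE_RE.search(body) and CALL_RE.search(body)),
        # 3. Brand in the display name, consumer mailbox behind it.
        "brand_on_freemail": domain in FREEMAIL
        and bool(set(re.findall(r"[a-z]+", display.lower())) & BRANDS),
    }
    return {"signals": signals, "score": sum(signals.values())}

# Constructed sample messages (555-01xx numbers are reserved for fiction).
LURE = """\
From: "Amazon Support" <orders.desk@freemail.example>
Subject: Order confirmation

Your order of $499.99 has shipped. If you did not place this order,
call 1-800-555-0100 immediately to cancel.
"""
BENIGN = """\
From: "Alice Example" <alice@example.org>
Subject: Lunch

Lunch at noon? Menu: https://example.org/menu
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, callback_lure_signals(raw))
```

A score of 3 is a candidate for quarantine or review; a score of 2 (for example a colleague's signature with a phone number) is common in legitimate mail and should not be blocked on its own.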

Here are six things you can do to protect your business from voice phishing attacks:

  • Incorporate additional tools into your email security strategy

  • To increase protection against phishing, vishing, or BEC (Business Email Compromise) attacks, we recommend that you use an additional layer of security to enhance your built-in email security.

  • Don’t talk to strangers (or robots)

Here are some simple tips for answering calls:

  • Do not answer calls from unidentified numbers. If in doubt, forward the call to voice mail and listen carefully to the message. Caller IDs and phone numbers can be spoofed, creating a false sense of security.

  • If you answer a call that you think is suspicious, hang up and block the number. Do not call the number back. Instead, get the organization’s phone number from its official website, your credit card, or a bank statement. Be careful about pressing buttons or responding to voice prompts that ask you to answer a “yes” or “no” question. Scammers often identify potential targets for further robocalls when someone actively participates in the charade.

  • Beware of social engineering tactics

  • Stay calm when someone tries to scare you or put pressure on you. Scammers do their work by exploiting deadlines, intimidation, and urgency.

  • If you are threatened with account suspension, arrest, or a demand for immediate payment, be careful and do not disclose sensitive information.

  • On the other hand, phone scammers can also pretend to be polite, amiable and trustworthy to gain access to your information and bank accounts. If you think you are providing too much information over the phone to strangers or suspicious people, be careful and hang up, no matter how polite they may be.

  • Do not share sensitive information over the phone

  • No matter how “official” or confident the caller sounds, be suspicious of anyone who requests your account number, PIN, login credentials, or other sensitive information over the phone. Trust your gut: if you think you’re in a voice phishing conversation, hang up. Better safe than sorry.

  • Request proof of identity

  • Don’t be afraid to ask callers to prove their identity. If the caller is from a reputable organization, they can easily tell you where they are calling from, who they are, and why they are contacting you.

  • Get the caller’s name and call back using the number you find on the official website or company documentation instead of the number provided.

  • Take time to train your employees on the anti-phishing procedures described here and do so on a regular basis. As attacks become more diverse and sophisticated, employees cannot afford to overlook the latest cyber threats.