Data Doctors: Vishing is getting more popular, more sophisticated

Q: What exactly is vishing?

A: The term vishing refers to voice phishing scams, which have grown in popularity lately, since so many people are working from home during the pandemic.

The most likely scam attempts you’ll face as an individual will be bank-related, as the scammers pose as someone from one of your financial institutions.

Credit card fraud is so common these days that we routinely have to verify a transaction, and that’s one of the scammers’ approaches. But they’ll ask you for “verification” information that banks never ask for, so pay attention.

Generally, there will be noticeable language quirks, since most scammers are based outside the U.S.

Other common vishing scams focus on IRS payments, prizes you’ve “won,” law enforcement threats or tech support scams.

A very dangerous scam designed to thwart 2-factor authentication has scammers calling you to say they are conducting a security check. They’ll ask you for the code that was sent to your phone, and if you fall for it, they can take over your account.

One of the reasons that vishing can be very convincing is that typically, scammers will use spoofed caller ID numbers that look legitimate.

Latest target: Remote employees

Businesses and workers have recently become bigger targets of the scammers, using very sophisticated operations that the FBI recently warned about.

The shift to working from home has created the perfect environment for targeting remote workers with very convincing blended attacks.

They start by researching companies through publicly available information to create a profile of the victim that can include their name, address, position, email address and how long they’ve been with the company.

They then create very convincing-looking websites that may even include the company logo to convince victims that they are from the company IT department.

In many cases, they’ll tell the victim that the company is switching VPN providers and that they need to go to a new website to connect to the company network securely.

What they’re really doing is capturing the login credentials so they can access the company network and launch a ransomware attack, which will lock down critical systems, and then demand a ransom.

Vishing protection tips

Since Caller ID spoofing is so easy to do, don’t take the number that appears on your phone at face value. The scammers know that many people will let their guard down when they see a number they recognize, so make sure you process what the caller is asking you to do.

Letting calls go to voicemail can help you identify suspicious calls because the scammer has to leave a message for you to call them back. This gives you an opportunity to cross-reference the callback number or contact your IT department through other means (text or email) to verify the request.

If they claim to be from your bank, never call the number they leave on the message. You should only call the number that is on the back of your bank card to verify the information.

Company IT departments need to provide very clear security protocols and channels of communication to their remote employees to minimize the chances of being compromised by clever vishing scams.

More from WTOP

Log in to your WTOP account for notifications and alerts customized for you.

Sign up