For years, we’ve been talking about the dangers of phishing emails and have warned businesses accordingly. Still, phishing is a serious problem and one of the biggest sources of cyber losses. Hackers keep using phishing tactics because they work.
It’s good for us all to remember that we should never, ever, click links in emails that appear even remotely suspicious, unexpected or odd, etc. Always look at email messages with skepticism and you are more likely to avoid inadvertently activating malicious code.
Now, that we’ve covered the requisite warning, on to a new spin on phishing: voice phishing (also known as “vishing”).
What is voice phishing?
It works something like this. You receive a completely unsolicited phone call to your telephone coming from an ID that may identify itself as a credit bureau or bank.
The person on the other end of the phone will identify themselves as part of the security division for your bank or credit card company. They will then inform you that your card has been used for suspicious transactions somewhere out of state and they need to know if you wish to put a freeze on the account until you can receive a free replacement debit or credit card. As confirmation of this, they may use your home address and the last four digits of your bank card.
Be aware of the voice phishing scam!
Of course, most of us will say yes to this instantly. But then, the call will get weird. The “bank official” may ask for the three-digit security code on the back of the card so you can verify that the card is yours. Or they may ask for your personal identification number (PIN) or the answer to your online banking security question such as your mother’s maiden name. This should then set off alarm bells for you.
Unfortunately, many people don’t bat an eyelash because the bank has already provided enough details to make one think the call is legit. Once you give them the information they have requested, they have you. They can now use your card illegally to make actual fraudulent transactions (as opposed to the ones they claimed to have stopped).
Another variation on this scheme includes an automated voice that may sound human at first, but after some questioning turns out to be a robocall using a script. This automated voice call will go through the same “verification” process, but will ask you to input your PIN or CSV number. Again, this is a scam, but a pretty sophisticated one.
How are hackers targeting with correct information?
These hackers are using just a few tools that are at their disposal. First, they use software to cloak their phone number so that it appears to be coming from a source that you trust such as your bank or credit union.
Then, they take a few basic pieces of information and feed them back to you as a means of making you think that the call is legitimate. But your home address is not something that should be taken as proof of authenticity since this information can be readily found with an Internet search. Additionally, the last four digits of a bank card are not enough to verify since this can be found on receipts that you may leave behind at a restaurant or throw into the trash can.
In fact, you may have them read the whole card number and still be talking to a hacker who has stolen your card number through an online data breach and are just “vishing” for your PIN or CSV number, which is the last piece of the puzzle they need to illegally use the card.
How can I protect myself from a voice phishing scam?
The best way to protect yourself if you receive a call that is suspicious is to stop and inform the caller that you will call them back yourself. If they are a legitimate banking officer, they will agree to this and you can simply call the 800-number on the back of your credit or debit card. (It may even be the same number you think you are talking to thanks to the hacker’s phone number cloaking technology.)
However, when you call the bank on your own, you will find that the whole thing is a scam. If the caller tries to stop you from hanging up, don’t listen. This is just more of them trying to draw you in with a confidence scam. Contacting the bank is the best bet for protecting yourself and your account.
There are all sorts of nefarious plans out there to steal not only personal funds, but also those belonging to your business. INSUREtrust is here to help you protect your business from the dangers of cyber attacks. For more information on how to protect your company, sign up for our newsletter.