What Is a Vishing Attack and How to Protect Yourself Against It?

You've probably heard of phishing. It's a scamming technique where an email or other digital message is sent to you, pretending to be a bank or online service. You'll be told something is amiss. Perhaps your password has expired, or it's your banking saying you've been the victim of fraud. 

There's usually a link in the email as well. If you click on it, you're taken to a fake version of the real site. You're tricked into typing in your real credentials, and the attackers get your login details! Sometimes, all they want is personal information that can be used against someone else or in a different type of attack. As if phishing wasn't enough, now we have to contend with vishing attacks - a relatively new twist on phishing that's not as easy to defend against.

What Is Vishing?

The word vishing comes from the words "voice" and "phishing." So, in essence, it's voice phishing. Vishing is perpetrated over the phone, over voice-over-IP applications, or any digital method of talking with someone directly using your voice.

The Vishing Attack Pattern

Vishing attacks are mainly a form of social engineering attack. That is, it targets weaknesses in human psychology to reach its aims.

While each specific scam is unique in its details, they have common elements:

• A scenario that puts you under some sort of pressure involving fear, greed, or an emergency of some kind.
• The person will pretend to be someone from a known institution or a mutual acquaintance of someone you know in real life if it's a targeted attack.
• The person on the phone will directly ask you to provide information such as a username, password, credit card number, or other personal details.
• They will then end the call at some point and use that information against you or someone else.

It's hard to give a universal account of what these attacks look like because they can be very different from one to the next. So let's look at some of the more common scams.

Typical Vishing Scams

A lot of vishing scams have to do with money, which makes sense when you think about it. Attackers will pretend to be from a bank or financial institution. They will phone you and tell you there's a problem with your card or account. At some point in the call, you will be asked to provide your credit card numbers, or perhaps you'll be asked to make a new payment because a previous one had "failed." In all cases, any money leaving your account is going straight to the scammer.

There are also scams that involve getting easy loans at low-interest rates, investment opportunities that will earn you large amounts based on small pay-in, and so on. These are all scams involving some sort of processing fee or investment payment from you. They will tell you that the offer is only available if you seal the deal right there on the phone and, as you might expect, you'll never see your money or the "company" ever again.

There are also plenty of scams that involve government agencies. These can rely on weaknesses in the social security system. Scammers phone posing as officials for medical aids or social security departments. They will ask the victim for details pertaining to these services and then use it to steal those same benefits.

Posing as a tax collector is another popular one. This can be used to scare people into paying "fines" or face arrest. It can be used to steal tax refunds, but getting your filing information and then filing ahead of you with their own bank details. The IRS has a tax scam page, as do most world tax authorities. So that's worth checking.

Protecting Yourself Against Vishing Attacks

Vishing can be very tricky to protect yourself against. There are some basic rules you can use to make it less likely that you'll be scammed:

• Never give out crucial info such as a social security number, password, or credit card number over the phone.
• There is no emergency over the phone that requires you to act without thinking.
• Hang up, and phone the legitimate public number of the company that the caller claimed to be from, then verify the call.
• Don't use a call-back number provided by the caller.
• Never make any payments just based on an unsolicited call.
• Use a call-blocking app with a scammer list.
• If you receive a robocall, don't answer. If you do, though, don't press any button prompts. Just hang up.
• Never provide "verification information" to someone who has called you. Always call the legitimate public number before offering any personal information such as your name, address, or number.

Vishing is often successful because it's easier for a human being speaking you over the phone to be convincing. We often feel social obligations to be polite or to comply with someone who sounds confident and authoritative.

It's especially effective against less computer-savvy people or persons who aren't familiar with phishing scams in the computer world. People who still use landlines, for example, might be older and less familiar with cybersecurity issues. Now that you know what vishing is, you can successfully avoid it!