Scam Alert: Vishing
Here's another term to add to your glossary of financial fraud: vishing. The term is a blend of voice and phishing (that is, scammers trying to get personal info from you via email). With vishing, the main tool fraudsters use is the phone.
What is vishing?
Vishing is a type of fraud that relies on getting you to trust the person at the other end of a phone call. The initial contact might be a phone call to you, but the scheme can also start with an email message or text asking you to call a number. Either way, the goal of vishing is to get you to reveal your personal data, account numbers, or security codes by phone so that cyber thieves can use that information to access your cash or credit.
Vishing can be hard to spot, because scammers have gotten so clever and resourceful about fooling their targets. For example, you might receive a call from a number that matches one used by a familiar organization, such as a bank, credit union, retailer, or government agency. Since the number seems to be credible, you probably answer the call and aren't suspicious.
The problem: Scammers are using readily available services that enable them to spoof1 (that is, fake) the number that shows up on your caller ID, while hiding the real origin of the call.
Scammers often "spoof" phone numbers that look like they're coming from a company you trust so that you'll answer their call.
Pretexts for vishing calls
Let's say you answer or return a call from a number that looks legitimate. The person on the other end, pretending to represent your bank, tells you some suspicious charges have been made using your debit card. They will cancel your card and issue you a new one, but first they need your PIN, your security code, and the answer to your security question for “verification."
Another version involves a recorded call that instructs you to enter your PIN or other information to be connected to someone regarding a problem with your account. Cybersecurity reporter Brian Krebs shared the story1 of a cybersecurity professional who was targeted for such an automated vishing attack with a message from someone claiming to represent AT&T. No detail was spared to make the setup seem real, right down to a sound effect mimicking the telecommunication company's four-note jingle.
Other variations of vishing bait include solicitations of charitable donations (often after natural disasters), offers of free vacations and other prizes, pitches for investments and foreign lotteries, and emailed messages for you to call the number of a service to remove a virus that's infected your computer.
- If you receive an email from a company that you do business with and they ask you to call them, never call the phone number in the email. Instead, use the customer service phone number on the company's website.
- If you receive a phone call from a particular company or organization but you did not initiate the contact, never disclose any personal information about yourself over the telephone. Real representatives of banks, retail companies, government agencies, and other organizations would not request this kind of information through an unsolicited phone call.
- Another red flag is when the caller conveys a sense of urgency, insisting you must provide the information they are requesting immediately. As soon as the caller requests personal information from you and begins to pressure you when you refuse, hang up.
- Never give out your Social Security number, passwords, account numbers, or any other personal or financial details over the phone, especially if you did not initiate the call. Exercise caution when the phone rings so you can protect your identity and your money.
Why working from home may put you at more risk
Many people don't tend to answer their cell phone while at work — unless it's from someone they know and they suspect it might be urgent (say, a spouse, a parent, or a child's school). And it's a common practice to let all unknown numbers go right to voicemail.
But when you move to working at home, all of this changes. Some people may begin to answer every call that comes through, even if they don't recognize the phone number. And if they think the call could have any connection to work, they continue to talk, even if they don't know the person who is calling — or don't quite understand why they're getting the call.
One way to protect yourself: If it's not a phone call from someone you know — or it's not a phone call you were specifically expecting (say, someone calling from your office to help you with your work from home setup) — hang up. If you think there's even a small chance the call may be real, first get the caller's name, their company name, and their department. Then you can either call or email them back or using information you find on a website or a company directory.
How to report vishing
If you've been targeted with vishing, report the incident to the Federal Trade Commission.2 Just select a category and use the FTC's Complaint Assistant to fill out a report online. The agency doesn't resolve individual complaints, but it will share your report with law enforcement authorities and provide information you can use to seek a remedy.
Important Disclosure Information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
Do you have questions or ideas?
Share your thoughts about this article or suggest a topic for a new one