Pretexts for vishing calls
Let's say you answer or return a call from a number that looks legitimate. The person on the other end, pretending to represent your bank, tells you some suspicious charges have been made using your debit card. They will cancel your card and issue you a new one, but first they need your PIN, your security code, and the answer to your security question for "verification."
Another version involves a recorded call that instructs you to enter your PIN or other information to be connected to someone regarding a problem with your account. Cybersecurity reporter Brian Krebs shared the story [1] of a cybersecurity professional who was targeted by such an automated vishing attack with a message from someone claiming to represent AT&T. No detail was spared to make the setup seem real, right down to a sound effect mimicking the telecommunication company's four-note jingle.
Other variations of vishing bait include solicitations of charitable donations (often after natural disasters), offers of free vacations and other prizes, pitches for investments and foreign lotteries, and emailed messages telling you to call a service's number to remove a virus that has infected your computer.
- If you receive an email from a company that you do business with and they ask you to call them, never call the phone number in the email. Instead, use the customer service phone number on the company's website.
- If you receive a phone call from a particular company or organization but you did not initiate the contact, never disclose any personal information about yourself over the telephone. Real representatives of banks, retail companies, government agencies, and other organizations would not request this kind of information through an unsolicited phone call.
- Another red flag is when the caller conveys a sense of urgency, insisting you must provide the information they are requesting immediately. As soon as the caller requests personal information from you and begins to pressure you when you refuse, hang up.
- Never give out your Social Security number, passwords, account numbers, or any other personal or financial details over the phone, especially if you did not initiate the call. Exercise caution when the phone rings so you can protect your identity and your money.
Why working from home may put you at more risk
Many people don't tend to answer their cell phone while at work — unless it's from someone they know and they suspect it might be urgent (say, a spouse, a parent, or a child's school). And it's a common practice to let all unknown numbers go right to voicemail.
But when you move to working at home, all of this changes. Some people may begin to answer every call that comes through, even if they don't recognize the phone number. And if they think the call could have any connection to work, they continue to talk, even if they don't know the person who is calling — or don't quite understand why they're getting the call.
One way to protect yourself: if the call is not from someone you know, and it is not a call you were specifically expecting (say, someone calling from your office to help you with your work-from-home setup), hang up. If you think there's even a small chance the call may be real, first get the caller's name, their company name, and their department. Then you can call or email them back using information you find on a website or a company directory.
How to report vishing
If you've been targeted with vishing, report the incident to the Federal Trade Commission [2]. Just select a category and use the FTC's Complaint Assistant to fill out a report online. The agency doesn't resolve individual complaints, but it will share your report with law enforcement authorities and provide information you can use to seek a remedy.