Voice over Internet Protocol (VoIP) telephony is increasingly popular thanks to its lower cost, robust feature sets, and high level of both portability and mobility. As a result, scammers are also finding ways to take advantage of the technology. This has led to the rise of vishing.
What is Vishing?
Vishing – short for voice or VoIP phishing – is a tactic used by scammers to trick call recipients into believing they are a legitimate person or business. In its most basic form, the scammer merely claims that they are a reputable person or company and tries to steer the call recipient into giving them sensitive information, such as financial, personal, or organizational details.
In these versions of the attack, spotting a scammer is not overly complex. Often, the experience is not unlike the scam calls where the caller claims to be from the IRS and then proceeds to threaten the call recipient.
However, there are more technically complex variants of vishing. These more sophisticated attacks often involve spoofed caller ID information and phone numbers, making it appear as though the call is coming from someone (or somewhere) other than its actual origin.
Since many people believe the information they see on their caller ID, the scammer is creating a false sense of trust by aligning themselves with a safe entity. Then, the scammer takes advantage of the situation, asking questions to encourage the call recipient to disclose sensitive information.
Scammers often use VoIP solutions for vishing attacks. In comparison to traditional landlines, VoIP can be harder to track, making it difficult for authorities to find the attackers. Additionally, the caller may actually be in another country, leaving local law enforcement with little power to act.
How to Protect Your Company from Vishing
Education is often the best defense against vishing. Informing your employees of the threat is an important first step, but you also need to give them tips to help them vet callers.
For example, if you or your employees receive a threatening call from someone claiming to represent a legitimate business or organization, write down what the caller is saying. Then hang up and contact that company or organization directly, using a phone number from the entity’s own website or one that is known to be valid, and verify whether the information received was correct.
Similarly, setting protocols regarding what company (or personal) information should be given over the phone during an incoming call can make a difference. You can’t rely on caller ID to confirm a caller’s identity in all cases, as spoofing the origin information is something scammers often do.
Additionally, filing a complaint with the FTC after receiving a scam call can be helpful. The more information the FTC collects, the better its chance of stopping a particular scammer from trying to trick anyone else.
Ultimately, vishing can be a real threat, so it is important to remain vigilant and train your staff to recognize the signs of a scam call in progress.