Vishing Scams are Increasingly Difficult to Detect


Phone scams are becoming more convincing as attackers devise new ways to sound legitimate. KrebsOnSecurity recently spoke with several readers who'd been targeted by voice phishing, or vishing, and found that even tech-savvy people familiar with such scams often struggle to recognize them.

Vishing scams take advantage of the lack of authenticating information in a phone call. Scammers use freely-available tools to spoof the number displayed by caller ID, posing as faceless employees from institutions such as banks and government agencies.

Matt Haughey, creator of the community Weblog MetaFilter and writer at Slack, told KrebsOnSecurity that he fell for a vishing scam that left him with just $300 in his account. Haughey said he received three calls in quick succession from the number used by his credit union.

When he picked up on the third call, a female voice informed him that the credit union had blocked two suspicious charges to his debit card made in Ohio. She then read him the last four digits of his card, which were correct. When Haughey told her that he would need a new card immediately, the caller read out his entire home address.

Now fairly convinced that the call was legitimate, Haughey proceeded through the card replacement process, providing the caller with the answer to his security question, his card’s CVV, and his current PIN. Soon afterwards, he learned that his account had been nearly emptied.

Fully-automated scams can also be very persuasive, according to "Jon," a KrebsOnSecurity reader with over thirty years of professional experience in cybersecurity. Jon received an automated call, supposedly from AT&T, which informed him that his account was about to be suspended for non-payment.

The recorded voice asked him to enter his security PIN to be connected to AT&T’s billing department. Jon saw through the scam because he has been a T-Mobile customer for several years, although his phone number originally belonged to AT&T. However, he says the scam sounded convincing enough that most people would have fallen for it.

Cabel Sasser, founder of a Mac and iOS software company called Panic Inc., told KrebsOnSecurity that he successfully thwarted a scammer who appeared to be calling from his bank by politely telling the caller that he would call back momentarily, and then hanging up. When he dialed in the support number on the back of his ATM card—the same number that had appeared on caller ID—Sasser was connected to a bank representative who confirmed that the previous caller had been lying.

People can only rely on their wits to recognize a phone call as suspicious. Since phone calls require a person’s immediate attention, victims are often unable to verify any information stated in a call until after they’ve hung up. New-school, interactive security awareness training is a crucial resource to provide users with the alertness and quick-thinking necessary to defend against vishing.

KrebsOnSecurity has the story:

Topics: Phishing

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews