Get Cyber Safe and the Canadian Anti-Fraud Centre (CAFC) offer valuable information on what vishing is and how to recognize the signs. For this blog post, Get Cyber Safe has partnered with the Canadian Anti-Fraud Centre (CAFC), which, like us, understands how important cyber security is to individuals as well as businesses. We thank them for being a dedicated partner in the cyber security of Canadians.
What is vishing?
Vishing, short for “voice phishing”, is a phishing technique that uses voice communication technology. Cyber criminals, also known as “vishers” when vishing, use fraudulent phone numbers, spoofed (fake) caller ID and voice-altering software to trick people into sharing their sensitive information over the phone. In 2022, the CAFC received 21,183 fraud reports from Canadians with the telephone being the initial solicitation method. In those reports, 4,734 people indicated that personal information was provided to vishers. Vishing has become a common scam that is always advancing, so it’s important to understand how it works and how to protect yourself from becoming a victim of it.
How vishing works
Vishing attacks are crafted using three different techniques: data collection, voice manipulation and fraudulent calls. They can be used separately or all together.
Data collection: Vishers research and collect information about their victims (individuals and organizations) to create a tailored vishing attack.
Voice manipulation: Vishers use voice cloning technology to imitate the voice of someone the victim knows, such as a familiar friend or colleague.
Fraudulent call: Vishers spoof their caller ID and call their victims, leaving a prepared voicemail that asks for a callback.
Vishing is often used to target large groups of individuals by using Voice over Internet Protocol (VoIP) technology. With VoIP, sending spam calls to hundreds of numbers to try to catch multiple victims is a low-effort, automated process. But vishing attempts can also be targeted at specific individuals, which requires more effort because of the tailored approach to the scam.
Types of vishing
Cyber criminals use many types of vishing to obtain different information they are seeking. Here are some common vishing scams.
Credential vishing: Vishers pose as a familiar individual (financial representative or family member) to trick their victims into offering up their credentials, such as usernames and passwords, which are then used to log in to sensitive accounts, access funds and make unauthorized purchases.
Government impersonation: Vishers impersonate government or law enforcement agencies by using threatening language or offering refunds, like a tax refund from the CRA, to trick their victims into offering up personal information.
Emergency and grandparent scam: Often targeted at older adults, vishers pretend to be a family member, often claiming to need urgent help, to try to trick their target into sending money or sensitive information.
Telemarketing and retail scams: Vishers pose as company representatives and trick victims into thinking they are being offered a service or special deal, or are being given a refund for a purchase, so that they share personal or financial information for the reservation.
Technical support scams: Vishers present themselves as technical support employees of organizations to trick their victims into granting remote access to their devices to help with a technical issue, only to have malware downloaded.
In 2022, the CAFC received 1700 reports stating that 7.7 million dollars was lost to emergency and grandparent scams, and 3260 reports indicated that 4.1 million dollars was lost to technical support and service scams. Vishing was the leading method used for both of these types of scams.
Spot the signs and avoid vishing
While vishing techniques are creative and often appear difficult to detect, there are common signs to help recognize these scams. Here are some tips to avoid vishing scams:
- Listen for poor audio quality
  - poor audio quality, a robotic tone or an unnatural rhythm in the caller’s speech is a sign that they are not who they say they are
- Watch out for calls from unknown numbers or automated calls
  - it’s okay to let unknown numbers or caller IDs go to voicemail
- Be suspicious of callers that request sensitive information
  - no reputable organization or individual will call requesting sensitive information (account access, social insurance numbers, financial information)
- Be aware of scare tactics
  - vishers will use threatening language to try to trick you into acting quickly. Take a moment to assess the situation and call back using a legitimate source if you need to verify the request
- Never share your sensitive or personal information in a received call
- Don’t use your phone’s callback function or phone numbers provided by the caller to communicate
  - always seek out the supposed caller’s contact information through legitimate sources like your contacts in your phone or the company’s official secured website
- Do your research
  - before agreeing to any suspicious request, hang up and take time to investigate the organization calling using your verified browser (do not use links provided by the caller)
  - check out websites, accounts and reviews associated with the company for any suspicious signs
- Check your smartphone for spam protection features
  - if available, enable your smartphone’s built-in spam protection features in settings to help block and report spam calls
  - consider using a call blocker application to help reject unwanted calls
How to report and further protect yourself
If you suspect you’ve been contacted by a visher or are a victim of a vishing scam, follow these steps:
- Contact any providers for account and financial information to report the scam
- Report the scam to your local police and the Canadian Anti-Fraud Centre
- Seek technical support from a verified company associated with the compromised device or account if you need help restoring it
- Change passwords on accounts that may have been compromised
- Register with Canada’s National Do Not Call List (DNCL) to reduce the number of unsolicited calls you receive
It’s also important to share your experiences with friends and family, especially older adults. This will offer awareness to others and open conversations on how your loved ones should communicate safely if help is needed.
Conclusion
Vishing can be difficult to spot as these cyber criminals get craftier with their techniques. Stay vigilant by understanding the signs and different types of vishing. Share your knowledge and experiences with others to help friends and family get cyber safe.