Many terms for cybercriminal activity are now part of the mainstream vernacular: the dark web, breaches, and phishing, which most people have heard of even if they don’t know how to recognize a fraudulent email. In fact, Google warned nearly 5 million people in a recent week about potentially harmful sites that they were about to visit! FIVE MILLION in one week. With that in mind, if your company isn’t enrolled in our Security Awareness Training, you’ll want to make sure you integrate that into your Managed Services ASAP!
But one term that people aren’t as familiar with is vishing. A shortened version of the phrase ‘voice phishing’, vishing is when the attacker obtains the victim’s data over the phone by getting them to reveal identifying information. Whereas phishing requires the victim to click on a link, vishing only requires conversation or voice responses. And because victims are often caught off guard by the phone call, they may willingly provide information to the person calling. Vishing is not exclusive to any one type of phone call and can occur over a landline, mobile line, or VoIP (voice over internet protocol).
It’s difficult to verify a caller when you can’t see them: you usually ask questions and trust what they say. But with cybercrime in today’s world, you should never assume that the caller is safe. Ask where they are calling from and ask for a callback number. Never give out any identifying information or confirm anything they ask you. Go to the trusted website of the organization the caller claims to represent, then call back to inquire about the issue or the call that you received. Even if the caller provides legitimate information, you should not confirm it, as it might be stolen and the caller may just need you to verify it.
The caller might try to incite a sense of panic or fear about the situation. Try your best not to react, and know that a legitimate business would not want to cause alarm like that with its clients. Do not react just because they have told you that the matter is time-sensitive or that they are a government agency. You should also be skeptical if they are making promises of payment or free offers.
These calls can be made for a variety of reasons. They may be robocalls or placed via technology that maximizes call times for agents and their companies. The Federal Trade Commission (FTC) has warned that these calls can lead to fraud, because answering one verifies that the phone number is legitimate. This relates to the Initial Access Brokers that we mention in this blog, who merely validate information to pass along to hackers.
Do not answer unknown or suspicious calls. Cybercriminals have many ways of working around this, including altering caller ID, so remain on guard even if the number appears legitimate or familiar. Do not press buttons or respond to prompts for information or confirmation. And never give out personally identifying information.
You can also sign up to be on the Do Not Call Registry and report any fraud to the FTC.
Our Security Awareness Training can help you and your employees spot all kinds of suspicious behavior. Give us a call to find out more!