Last month, the government released a circular warning its employees of a sophisticated cybercrime: vishing. Short for voice+phishing, it’s a technique wherein a threat actor calls the victim over the phone and tries to trick her into clicking on malicious files or emails, which can then lead to a legitimate-looking website asking her to share personal information. In other cases, the attacker can solicit sensitive information from the victim. It can be so tricky that the caller might appear to be the victim’s manager or colleague, enticing her to share sensitive information, at times using urgency as a tactic.
Artificial intelligence only adds to the worry: it helps the attacker imitate a person’s voice and mannerisms so closely that tricking the victim becomes easier.
The government’s advisory asks employees to independently verify the callers’ identity and avoid sharing any personal information.
At the same time, understanding the intricacies of a vishing attack can also make you more aware and protect you against it.
So, what is vishing?
First and foremost, voice phishing is carried out through a call on a mobile phone or landline. Here, the attacker typically seeks sensitive information such as financial details or passwords, or other private information.
But why would anyone divulge these? It is because, unlike online scams that rely on malware, vishing uses social engineering, where the threat actor uses psychological tactics to trick the victim into taking a certain action. They can pretend to be your bank, saying your account has been compromised. Or your boss at work, telling you to urgently open an email. Or somebody from a genuine company or government agency, asking for your bank information. All pretense. What the attackers play upon is a sense of urgency, combined with an air of authority, which pushes the victim to take a certain action and fall for the vishing scam.
The telltale signs
While a vishing attack is highly sophisticated, there are a few telltale signs that can help you identify such a call:
A pre-recorded message: On many occasions, a vishing call starts with an automated message claiming there’s an urgent financial or other matter, prompting you to press a few numbers or take certain actions.
Asking for sensitive information: If somebody calls you out of the blue asking for personal and sensitive information (bank account details, Aadhaar number, etc.), it’s a strong sign of a vishing attack. Here, a simple call to the customer care of the company or government agency regarding the issue can help.
Pretending to be a government official: There’s a very slim chance that a government official would directly call you or even email or text. And if you get a call from somebody claiming to be a government official, chances are high that it’s not legitimate.
Using fear and urgency tactics: In a vishing attack, chances are that the scammer will stoke a sense of urgency using threats or fear. In such a situation, try to remain calm and refrain from sharing any sensitive information. Instead, try to get the caller to share more information about the matter to make a better assessment of the situation.
Poor audio quality: If in doubt, also pay attention to the call’s audio quality and any background noises. At times, there could be robotic-sounding voices, which could mean that it’s a robocall. Hence, in such a scenario, it’s better to hang up the phone.
What to do against vishing?
Apart from the above-mentioned ways, there are some easy actions you can take to combat vishing, such as:
- The simplest thing you can do is screen your calls, and if it doesn’t look right, don’t take it
- If you do take a call that feels suspicious, don’t divulge any details, answer questions, or press any buttons
- Also, it might not be the best idea to confront the caller, as the scammer might record the conversation and use it to get access to voice-activated menus
- In the end, just trust your gut, and if it doesn’t feel right, hang up and block the number
But what if you fall victim to a vishing attack?
Despite the precautions, if you do end up falling victim to a vishing attack, first of all contact your bank and examine your account. Then, change the passwords to your sensitive accounts. And don’t forget to report it to the police.
