A Look into Vishing Scams on the Rise

In today’s world of online communications there are a number of associated threats. You may think that using an “old-fashioned” way of contacting someone, like a phone call, would be safer. Unfortunately, whilst email scams are still a substantial money earner for cyber-criminals, phone scams are growing in popularity.

The practice of Vishing (aka Voice Phishing) has been around for many years. Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be from a legitimate business. Consumers have become somewhat complacent about sharing personal information over the telephone with companies they perceive to be legitimate. Criminals prey on this complacency to gain information by offering incentives such as tax refunds or rebates from service providers. In any of these examples, the consumer ends up losing money and the innocent brand being impersonated in the attack has its reputation tarnished.

FraudWatch International has a client who has suffered from multiple Vishing attacks over recent years. Their customers were receiving convincing phone calls from individuals purporting to be from their legitimate taxation business. During these calls, customers were asked to provide sensitive information and/or to transfer funds. The bogus callers claimed that there were unpaid bills and tricked customers into providing financial information, which led them to pay money that they did not need to pay. Our client was receiving hundreds of reports per day from customers in relation to these bogus phone calls. Customer phone numbers can be easily obtained from the publicly available telephone directory, making it very easy for criminals to launch these attacks. The attacks continued over several years, with customers being scammed out of thousands of dollars. The attacks were also covered by various news and media outlets, resulting in considerable brand damage and loss of customer confidence.

Criminals often use Vishing as part of a multi-pronged attack strategy that also includes Phishing and Brand Abuse. FraudWatch International’s security analysts consistently see attacks that consist of a website that copies a brand and then uses a Phishing component (within the same website or possibly a second site) to obtain the client’s credentials. Vishing is used to directly target the client on the phone and is legitimised by the presence of the fake sites.

There is often a spike in Vishing at tax time, with scams impersonating government taxation departments. People often fall for these types of phone scams because they don’t keep track of their taxes, so it seems plausible that the tax office owes them money, or that they made a mistake on their tax return and now owe the tax office money. Another trick scammers use is to create a fake Caller ID, so that the number you see on your phone’s display seems legitimate. This technique is called ‘Caller ID Spoofing’ and is extremely easy to achieve, particularly with Voice over IP (VoIP).

FraudWatch International was able to step in and assist our client’s business by blocking over a hundred Vishing numbers using our tools, processes and personnel who are highly trained in identifying Vishing attacks. Our experts liaised with our client’s legal team, the local law enforcement agencies and the telecom service providers who managed the services used in the attacks. This has successfully deterred the scammers from targeting this client so fervently. Whilst the attacks have not completely stopped for our client, support teams at FraudWatch International have maintained the takedown of any Vishing numbers through our Anti-Phishing and Brand Abuse services, and have succeeded in increasing awareness of the scams among customers of this client.

The core Brand Protection services provided by FraudWatch International cover all 3 attack components – Brand Abuse, Phishing and Vishing. Each time we detect and actively pursue one of these incidents, we look for the presence of the other attack types and actively take them down as well. We find that this holistic approach to eliminating all possible attack vectors is the most effective way to properly shut down an attack and protect your brand and your customers.