The term ‘vishing’ is a combination of ‘voice’ and ‘phishing’, a practice we have addressed in a previous security tip. Vishing is simply social engineering carried out over the telephone. It is another way for people with malicious intent to gain access to personal and financial information, resulting in identity theft for the victim. Typically it is used to steal credit card numbers or bank information.
Example of a vishing attack:
- A criminal makes calls using a list of phone numbers stolen from a financial institution.
- Upon answering the call, the victim hears an automated recording more than likely created through a ‘text to speech synthesizer’. In the message the victim is ‘alerted’ to the fact that their credit card or bank account has had ‘fraudulent or unusual’ activity and is instructed to call a phone number immediately.
- Part of the trap is that the same number is often also displayed on caller ID, possibly even with a bank name. This gives the victim the (false) sense that he or she is dealing with a real problem that needs to be handled.
- When the victim calls the number that was given, it is answered by an automated system which instructs the victim to enter a credit card number or bank account number on the phone’s key pad.
- The call is often also used to obtain additional details such as PIN#, expiration date, date of birth, etc.
- When the credit card number, bank account number, etc. is entered, the visher has all the information needed to make fraudulent use of the card or to access the victim’s bank account.