Guards Up, Phones Down: Avoiding Voice Phishing Scams and Social Engineering Tricks
Social engineering tools and tactics have transformed in recent years, and we often stress here on Hedge IT the importance of IT security, particularly when it comes to sophisticated phishing and spear-phishing campaigns via email.
One tactic we haven’t touched on is voice phishing (also known as ‘vishing’), which works towards the same ultimate goal – prompting an end user to take some kind of action that causes an exploit in the user’s system or a fraudulent wire transfer – except this time it’s done over the phone.
Voice phishing scams are growing in popularity, often catching busy users at the end of their work day with their cyber defenses down, hoping they’ll ignore the best practices they’ve learned and instead provide sensitive information to the person on the other end of the phone.
Here are a few recent examples of voice phishing scams we’ve seen:
IRS Robocalls. At the end of tax season earlier this year, many people found themselves fielding threatening calls from scammers posing as Internal Revenue Service employees insisting they’re owed money. Unfortunately, these robocall scams worked. According to the Treasury Inspector General for Tax Administration, more than 10,000 victims have paid a collective $55 million since October 2013. TIP: The IRS almost never contacts taxpayers via phone (or text, email or social media). If they want to get in touch, they’ll send you a letter.
Department of Motor Vehicles. Of a similar nature, vishing schemes have popped up across the US with victims receiving phone calls from supposed DMV employees requesting payments, social security numbers and debit card information. Texting and social media have also become popular avenues for these scams.
Don’t Say ‘Yes.’ Earlier this year, the Federal Communications Commission (FCC) warned consumers about a voice phishing campaign that targeted users who simply answered ‘yes’ when they picked up the phone. That one-word answer, unfortunately, allowed the caller to record a voice signature which can later be used to authorize fraudulent wire transfers.
How can we avoid falling victim to one of these savvy voice phishing scams? Here are a few IT security tips to remember the next time the phone rings:
Don’t answer (unless you know who’s calling).
If you do answer and hear an immediate recording, hang up. Oftentimes, these callers just want verification that they’ve reached a live person. Speaking or pressing any key (oftentimes they’ll prompt for this) means playing right into their hands.
If you do find yourself in conversation with a caller claiming to be a fundraiser or requesting money or personal information, try to verify their identity. Ask for their phone number and tell them you’ll call them back. Or insist that they send you an email (you’ll need to leverage email phishing best practices to vet that too) with more information, which may help discern whether the caller is legitimate or not.
File a complaint with the FCC, which works to identify these scam callers and track them down.