What is 'vishing'?

You may have heard of “phishing”, but you’ve probably experienced “vishing” (or “voice phishing”) as well. This is when you receive a call from someone, either a real person or an automated system, encouraging you to take an action or give them sensitive data.[1] They use social engineering tactics to create trust, then a sense of urgency to overwhelm you into giving them what they ask for.[2]

These calls can include personal information about you, such as your name, workplace, and interests, which the caller has found online to establish credibility.[3] Caller-ID spoofing programs can also be used to give the vishing attempt a local area code, or to make it appear to be a 1-800 number, so that you are more likely to answer.[4] The caller will then explain why they need your information and try to convince you to give it to them.

Vishing is incredibly common, and you have likely received several “robocalls” this year, or even today. Some common pretexts vishers use are:[1]

  • There is a problem with your EID and the "Help Desk" needs to send you a Duo Push.
  • There is a problem with your bank account.
  • You won something.
  • You owe money to the IRS.
  • You, or someone you love, are in legal trouble.
  • You need to do something for the help desk at your workplace.

Vishing is a process. Many times, the first call you’ll get is completely silent. This is called a “validation call”. Automated vishers can call thousands of numbers at once to figure out which have a real human on the other end. By answering these silent calls and saying “Hello?”, you’re marking yourself for future vishing attempts.[5]

From April 2017 to April 2018, Americans lost $8.9 billion to phone scams, a 22% increase from the previous year.[6] Keep reading to learn how to recognize vishing and protect yourself from a similar fate.

Who is at risk?

Everyone is at risk of becoming a victim of vishing. IT support personnel should remain on high alert, as the nature of their job is to provide information to callers. Without realizing it, you could be giving someone sensitive company information that can be used for exploitation later.

What information is asked for?

Sensitive data, or sensitive access, is any information that should be protected from everyone it does not pertain to. Should someone else get hold of it, it could hurt you. Examples include:[1]

  • Your social security number
  • Your bank/credit card information
  • Passwords

Vishing attacks can also ask you to do something that gives the caller access to your computer or accounts, such as completing a two-factor authentication via a Duo Push (e.g., if your password has already been phished by the attacker), giving them control of your mouse, going to a certain webpage, etc. This is just as dangerous, as it can give the scammers a way to obtain your sensitive data themselves.

Tips to protect yourself

It may be hard to differentiate between a friendly caller and a scammer who is trying to hack you, especially when both may ask you for personal information. There are specific red flags that can immediately alert you to a vishing call, and actions to be aware of, but above all, remember not to trust anyone.

Red Flags

  • Unknown callers
    The first thing to think about when answering a phone call is: do you know who is calling you? Be wary of any number you don’t have saved or can’t recognize. Vishers can use a 1-800 number to fool you into thinking they are official. Even when there is a caller-ID, it’s important to stay aware and make sure the caller's identity can be verified.[4]
  • A sense of urgency
    If there is an urgent call-to-action, that should be a red flag. It is common for vishers to insist you give them information promptly to prevent some serious consequence. This is because it is easier to extract information from someone who is distraught and under pressure. Before making any rash decisions, try to get whatever information you can from the caller without providing any of your own, then use a third-party source to find a public phone number you can call for verification.[3]
  • Unexpected "Help Desk" calls
    IT support staff at the university will never initiate a call to you asking you to accept a Duo Push to solve some sort of problem. If you receive a call like this, end the call and call the UT Service Desk (512-475-9400) to verify where the call originated.

Be Aware

  • Giving out personal information
    Never give personal, bank, or login information over the phone or enter it on a website unless you can verify that the caller or website is genuine. Never give remote access to your computer to anyone who calls you. Also be aware of any information about yourself you have made available to the public, and how it could be used against you.
  • Vishing can peak at certain times of the year
    During tax season it is common for vishers to mimic the IRS or tax prep firms. During election season it is common for vishers to pretend to be from reputable political organizations or campaigns in the hope of getting you to support them financially. Sadly, it is also common for vishers to reach out when people are emotionally vulnerable, usually after a large-scale tragedy or natural disaster. They will pretend to be charities asking you to donate with your credit card information.[8]

Don’t Trust

  • Don’t connect to a website
    Never connect to a website when instructed to by a caller. This is more than likely an attempt to download malware onto your computer or take remote control of it. Similarly, be wary of any links or pages that instruct you to call a toll-free number.
  • Prevent phone calls
    Register your number with the national Do Not Call registry at donotcall.gov.
  • Verify information
    Whether or not the caller-ID was known, you should always have the caller verify their identity. Ask them to tell you something that someone in their position should know and that can’t be found publicly.[2]
  • Multi-factor authentication requests
    Never accept a Duo Push request from an unexpected person calling you. If they have already stolen your password, this might be their last hurdle to gaining access to your accounts. By accepting a Duo Push, you could be allowing the attacker to add their smartphone to your list of approved multi-factor devices. At that point, you would not easily know when they were accessing your accounts.
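Detection logic for the device-enrollment risk described above, written as an added example (not code from the original page, and not Duo's actual log format or API): it scans a constructed, simplified authentication-event feed for a push approval from an IP address the user has never used before, followed within a short window by a new multi-factor device being enrolled.

```python
"""Flag MFA device enrollments that follow a push approval from an unknown IP.

Constructed example; the event schema below is simplified and is not the
real Duo log format. Each event is (ISO timestamp, user, event type, source IP).
"""
from datetime import datetime, timedelta

# Constructed sample events (deliberately out of order to show sorting).
SAMPLE_EVENTS = [
    ("2024-03-04T09:01:30", "alice", "device_enrolled", "198.51.100.7"),
    ("2024-03-04T09:00:00", "alice", "push_approved", "198.51.100.7"),
    ("2024-03-04T09:05:00", "bob", "push_approved", "203.0.113.5"),
    ("2024-03-04T09:06:00", "bob", "device_enrolled", "203.0.113.5"),
    ("2024-03-04T10:00:00", "dave", "push_approved", "198.51.100.9"),
    ("2024-03-04T12:30:00", "dave", "device_enrolled", "198.51.100.9"),
]

# Constructed baseline: IPs each user has previously authenticated from.
KNOWN_IPS = {
    "alice": {"192.0.2.20"},
    "bob": {"203.0.113.5"},
}


def parse(events):
    """Convert the timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(t), u, e, ip) for t, u, e, ip in events]


def suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Return (user, approval_time, enroll_time, ip) for each device enrollment
    that occurs within `window` of a push approval from an IP the user has
    never used. A user absent from `known_ips` has no trusted IPs at all."""
    findings = []
    pending = {}  # user -> (time, ip) of the latest unknown-IP approval
    for t, user, event, ip in sorted(parse(events)):
        if event == "push_approved" and ip not in known_ips.get(user, set()):
            pending[user] = (t, ip)
        elif event == "device_enrolled" and user in pending:
            approved_at, approved_ip = pending.pop(user)
            if t - approved_at <= window:
                findings.append((user, approved_at.isoformat(),
                                 t.isoformat(), approved_ip))
    return findings


if __name__ == "__main__":
    for finding in suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print("REVIEW:", finding)
```

Bob is not flagged because the approval came from an IP he normally uses, and Dave is not flagged because the enrollment happened hours after the approval; only Alice's sequence matches the pattern.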

What to do if you've been attacked

  • Notify UT Service Desk as soon as possible
    If you gave someone access to your computer, notify the UT Service Desk.
  • Report incidents to the FTC
    It’s recommended to report any vishing calls to the Federal Trade Commission at www.ftc.gov or by calling (888) 382-1222. You’ll be asked for the name that appeared on the caller ID, along with the time they called and what information was asked of you. You can also contact the Internet Crime Complaint Center if you think you’re a victim of an attack.[3]
  • Contact your service providers
    Contact your bank, credit card company, and mobile phone provider to advise them that your information may have been compromised.
  • Review your approved multi-factor devices
    Ensure that no unauthorized devices are associated with your Duo profile by reviewing your devices from the Self-Registration Portal.

[1] https://www.comparitech.com/blog/information-security/what-is-vishing-how-to-avoid/
[2] https://resources.infosecinstitute.com/what-is-vishing/#gref
[3] https://www.kaspersky.com/resource-center/definitions/vishing
[4] https://www.knowbe4.com/vishing
[5] https://www.npr.org/sections/alltechconsidered/2015/08/24/434313813/why-phone-fraud-starts-with-a-silent-call
[6] https://www.globenewswire.com/news-release/2018/04/26/1488339/0/en/Estimated-24-9M-Americans-Lost-8-9B-in-Phone-Scams-as-Rate-of-Spam-Calls-Jumps-22-According-to-New-Report-from-Truecaller.html
[7] https://www.social-engineer.org/framework/attack-vectors/vishing/
[8] https://southfloridareporter.com/answer-at-your-own-risk-5-things-to-know-about-vishing/