Cybersecurity and Fraud Protection
How to Recognize and Combat Vishing Schemes
Learn the telltale signs of “vishing” schemes, in which criminals use phone calls or automated phone services to impersonate third-party vendors, payments employees or executives at a company in an attempt to gain the employee’s trust.
“Vishing,” which is a combination of “voice” and “phishing,” is a form of social engineering designed to lure an employee into providing sensitive or personal information. Criminals often use a variety of questions and approaches to obtain information that will help them gain access to a company’s financial accounts and transfer funds to a bank account that they control.
Potential Signs of Vishing
- The incoming phone number may look odd or very short, or even similar to a cell phone or company phone number.
- A criminal may deliberately mumble or give partly wrong details so that the victim “corrects” them, revealing the real personal information in the process.
- There may be a sense of urgency to the request. A criminal might imply that there will be problems if the employee doesn’t provide the information quickly, or they use a positive approach, saying, “If you get this for me right now you will be a hero!”
- Be on the alert for unexpected calls offering or requesting help. A criminal may ask for help while impersonating another employee or executive. Always validate these types of requests by calling the employee or executive at a known telephone number.
Criminals may use these vishing approaches to persuade an employee to provide confidential information:
- “You need to make a transfer to a safe account.”
- “We’ve detected fraud on your account.”
- “I’m a police officer.”
- “I’m one of your suppliers.”
- “Please confirm your online banking code.”
- “I’ll need your card details.”
- “Your payment hasn’t gone through.”
- “Tap your Personal Identification Number (PIN) into the phone.”
- “Just for security reasons . . .”
- “Please confirm your account password.”
- “I’m calling from your bank.”
- “Your payment is overdue.”
What to Do
Verify and validate an unknown caller’s identity at a known telephone number before revealing any sensitive information about the company or employees.
If a caller claims to be a client, third-party vendor or regulator, ask for a telephone number and say you will call back. Then verify the number is correct before calling back.
Validate with a known contact any change in payment requests or instructions, including the use of a new bank account number, before processing.
Block the caller’s number and notify your company’s IT or cyber controls department of the vishing attempt.