What is Vishing? Definition, Examples and Prevention Tips

Vishing is a type of phishing scam that takes place over the phone.

Vishing attempts to con potential victims into surrendering personal information such as passwords, card details and PINs, which can be used for identity theft.

How does vishing work?

In vishing scams, fraudsters use social engineering techniques to obtain victims’ information.

Posing as someone from a trusted organisation, such as a bank, they will create a sense of urgency, pressuring the recipient into giving up their details before they have a chance to think about what they are doing.

Examples of vishing

  • HR scam

In this scam, an organisation’s HR manager receives a phone call from someone claiming to be from the bank.

The manager is told that a data breach may have exposed their personal information and is asked to provide their username and password to access the company account so that it can be checked.

Thinking the call is legitimate, the HR manager gives the caller all the details.

  • Bogus tech support

There are several ways that scammers can pose as tech support. In the most common, they create a pop-up spam message in an Internet browser that claims that the individual’s computer is infected with malware and tells them to phone the number listed to get support.

When you call that number, you are directed to a fake support centre with someone claiming to provide tech support. They will request remote access to the device to perform a fake vulnerability scan to detect the “virus”.

The scammer will then download a piece of software that appears to fix the issue. However, that software itself contains malware – typically a keylogger that tracks everything that the user types on their machine, such as passwords and other sensitive information.

  • Telemarketing scam

Telemarketing scams are one of the most common and straightforward types of vishing. Someone phones claiming to be from a legitimate company and offers you a chance to win a prize.

All you have to do is provide your details to claim the prize. This might include your name, address and – occasionally – your bank details.

In reality, there is no prize and the caller is collecting this information to perform fraudulent activities.

  • Phony government agency

In this scam, the caller claims to be from a government department and asks you to confirm identification details.

They often do this under the guise of tax or social security payments. The scammer might claim that you are entitled to a tax refund or, by contrast, that you haven’t paid your taxes and could be subject to a legal investigation.

How to prevent vishing

It can be challenging to spot a vishing attempt.

It’s important to remember not to give out any information about yourself in response to an unsolicited phone call, no matter how harmless it seems.

If you fall victim, you must take immediate steps to protect your information, such as changing your password, contacting your bank and checking your bank operations.

You can reduce the chances that an employee will hand over confidential information or inadvertently infect your systems with GRC E-Learning’s interactive training course.

Designed by experts, our Phishing Staff Awareness E-learning Course helps employees identify and understand phishing scams, including vishing, explains what could happen should they fall victim, and shows them how they can mitigate the threat of an attack.


A version of this blog was originally published on 13 November 2018.

Author

  • Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.