Between 2011 and 2014, three men working out of Romania seized control of tens of thousands of American bank accounts, totaling more than $21 million, in northern Georgia and beyond. They accomplished this through vishing, a scam in which they used a series of phone calls to steal valuable information. The criminals impersonated bank personnel, then called or left automated voicemail messages prompting bank customers to provide their account numbers, Social Security numbers or PINs. The perpetrators were brought to justice in 2019 and charged with wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft (among other crimes). Vishing knows no boundaries, and in this case, the scammers were extradited to Georgia to stand trial.
What is vishing (voice or VoIP phishing)?
Vishing is a scam in which fraudsters make a phone call or leave a message pretending to be from a reputable organization in order to steal personal information, such as bank account details, credit card numbers or Social Security numbers, with the intent to commit identity theft.
Vishing is essentially “voice phishing.” Phishing describes fraudulent emails baiting readers to click on a link or button that leads to a fake (aka “spoofed”) site, where they then unwittingly give up personal information.
How does vishing (voice phishing) work?
The phone rings. Whether you hear a live voice on the line or a voicemail message, the scenario is often the same: Something is wrong with your bank account, or your Social Security number is tied to some sort of criminal activity and has been suspended. Whatever the case may be, the criminals are trying to use fear or intimidation to get you to reveal sensitive information.
Don’t do it.
The FBI started warning the public about vishing as early as 2007. By then, voice over internet protocol (VoIP) had emerged on the scene, which made it possible to take phone calls over the internet at a fraction of the cost of standard calls. Scammers leveraged the technology to create a host of “customer service” lines and automated voices to go with it. Whether they’re using scare tactics or enticing you with cash prizes, the goal is the same: to pressure the victim into sharing personal information, which can then be used to commit identity theft or fraud.
How to recognize vishing
Look out for two common variations of vishing:
- A scam email lands in your inbox, but unlike a typical phishing situation, which prompts you to click a link, this one requires you to make a phone call. The call leads to a scammer’s VoIP account designed to get you to give up your personal information.
- The scammer gets in touch via a phone call or text message, which directly prompts you to provide your personal information from your device. Again, the voice isn’t calling from your bank, credit card company or any other legitimate business. It’s a fraudster trying to get you to reveal your personal information.
How can I protect myself from vishing?
Be suspicious of who’s on the line
Scammers might spoof a number with your area code and prefix to make you think a neighbor or local business is calling. Your caller ID might even flash what appears to be your bank’s name or the Social Security Administration. It’s best to pick up only if it’s someone you know or are expecting. Otherwise, let it go into voicemail and assess its authenticity when you play the message.
Recognize vishing clues
If you happen to pick up the phone, you should be skeptical of unknown callers and look for vishing clues. “Listen for unusual pauses between responses to your prompts,” said Juliana Gruenwald, a spokeswoman with the Federal Trade Commission’s Office of Public Affairs. She also advised asking questions that would be difficult for an imposter to answer. For instance, if the person says he’s from the bank, ask him for the last four digits of your account number; if he says he needs to pull it up, hang up—real bank staff should have your information already on their screen. (However, scammers can be sneaky, and they very well might have your info—so don’t let your guard down.)
Guard your personal information
Legitimate organizations never call you to confirm your account information or ask for personal information. If there’s a problem, then your bank or credit monitoring service would contact you and have your information on hand. Legitimate organizations also do not accept payment in gift cards, ask you to wire money or make a deposit into a third-party account.
Make the call yourself
If you think there may actually be something wrong with your account, hang up anyway and don’t click on any links the caller might send to your email or cellphone. Run a reverse phone search to try to see where the number actually leads. You can also look up the number of the company or agency (by typing in its website, for example) and ask them about the suspicious call. Do not press “redial” or call the number that shows up on your caller ID—it will just send you right back to the potential scammer’s phone or VoIP account.
Report shady calls
Both the FBI and the FTC provide ways to register a complaint. Not only will this help lawmakers track down the culprit, the FTC will add that number to their list of possible scam calls, which they release daily. If you suspect you’ve provided sensitive information to a scammer, call the institution you sent the money through (such as the gift card company or wire transfer company) and tell them about the situation. You can also let the local authorities know what happened.
Block unwanted calls
For starters, add your name to the National Do Not Call Registry. This lets legitimate companies know that you don’t want telemarketing calls, though it likely won’t stop scammers. You can also try a call-blocking app or explore call-blocking services through your service provider. Again, this won’t stop vishing altogether, but it should minimize your chances of receiving such calls.