Vishing scams were still relatively uncommon at the outset of 2021. But now? We are seeing them on a weekly basis. Read how vishing phone scams have changed, why they’re dangerous, and learn five tips to stay off the hook!
Vishing, or voice phishing, is a form of phishing that happens by phone. In vishing, the scammer uses social engineering to get the victim to share their personal information over a phone call. The scammer may, for example, pretend to represent a legitimate company to establish trust with a victim. The scammer then manipulates the victim into sharing sensitive personal information such as their name, credit card details, social security number, and credentials.
Vishing can happen in all sorts of ways. Traditionally, the attacker makes first contact by calling the victim's number directly and impersonating a bank representative, someone claiming the victim has won a prize, and so forth. But the vishing attempts we at Hoxhunt have been seeing lately look a bit different.
In these recent vishing attacks, the threat actor first uses email to hook the victim. The email is crafted with a sense of urgency that the victim must call a phone number provided in the email body, lest an undesired payment occur. Once the victim calls the number, the vishing begins.
Below are 3 different vishing email examples, all of which follow the same pattern:
The scammer is sending a message claiming that a free trial will soon end, whereupon $89.99 will be automatically charged to the victim’s credit card. This hypothetical subscription may only be canceled by calling the number in the email. That’s an immediate red flag. But victims are pushed to believe their only option is to call the number.
This one poses as a medical reminder service, the kind that sends users regular reminders to take their medicine on time. No company or representative is actually mentioned by name; only a generic “Medical Reminder Service” signature is provided. This is a big red flag.
This one is impersonating Amazon - the attacker even bought a domain called “amazn-primeshoppingus.co” from which the email has been sent. This tactic is meant to make the email seem more authentic. However, closer scrutiny reveals several mistakes in the text that Amazon would never make. For instance, the ‘A’ in amazon is written in lowercase, and there’s a space before the comma.
Once again, only a fake help desk number is provided for contact info. How can you be sure it’s fake? A good way to identify vishing numbers is to Google them. Here, for instance, is what comes up after googling the above fake Amazon number:
Geek Squad is a multinational consumer electronics company that has unfortunately been impersonated in a large vishing campaign as well. This particular campaign, also leveraging automated subscriptions, has been widely distributed. When googling the vishing number, loads of people pop up reporting the scam. Impersonating a well-known company is a popular phishing technique because it elevates the feeling, and the potential, of legitimacy. The victim might actually be using the impersonated company’s services, after all.
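The red flags the examples above share (a callback number as the only contact route, a pending charge, urgency wording, and a look-alike sender domain) can be codified as a simple triage check. The following is an added illustration, not Hoxhunt's own code; the sample messages, addresses and 555 phone numbers are constructed, and the brand list and scoring labels are assumptions.

```python
import re

# Constructed sample messages modelled on the callback-vishing emails described above;
# the addresses and numbers are made up (555-01xx numbers are reserved for fiction).
SAMPLES = {
    "trial": ("billing@medreminder-services.example",
              "Your free trial ends today and $89.99 will be charged automatically. "
              "To cancel, call our help desk at +1 (800) 555-0123."),
    "amazon": ("orders@amazn-primeshoppingus.co",
               "Thank you for your amazon order , it ships soon. If you did not "
               "place this order call 1-888-555-0199 immediately."),
    "benign": ("news@example.org",
               "Our monthly update is out. Reply to this email or visit our site."),
}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"\$\d+(?:\.\d{2})?")
URGENCY = ("ends today", "charged", "immediately", "cancel")   # assumed phrase list
BRANDS = ("amazon", "geeksquad", "microsoft")                  # assumed brand list

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss brand spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(sender: str):
    """Return the brand a sender-domain token is exactly one edit away from, else None."""
    domain = sender.rsplit("@", 1)[-1]
    for token in re.split(r"[.-]", domain):
        for brand in BRANDS:
            if token != brand and edit_distance(token, brand) == 1:
                return brand
    return None

def vishing_indicators(sender: str, body: str) -> list:
    """Collect the red flags the post describes; two or more is worth a closer look."""
    brand = lookalike_brand(sender)
    checks = [
        (PHONE_RE.search(body), "callback number in body"),
        (MONEY_RE.search(body), "pending charge amount"),
        (any(w in body.lower() for w in URGENCY), "urgency wording"),
        (brand, f"sender domain mimics {brand}"),
    ]
    return [label for hit, label in checks if hit]
```

Run `vishing_indicators(*SAMPLES["amazon"])` to see the Amazon look-alike flagged on three counts while the benign newsletter produces no flags.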
So, what happens when victims of a vishing scam call the fake help desk number? Often, the scammer asks for the victim's credit card details to supposedly check if the card has been charged in the event of a mistaken order placement. They might also demand the victim’s social security number or other personal details while pretending to clear up the mistake.
Stay tuned! We’re planning to reach out and touch these vishing scammers ourselves with a call from within a threat-controlled safe environment!
The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.