Social Engineering, Identity Theft, and “Vishing Attacks”: How to Avoid Being Ripped Off by Phone Scams

New technology is a marvel. Every month, it seems, there’s a new breakthrough, and for the most part, we grow to love it. After all, who really wants to return to the days when we had twelve channels on TV?

But every new technology also seems to usher in a new wave of unscrupulous, enterprising scammers looking for ways to make a dishonest buck.

In fact, if you’ve begun to notice that most calls you receive on your mobile phone these days are robocalls from numbers you don’t recognize, you’re onto something. A brand-new report says that in 2018 Americans received (and for the most part, rightly ignored) 29.3 billion automated phone calls—many of them attempted scams. A data security firm recently predicted nearly half of all calls made to cellular phones in 2019 will be fraudulent—the kinds of calls that lead to identity theft.

In fact, in 2017 identity fraud hit an all-time high. 16.7 million Americans were impacted, with losses of $22.1 million. That means the time to get smart about robocalls is now. And in the case of unsolicited phone calls, the best phone etiquette is to be rude.

Social Engineering Attacks

Social engineering relies on psychology and good manners to gain cooperation. It is targeted psychological manipulation. And it is nefarious. (In 2016, a skilled social engineer was notoriously able to add herself to a tech journalist’s cell phone account, change his password, and add a nonexistent daughter to the account, all on camera while he watched, simply by playing a recording of a crying baby in the background and acting flustered and grateful…while a naïve customer service rep essentially handed his account over to a total stranger.)

One of the earliest types of social engineering attacks came in the form of email-based identity theft scams called “phishing”—a novel spelling of “fishing.” In phishing schemes, legitimate-looking emails trick people into clicking on links that send them to fake web sites that look like legitimate bank, credit card, or other trustworthy sites, where they “log in” and “verify” their identities using real account data and sensitive personal information (full names, account or social security numbers, account passwords, and so forth).

As consumers have grown wiser about these scams (and spam filters have grown more effective at deleting phishing emails), scammers have kept up, finding new ways to try to obtain that information. Thus voice phishing, or vishing, also known as a phone scam, was born.

It’s easy, after all, to ignore an email. But it’s sometimes harder to ignore a person (or “company”) who took the time to call and try to help you. That’s where the power of social engineering comes into the equation.

The truth is, most of us have been trained since birth to be kind, polite, and grateful. And unfortunately, that very training is weaponized by vishers, who rely on our social graces to worm their way into our wallets.

Then there’s the phone scam fear factor.

What if you received a frantic phone call about a beloved niece, traveling alone in a remote area? (Thanks, Instagram/Facebook/Twitter selfies!) What if the caller told you she’s been in a terrible accident, her parents can’t be reached, she needs lifesaving surgery, you’re listed in her phone as her next-closest relative, and…you need to urgently wire $10,000 for emergency surgery to the hospital at Account Number XX-XXXXXXXXXX?

Family emergency phone scams are so common, in fact, the United States Federal Trade Commission has issued a specific warning against them.

It’s almost enough to make you consider never answering your phone unless you recognize the caller ID again, isn’t it?

How to Protect Yourself from Vishing Attacks and Phone Scams
  • Use your voicemail. Let your phone do the heavy lifting for you and let voicemail screen your calls. If you don’t recognize the number of an incoming call, let it go. Check the message afterwards and decide whether it sounds legitimate or not. If a message says there is a problem and you should return a call, double-check the number online or with directory assistance. Don’t simply call the number without verifying it’s a legitimate number.
  • Turn the tables. If you answer a call and an unsolicited caller asks you to verify your identity by providing secure details only you would know (such as account information, PINs, or other personally identifying information), ask for the caller’s own verifying information, including full name, department, branch, and a main switchboard callback number. Then insist on calling back in your own time, at your own pace. Very few things are so urgent they require immediate action within the next ten minutes to one hour. Slow it down. Take your time. “Urgent!” is almost always a red flag.
  • Never provide sensitive, personally identifying information over the phone if you did not initiate the call. Medicare, the IRS, credit card companies, and other legitimate organizations never call consumers directly, out of the blue, and ask for personally identifying information. It’s really that simple. (If you called them, of course, then it’s not only OK to verify your identity; you should be thrilled they’re asking.)
  • If you have a smartphone, use a spam-call blocking app. Hiya and Truecaller, both free for iOS and Android phones, offer powerful caller identification and blocking capabilities beyond the built-in features of most cellphones and can be useful adjuncts to help manage the ever-increasing number of junk calls that aren’t covered by the national do-not-call registry (which many vishers, located outside the U.S., simply ignore anyway).
  • Ask your cellular provider about enhanced spam and scam call blocking technology. Nearly every cellular provider offers low-cost or no-cost add-on features for an extra dollar or two per month that can significantly cut down on the number of unsolicited calls you receive.
  • Get ready to avoid the next scam. Smishers are out there, working on the next version of identity theft. (Smishing? What’s smishing? Glad you asked. It uses SMS [text messaging] for the same goals as vishing or phishing. In other words: Same scam, different day.)