“AHA advises hospitals to be alert for potential ‘vishing’ attacks”

“Hackers Extradited to U.S. over $18M Vishing Scam”

Vish is the new Phish!

Have you received a threatening call claiming to be from the government? The urgent message demands that you immediately pay a fine, tax, or penalty, or else face imminent arrest by the IRS, revocation of your medical credentials, or something even worse.

These calls are known as “vishing” (voice phishing) campaigns among social engineers. Vishing is a social engineering technique very similar to the familiar email “phish”; the difference is that instead of email, a vish relies on voice calls and voicemails.

A. Vishing examples

As with phishing emails, vishing calls take many forms. In every form, you receive a time-sensitive message warning of impending doom. Let’s take a look at a few common vish campaigns.

1. Jail threats with the DEA or IRS

A popular vish is a call from the “Drug Enforcement Administration” (DEA), explaining that there has been suspicious prescription activity or some other anomaly associated with your medical license. If you deny any involvement in the fraud, the caller may insist on validating that you are really you: they’ll need your medical license number, perhaps your home address, and a credit card in your name. Or they may demand that you pay a fine or face revocation of your license; if you don’t pay, the caller threatens to immediately notify every hospital where you have privileges. Of course, the “fine” must be paid by way of Western Union or MoneyGram, which is itself a giveaway, since no government agency collects fines through wire-transfer services.

Another vish is a call from the “Internal Revenue Service” (IRS) about delinquent tax liens. In this scenario, the caller may claim to be at your home waiting for you, confident that you are at work or somewhere else and cannot check. They may already have your home address, and the caller ID will normally be spoofed to show a real government agency such as a local police station. The caller then offers you a choice: pay the debt or be arrested. They may also instruct you to call an “agent” at another phone number to arrange payment; that number belongs to the scammers too.

2. Bank, telephone, or company

Banks, telephone companies, and other businesses are also popular vish pretexts. The caller ID may actually show your bank’s number (caller ID is trivially spoofed; do not believe it!). The story may be suspicious activity on your account, or an upgraded card that is now available to you. The caller may already have the last four digits of your account number (fairly easy to find, since they appear on nearly every receipt). To “prove that you have the card in your hand”, the caller asks you to read off the remaining digits, confirm your billing address, or provide the three-digit code on the back of the card. In general, just say no. If you believe the call may really be from your bank, hang up and call the bank back on the number printed on the back of your card.
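Why caller ID proves nothing (for the IRS and bank scenarios above): on VoIP calls carried over SIP, the name and number a phone displays come from the From header, which the calling party writes itself. The following Python is an illustration added to this article, not code from the original page; it parses a constructed SIP INVITE in which a caller claiming to be a bank actually sends from an unrelated host, and lists the mismatches between the claimed identity and the transport path. The message, hosts, numbers, and the bank name are all made up for the example.

```python
import re

# Constructed sample SIP INVITE (not captured from a real call): the From
# header claims the call comes from a bank, while the Via and Contact
# headers show it originated from an unrelated host.
SAMPLE_INVITE = (
    "INVITE sip:+12025550123@victim-carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"First Example Bank\" <sip:+18005550100@bank.example>;tag=1928301774\r\n"
    "To: <sip:+12025550123@victim-carrier.example>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.77\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:caller@198.51.100.77>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Optional quoted display name, then <sip:user@domain ...>
FROM_RE = re.compile(r'^\s*(?:"([^"]*)"\s*)?<sip:([^@>]+)@([^;>:]+)')


def parse_sip(raw):
    """Split a SIP request into its request line and a header map.

    Header names are lower-cased; values are kept as lists because SIP
    allows repeated headers (Via in particular, one per hop).
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = {"request_line": lines[0], "headers": {}}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return msg


def caller_id(msg):
    """Return (display_name, number, domain) exactly as the caller wrote them.

    This is all a phone has to go on when it shows "First Example Bank".
    """
    m = FROM_RE.match(msg["headers"]["from"][0])
    if not m:
        raise ValueError("unparseable From header")
    return (m.group(1) or "", m.group(2), m.group(3))


def network_origin(msg):
    """Host in the topmost Via header: where the request actually arrived from."""
    sent_by = msg["headers"]["via"][0].split(";", 1)[0].split()[1]
    return sent_by.split(":")[0]


def spoof_indicators(msg):
    """Heuristics: the claimed identity should agree with the transport path.

    Returns a list of human-readable mismatches; empty means nothing stood out.
    """
    _, _, claimed_domain = caller_id(msg)
    origin = network_origin(msg)
    findings = []
    if claimed_domain != origin:
        findings.append(f"From domain {claimed_domain!r} != Via host {origin!r}")
    contact = msg["headers"].get("contact", [""])[0]
    cm = re.search(r"@([^;>:]+)", contact)
    if cm and cm.group(1) != claimed_domain:
        findings.append(f"Contact host {cm.group(1)!r} != From domain {claimed_domain!r}")
    return findings


if __name__ == "__main__":
    msg = parse_sip(SAMPLE_INVITE)
    name, number, domain = caller_id(msg)
    print(f"phone would display: {name} {number}")
    print(f"request actually arrived from: {network_origin(msg)}")
    for finding in spoof_indicators(msg):
        print("  -", finding)
```

In a real call path the From header is usually passed through unchanged while Via and Contact are added or rewritten hop by hop, so a mismatch like the one above is a hint for whoever operates the SIP trunk, not proof; a call recipient never sees these headers at all. The point for the person answering the phone is simpler: the name and number on the screen were typed in by whoever placed the call, so they cannot serve as identification.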

3. Hospital or school emergency

Another vish is the emergency call from a hospital or school: your child, mother, or spouse has been in an accident, and the caller needs your permission to treat your loved one. To “verify your identity” over the phone, they’ll need some form of personal identification such as your birthdate, your Social Security number, or a bank card number.

B. Vishing: Don’t be a victim

Vish are ever evolving. There is no way to know what tomorrow’s vish will be. That said, here are a few tips to help you avoid being a victim.

1. Be suspicious!

Do not act on a phone call unless you know the caller and understand what is being asked. Verify the caller’s identity independently. If you call back, do not use contact information supplied by the caller; use a number you already know to be valid, such as the one on your bank card or the published contact number of the government agency the caller claims to represent.

Do not visit websites the caller directs you to; they may serve malware. Instead, go to the official websites you know to be valid and use the official phone numbers available to you.

2. Keep secrets secret!

Often the vish is used to get “just a little more” information about you for an even bigger fraud, such as identity theft or opening credit cards in your name. Therefore, do not confirm or provide personal information to the caller. Sensitive information such as account numbers, your Social Security number, addresses, passwords, birthdates, and even your mother’s maiden name can all be used against you.

3. Maintain your personal, financial, and professional contacts!

Update your mailing addresses, phone numbers, and email addresses with important organizations. Notify your employers, banks, and legal institutions when personal contact information changes.

4. If you think you are a victim

Report the situation to the affected parties. Contact your manager or security team if you have been vished at work, or if the vish concerns a work-related matter such as your medical license. Contact your bank if your financial accounts are compromised. Change the passwords on any accounts that may have been exposed. Watch for signs of identity theft. Consider reporting the call to the police if you feel physically threatened.

5. Most of all, be alert!

Social engineering attacks take many forms, and not all forms are easy to spot. Technology safeguards alone cannot protect you. You must be able to outsmart “the bad guy”. Look for signs of trouble, question everything, and ask probing questions instead of answering them.

Remember, security starts with you.

C. The Trojan horse

Sometimes all that glitters is not gold. A little cuddly teddy bear might be vicious ransomware instead

Social engineering is confidence fraud, and it takes many forms. A classic social engineering swindle happened during the Trojan War. As the story goes, after ten years of an exhausting and unsuccessful siege of Troy, the Greek army packed up and sailed away, leaving the Trojans an enormous wooden horse, a gift that seemed to say, “We lose, you win”.

The Trojans wheeled their new bounty through the gates and celebrated their victory with food, drink, and glad hearts! Only, the horse was not a gift. It was filled with Greek warriors, who waited patiently until the Trojans fell asleep and then took the city by force.

Today, a Trojan is a class of malware that tricks users by appearing to perform a legitimate function while actually doing something nefarious. In the world of vishing, the Trojan caller is one who masquerades as the bank, the IRS, or a hospital, when in fact the caller is part of a scam. Note to self: do not fall prey to the deceptive Trojan horse!
