TeleDynamics Think Tank

How to protect your telephone network from vishing (phone scams)

Written by Daniel Noworatzky | Aug 19, 2020 2:49:00 PM

Telecommunications networks will always be targets of malicious attacks. One of the most vulnerable components of a telephony network may not be the technology, but people. Rather than targeting the phone system or data network, many attackers focus their fraudulent activities on the users themselves. In this article, we take a look at some of the most common telephony scams out there today, so you can be aware of them and do your part to protect your employees and your company from them.

Telephone scams are more prevalent than you may think

According to the Federal Trade Commission (FTC), for 74% of the 647,000 reported fraud cases in 2019, contact by telephone was the initial method of communication used by scammers. Only 5% of those people reported losing money to the scammers, but that 5% reported a collective loss of $493 million. Keep in mind that these are only the cases that have been reported to the FTC.

In previous articles, we looked at attacks on telephone networks involving denial-of-service and toll fraud. Those attacks target the technology itself, exploiting the telephony infrastructure to disable it, to financially harm the owner of the network, or to leverage the network for the attackers' own financial gain. Here, we look at scams where the fraudsters target the users answering the phones.

Their tactics can take many forms, but most often involve scammers calling unsuspecting victims and impersonating a trustworthy institution, or even a loved one. The purpose is to deceive the victim and convince them to either provide personal or financial information, divulge usernames and passwords to particular services, or even allow remote access to a personal computer or smartphone.

The term used to describe such activities is voice phishing, or vishing, which is defined as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.”

How telephone scams are carried out

Scammers will usually recruit telephone agents, the actual people that converse with the victims, who may or may not know the full extent of the fraud that is being committed. Such scams are typically executed at random, with what is known as a robocaller, a device that will dial numbers within a region sequentially and connect any successfully answered calls to the scammer’s telephone agents. The agents are usually given a script to follow, depending on the type of voice phishing being carried out. Typical scenarios include:

  • Financial institutions – A scammer will claim they are calling from an officially recognized bank and that they are offering loans with 0% interest or a lowering of student loans, or will inform the victim of a problem with their current credit cards.
  • Microsoft tech support – A scammer will claim they are calling from Microsoft tech support and that they have detected a virus on the victim’s PC. The victim is duped into either providing the scammer with credentials to their Microsoft account, or into installing a program on their computer that will give remote access to the scammer, thus compromising the PC. Once a PC is compromised, scammers can obtain personal and banking information, record online activities, and use any and all of this to harm and even blackmail the user.
  • Extortion of money – Victims will be called, supposedly from the IRS, and unpaid taxes will be demanded of them, with threats of arrest or deportation if they don’t comply.
  • Impersonating loved ones – There have been many cases where scammers will impersonate a sobbing young person, stating they were in a car accident, or have been arrested and require several thousand dollars immediately. This is done in the hope that the victim is a parent or a grandparent with a child or grandchild that fits this situation, while at the same time making it difficult for the victim to recognize the voice on the line.
  • Telemarketing scams – Often, scammers will masquerade as telemarketing agents. They may offer the sale of goods or investments that, when paid for, are either worthless or never delivered. Sometimes donations are requested for charities that don’t exist, or fake prizes like vacations are “offered” as a pretense to obtain personal information.
  • Scams targeting businesses – These scams can involve calling businesses and asking unsuspecting victims for the model numbers of various pieces of office equipment, such as photocopiers, fax machines, and computers. Scammers will send unsolicited shipments of supplies and parts for these machines and then bill these items at very high prices, obligating the companies to pay.

These descriptions are just some of the most common voice phishing scams that have been reported. Of course, there are many permutations of these that have been attempted, and as time goes on, scammers, their methods, and the technologies they use become increasingly sophisticated.

Prosecuting offenders

Landline telephone services have traditionally been trustworthy because they required physical termination in particular locations. A phone number could be associated with a physical address and the name of an individual or a business. Nowadays, however, scammers employing vishing use VoIP features such as caller ID spoofing and computer-generated interactive voice response to make it more difficult for legal authorities to monitor, trace, or block their activities.

How to protect yourself, your employees, and your business

The most important protection against telephone scams is training. Make sure you, your loved ones, and your employees are aware of these scamming methods and teach them how to deal with these situations.

Scammers will attempt to make the call believable by providing some accurate personal information, such as the victim’s name, address, and phone number. Although this adds an air of legitimacy to the call, this information is readily available from any online directory and should not be considered enough to convince you.

The most important thing to do is verify the authenticity of the caller. Even if they sound legitimate, make sure you check the following:

  • Ensure that the name and the caller ID you see are correct. A quick search of the number calling you using your favorite search engine should be enough to verify it. This check alone is insufficient, as caller IDs can be spoofed, but it is an important first step.
  • Be honest. If you suspect a telephony scam, tell the caller that you want to verify their authenticity. If they are genuine, they will be more than happy to oblige.
  • Ask questions. Depending on the alleged caller, ask questions that make them verify their legitimacy by providing information that only you would know, such as:
    1. “What’s my name and account number?”
    2. “What products or services have I purchased from you in the past?”
    3. “What is my current balance? How many tax/loan payments do I currently owe based on your records?”
    4. “How did you obtain my contact information?”
    5. “Can you provide me information that will verify your authenticity?”
  • Establish a password or passphrase with your family members, so that in the event of a real emergency, they can use this to ensure that it is indeed your loved one calling for help. Or, ask a question that only this person could answer, to verify their identity before deciding to respond or to send any money.

Ultimately, if you are suspicious and ask enough questions, scammers will eventually hang up to find a more gullible victim. Legitimate callers will not.

Conclusion

Telephone scams can be an expensive and traumatic experience for victims. For this reason, simply spending the time to raise awareness of these scams and to train your employees to deal with suspicious callers can go a long way towards mitigating them, ultimately minimizing the harm they cause.
