Please confirm your identity – what is your account number?

Feb 03, 2015


You’re watching TV at home and the phone rings…

“Hello, this is Bob from Microsoft. How are you today? We’re investigating a large number of Windows problems that have been happening lately. Would you mind if I help you see if your system is affected?”

If you follow Bob’s directions, you’ll likely be looking at a Windows event or system log that appears to be full of errors. Bob, being the helpful Microsoft employee that he clearly is, will now offer to ‘fix’ your system for a nominal fee if you grant him remote access. What do you do?

This scenario is just one example of an ongoing and ever-increasing wave of ‘vishing’ scams. Vishing, derived from ‘voice’ and ‘phishing’, is the phone version of phishing and is a social engineering attack aimed at gaining access to private/personal data, mainly for financial gain. Vishing operators use an array of attack vectors ranging from simple information disclosure, to the request for an email address, to remote system access and in some cases even payment details directly over the phone. Although anyone could receive these calls, older people are often specifically targeted, as they are less likely to understand the technology and can be more easily socially engineered. Successful attacks have resulted in the loss of thousands of pounds and, in worse cases, life savings.

Living in a digital and technological age, the assertive and naturally cautious among you are likely thinking “I wouldn’t ever get caught out by that!” However, as society, technology and human interaction evolve, so too do the mindset and psychology of the perpetrator. Phone systems utilising VoIP technology can be manipulated further, facilitating caller ID spoofing and more advanced features that simultaneously shroud the attacker and add a layer of trust for the victim.

So how can we identify what’s real and what isn’t? In 2014, £23.9m of losses were attributed to vishing scams, up from £7m in 2013[1]. As with most cyber problems, all is not lost and there are some things that you can look (or listen) out for in order to reduce your chances of becoming a statistic:

• request for personal/financial information – it’s likely that the caller will ask for varying degrees of information, often under the pretext of an issue, e.g. a call from a bank may use an overdrawn account, or potential card misuse. Never provide any personal or financial information at their request or to prove your identity
• do not rely on caller ID – there are numerous ways to block or spoof the incoming phone number/name. This should not be used as the basis for any assumption about the caller’s identity
• do not ask them to confirm details about you – some may think that asking the caller to provide your address/account number/secret passphrase etc. as a means of confirming their identity provides a guarantee of authenticity. A vishing caller may have much of your information in advance and could therefore give you a false sense of security by disproving your suspicions
• do not press keys responding to automated instructions – many calls start with an automated message, prompting the user to ‘press 1’ to speak to someone. Whether the call continues or cuts off, by simply pressing a button you confirm to the caller that it is an active line owned by someone willing to pick up the phone, which may result in your number being added to further call lists
• do not call back immediately – if you hang up to call the company in question directly, don’t do it immediately. Scammers are often able to keep the line open for short periods of time after you put the phone down, meaning that after picking up the receiver again you could be talking to the same person. To be sure this doesn’t happen, call a number you know well to ensure the line isn’t being kept open. Failing that, you can use a different phone

Many phone companies have mechanisms in place to shield you from anonymous/suspicious calls as much as possible, but these are only deterrents. Never feel pressured or obliged to provide any caller with any information about yourself, and you can report these calls to Action Fraud (http://www.actionfraud.police.uk). With a little awareness and assertiveness, and keeping the above advice in mind, the chances of you becoming an unfortunate statistic will be dramatically reduced.