Sounds Phishy – The Rise of Vishing Scams

Awareness of phishing, the cyberattack that typically uses email messages to lure victims into divulging sensitive information or opening a link that installs malware on their device, is now widespread. Companies have learned to combat phishing by training employees to recognize such attempts and report them, protecting the organization. “Vishing” is another tactic used by scammers that, while less familiar, is no less invasive and dangerous.

Vishing, a term formed by combining the words “voice” and “phishing,” tricks victims into providing personal information over the phone. Vishing scams convince victims to hand over passwords, Social Security numbers, bank account information and other personal data to callers pretending to represent an organization that plausibly needs it, such as a government authority or the victim’s bank or utility company.

To appear legitimate, vishing scammers spoof caller ID so the call shows a local area code, and often combine the call with text message prompts. A vishing attempt will usually press the victim to act quickly in response to a (fabricated) urgent situation such as a lost child, a medical emergency, or a once-in-a-lifetime opportunity. These attempts can target hundreds of phone numbers at once, casting a wide net of potential victims, including employees who could provide unintended access to corporate computer systems…

New words have entered the dictionary to describe online scams. Phishing, the one everyone knows by now, is when a scammer uses a pretext in an email to get someone to click a link or open an attachment that deploys malware, including ransomware.

Social engineering is when criminals research individuals and companies online, reading Facebook and LinkedIn profiles and running Google searches to learn as much as possible about a company and its employees, and then assemble a dossier on the company to launch a phishing, vishing or smishing scam.

Vishing can occur, for example, when a criminal buys a domain that resembles the company’s domain, adds some security terms so it looks like it belongs to the company’s IT department, and calls an employee with a story about needing to update the VPN or add extra security measures. While still on the phone, the criminal sends the employee an email from the fake company address and talks the employee into entering a user name and password into the pop-up it opens, giving the criminal full access to the employee’s account.

And smishing (so new that spell check doesn’t recognize it) is when scammers use a text message (SMS) as the ruse instead of an email or a telephone call.

People tend to trust text messages more than emails, and they read them more often and more quickly. Scammers are applying old techniques to new technology to get people to click embedded links that install malware on their phones or to give up personal or corporate credentials. Now the scam arrives by text message.

This should concern IT professionals because so many employees use their personal phones for work. Even though employees are targeted on their personal phones, smishing is still a threat to corporate security. IT professionals may wish to add smishing to their security training so employees are aware of the latest techniques criminals use.
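The fake IT-department domain in the vishing scenario above and the embedded links in smishing texts share one tell: a domain that resembles the company’s real one (a different TLD, a swapped character, the brand plus “vpn” or “secure”, or the brand buried in a subdomain of an unrelated domain). The following screener, an added example and not code from the original post, flags such look-alike domains in a sender address or in URLs found in message text. The protected domain examplecorp.com, the security-term list, the homoglyph table and the sample messages are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the organisation's own registrable domain(s).
PROTECTED_DOMAINS = {"examplecorp.com"}

# Words a scammer bolts onto a brand to pose as the IT or security team (assumed list).
SECURITY_TERMS = ("vpn", "secure", "security", "helpdesk", "support", "sso", "mfa", "login")

# Character swaps seen in look-alike registrations; applied to candidates before comparison.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Lower-case a domain label and undo common homoglyph substitutions."""
    label = label.lower()
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: good enough for .com/.net;
    a production check would consult the Public Suffix List for e.g. .co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(host: str):
    """Return (verdict, reason) for a hostname seen in a sender address or link."""
    dom = registrable(host)
    if dom in PROTECTED_DOMAINS:
        return "trusted", f"{dom}: exact match (subdomains of the real domain are fine)"
    name, _, tld = dom.rpartition(".")
    norm = normalize(name)
    for prot in PROTECTED_DOMAINS:
        pname, _, ptld = prot.rpartition(".")
        if norm == pname and tld != ptld:
            return "lookalike", f"{dom}: brand {pname!r} under a different TLD"
        if norm == pname:
            return "lookalike", f"{dom}: brand {pname!r} spelled with homoglyphs"
        if levenshtein(norm, pname) <= 2:
            return "lookalike", f"{dom}: within edit distance 2 of {prot!r}"
        compact = norm.replace("-", "").replace("_", "")
        if pname in compact:
            extra = compact.replace(pname, "", 1)
            if any(extra.startswith(t) or extra.endswith(t) for t in SECURITY_TERMS):
                return "lookalike", f"{dom}: brand {pname!r} plus security term {extra!r}"
        if pname in normalize(host):
            return "lookalike", f"{host}: brand {pname!r} appears only in a subdomain of {dom}"
    return "unknown", f"{dom}: no resemblance to a protected domain"


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, tolerating the 'Name <user@host>' form."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1]


def triage(text: str, sender: str = ""):
    """Classify the sender domain (if given) and the host of every URL in the text."""
    findings = []
    if sender:
        host = sender_domain(sender)
        findings.append(("sender", host) + classify(host))
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;:!?)")).hostname or ""
        findings.append(("link", host) + classify(host))
    return findings


# Constructed samples (not real messages): the fake IT-department e-mail from the
# vishing scenario, and a smishing text whose link hides the brand in a subdomain.
SAMPLE_EMAIL_SENDER = "IT Security <helpdesk@examplecorp-vpn.com>"
SAMPLE_EMAIL_BODY = "Per our call, update your VPN client here: https://examplecorp-vpn.com/update"
SAMPLE_SMS = "ExampleCorp: your SSO session expired, re-verify at https://examplecorp.com.sso-reverify.net/login"

if __name__ == "__main__":
    for kind, host, verdict, why in triage(SAMPLE_EMAIL_BODY, SAMPLE_EMAIL_SENDER) + triage(SAMPLE_SMS):
        print(f"{kind:6} {verdict:9} {why}")
```

The heuristics are deliberately loose (edit distance 2 will occasionally flag an unrelated short domain), so the output is a triage signal for a mail gateway or an awareness exercise, not a block decision. Homoglyph normalization is applied to candidates only, so the protected names are assumed to be plain letters, and the brand-in-subdomain check is what catches the smishing link, where the registrable domain itself looks nothing like the company.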

December 20, 2018

On December 14, the Florida Attorney General (AG) and the Federal Trade Commission (FTC) announced a $23 million federal district court judgment against the owner of an Orlando-based “robocall” operation.  The massive robocall operation tricked consumers into paying upfront fees of $500 to $1,500 for bogus credit card interest-rate-reduction and debt-elimination services, allegedly causing $23 million in consumer harm.

The settlement follows litigation filed in June 2016 alleging that the owner and 19 other defendants operated an illegal robocall scheme in violation of the FTC Act, 15 U.S.C. §§ 45(a) and 53(b), the FTC’s Telemarketing Sales Rule, and the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108.  The Orlando federal district court judge temporarily enjoined the operation in 2016.  Settlements with the remaining 19 defendants are pending court approval…

July 25, 2017

The Federal Communications Commission (FCC) marked another step in its effort to curtail illegal robocalls. During its recent Open Meeting, the FCC approved Notices of Inquiry (NOIs) into Call Authentication methods and into Advanced Methods to Target Unlawful Robocalls that, respectively, seek input on efforts to institute a caller ID-based “Trust Anchor,” and to develop a re-assigned numbers database.

Opening comments on the NOIs are due on August 14, 2017 and August 28, 2017, respectively, with each having a 30-day deadline for replies. In addition to issuing the NOIs, the FCC also approved a forfeiture order against Dialing Services, LLC, marking the first time the FCC has imposed liability on a telemarketing platform rather than on the calling entity…

June 27, 2017

On June 22, 2017, the Federal Communications Commission (FCC or Commission) issued a first-of-its-kind Notice of Apparent Liability (NAL) alleging that Adrian Abramovich, through numerous companies that he owned or operated, violated the Truth in Caller ID Act by placing more than 95 million robocalls to consumers while “knowingly causing the display of inaccurate caller ID information.”  The NAL proposes fines totaling $120 million, and seeks to hold Mr. Abramovich personally liable for the full amount.  Separately, the Commission released a citation against Mr. Abramovich on the same day for alleged violations of the Telephone Consumer Protection Act and the federal wire fraud statute…