How to recognize and avoid Vishing & Caller ID Spoofing

Voice phishing or Vishing tax scams have increased by 20x since 2017. If you’re interested in learning how to steer clear of this type of fraud, we encourage you to check out these helpful resources below.


What is Vishing?

Vishing is a form of phishing scam done through a phone call. In a vishing attack, a scammer preys on human error by phoning their victims and attempting to get them to disclose personally identifiable information (PII) or sensitive financial information, or both. The word “vishing” comes from “voice” and “phishing,” which suggests that a fraudster is dangling a hook or a lure to get unsuspecting victims to reveal usernames, passwords, credit card details, or download malware onto their devices.


Originally, phishing attacks were mostly confined to phony emails from what appears to be a trusted source. The emails are cleverly designed to lure unsuspecting folks into clicking a link and entering their data on an illicit website. The phishing lexicon has expanded to include smishing, which uses fraudulent text messaging, and pharming, which is phishing using fake websites without the email hook.


Vishing Scams are a Real Hang-Up

Phishing accounts for an astonishing 90% of data breaches. The FBI lists the three subgroups of phishing — vishing, smishing, and pharming — as the most prevalent threat in the U.S. in 2020, with more than 240,000 victims. And in March of that year, when the first peak of the pandemic was being felt around the world, these scams thrived and phishing emails spiked 667% globally.

The reason vishing is so successful is that it exploits the subconscious side of human nature. Vishing is a form of social engineering — that is, the criminal uses specific or “vague enough to be real” details about the victim to get them to believe the scam caller is authentic and should be trusted.

Vishing is not easily detectable through caller ID. By spoofing a legitimate phone number, voice phishing scammers lead you to believe the call is real. Vishing calls may come from a blocked number or a fake or spoofed phone number used to impersonate a legitimate person or organization. Fraudsters also use robocalls to carry out vishing schemes on a larger scale. 

No matter what form the phishing attack takes, social engineering thrives in times of uncertainty.


How does Vishing work?

The person or robot placing the phone call uses a sense of urgency or the guise of an emergency to ask you questions confirming your identity or personal details, then they ask for even more information. Many of these vishing ploys used the urgency of the COVID-19 pandemic and consumers’ thirst for information (for example, free testing sites, vaccine signups, or trials) to set up phone-based credential scraping or malware-droppers through malicious websites designed to look professional, credible, and mobile-responsive. Many of these sites use branding from the Centers for Disease Control (CDC) or other health and government authorities.

The catalyst may not always be negative situations: sometimes the urgency comes from the excitement of potentially winning money, gifts, or trips. Unfortunately, it’s all fake when it comes to vishing scams. The scammer really wants your personally identifiable information (PII), financial account details, medical information, or other sensitive data. And they want you to give it to them over the phone quickly before you have time to realize it’s a scam.


How Spoofers often stay a step ahead of their Victims

It’s easy to see how the mechanics of these calls can be deceiving. In a spoofing call, the perpetrators use simple application software installed on their cell phone or laptop that allows them to make outgoing calls appear to be coming from a legitimate source. 

Verizon offers these common examples of spoofing:

  • Receiving calls from a friend or spouse’s phone number when your friend/spouse is with you and is not calling you 
  • Robocalls received from a phone number similar to your own 
  • Calls from your bank’s phone number asking for personal information (account numbers, account PINs, etc.) 
  • Caller ID displays “911 Emergency” rather than the actual phone number of the calling party 

Spoofers can enter the phone number for the FBI, local Police Department or bank branch — even public charities such as the American Red Cross — and that number will appear on your phone’s caller ID. Even victims who call the caller back will get a legitimate recorded message from that agency or institution. 

Unfortunately, widely available digital communications technology has made phone spoofing cost-effective for scammers. For example, spoofers will use the power of automated, recorded robocalls to target a much wider audience of potential victims, and often run several different fraudulent schemes at the same time to diversify their criminal activity. They only need a relatively small number of victims to be successful. 

During the COVID-19 pandemic, spoofers have pivoted their phone call strategy, pretending to be from the IRS or the Social Security Administration, offering fake coronavirus testing, and scaring small businesses into buying bogus online listing services. You can learn more about these and other types of scams on the Federal Trade Commission website, and hear how these calls sound in some sample “scripts” published by the Federal Trade Commission.

U.S. spoofing crimes affected more than 28,000 victims in 2020 alone, racking up nearly $220 million in losses, according to the FBI’s Internet Crime Complaint Center. Internet-related identity theft disproportionately impacts victims over age 60, who suffer more losses, as a group, than any other age cohort. 

The most insidious practice of spoofing con artists is using YOUR personal phone number to infiltrate your circle of friends, relatives, and neighbors in order to steal their identities and money or run other scams against them. Sadly, there currently is no legal protection against this form of deception. Fortunately, the FCC has been working with telecommunications providers to create new ways to digitally validate caller IDs (through the so-called STIR/SHAKEN authentication standards). This would greatly reduce the incidence of spoofing, and we think it would bring welcome relief to millions of Americans. 


Common Vishing tactics to listen for

  • Your Social Security number has been compromised
  • Your bank account has been red-flagged or hacked
  • You’re eligible for free COVID testing or an experimental vaccine
  • A charity is requesting a donation for disaster relief or COVID-19 support
  • A credit card charge needs to be verified
  • The IRS has discovered discrepancies in your tax return
  • Your vehicle is qualified for an extended warranty
  • Your computer has been compromised and requires tech support services
  • There is a warrant issued for your arrest
  • Your friend or family member needs money to get out of trouble
  • Your friend or family member was in an accident
  • You have won a free vacation (or sweepstakes, or lottery, or giveaway)
  • You’re eligible for a free trial or free product for something you didn’t request



How to Protect yourself from Vishing: Hang Up

The Federal Communications Commission (FCC) has issued detailed guidelines on how to protect your valuable PII from spoofing calls, spoofing emails, and phony landing pages.

Here are the critical steps we recommend that you follow: 

  1. Don’t answer calls from unknown numbers. Simply let it go to voicemail. If you do answer an incoming call that seems to be legitimate or coming from a local source but turns out to be a robocall, hang up. Although you may think there’s no harm in answering an unknown caller, your act of answering tells the attacker that your phone number is real and could put you on a list for future scam attempts.
  2. Never give out any personal info to callers. Remember, the Social Security Administration and the IRS will never call you to request personal information or make threats. They conduct official business through the U.S. mail. Banks, law enforcement, and most legitimate businesses will never call you to request sensitive information including account numbers, Social Security number, mother’s maiden name, password, or any other identifying information. Don’t be swayed by implied or overt urgency — hang up if you’re asked for PII. 
  3. Verify any sensitive information request by calling a known number. If you receive a phone call from an unknown number or from a familiar name you weren’t expecting a call from, do not share any sensitive or personal information — not even your date of birth. This is especially important if the caller requests ANY information from you to confirm who you are before proceeding with the call. Scammers want you to react and divulge your information. The person on the other end of the line may sound sincere and trustworthy, but that doesn’t mean they’re legitimate. If you get an inquiry from someone who says they represent a government agency, company, or non-profit organization, hang up and call the phone number on your account statement or on the company’s or government agency’s website to verify its authenticity. Calling the incoming number back will only reconnect you with the scammer. Look up the correct number yourself through the organization’s website or a phone directory, or call the number listed on your bank or account statement or the number on the back of your credit card.


What do I do if my information is stolen in a Vishing scam?

When victims are tricked into sharing their name, date of birth, Social Security number, bank account details, and other sensitive information, fraudsters are equipped to commit credit card fraud, account takeovers, and identity theft using that information.

If you have shared your personal information, bank account, or credit card number in what you suspect was a vishing scam, report the call to your financial institution and government agencies. Several agencies are working to reduce fraud and capture scammers, including the Internet Crime Complaint Center (IC3), the Federal Trade Commission (FTC), and the Better Business Bureau (BBB).


Vishing Lures are Breaking

Finally, there is some good news to report. As of June 30, 2021, FCC rules require telecommunications providers to implement STIR/SHAKEN authentication standards in the Internet Protocol (IP) portions of their networks so that “Americans can benefit from this important technology and start to have faith in their phones again.” These processes significantly reduce the ability of vishing scammers to spoof legitimate names and phone numbers, giving them one less way to fool you into exposing your personal and financial information.
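As an added illustration (not code from the original article or from any carrier) of what STIR/SHAKEN verification actually checks before a phone shows a trusted caller ID, the Python below builds and verifies a simplified SHAKEN PASSporT. It assumes constructed phone numbers, a placeholder certificate URL, and substitutes HMAC-SHA256 for the real ES256 certificate signature so that it runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the originating carrier's STIR signing key.
# Real PASSporTs are signed with ES256 (ECDSA P-256) and verified against the
# certificate fetched from the x5u URL; HMAC-SHA256 is substituted so this runs offline.
CARRIER_KEY = b"demo-originating-carrier-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_passport(orig_tn, dest_tn, attest, iat, key=CARRIER_KEY):
    """Originating carrier: build a SHAKEN PASSporT (RFC 8225/8588 claims) for one call."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://cert.example.invalid/carrier.pem"}  # placeholder URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "demo-origid"}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_passport(token, displayed_caller_id, called_tn, now, key=CARRIER_KEY, max_age=60):
    """Terminating carrier: return (ok, reason) after the checks that decide whether
    the caller ID shown to the subscriber can be trusted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return False, "malformed PASSporT"
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        return False, "not a SHAKEN PASSporT"
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "signature invalid: token altered or not signed by the claimed carrier"
    if abs(now - payload.get("iat", 0)) > max_age:
        return False, "stale PASSporT: iat outside the freshness window"
    if payload.get("orig", {}).get("tn") != displayed_caller_id:
        return False, "displayed caller ID does not match the attested originating number"
    if called_tn not in payload.get("dest", {}).get("tn", []):
        return False, "PASSporT was issued for a different called number"
    return True, "verified, attestation level " + payload["attest"]
```

A call whose displayed number differs from the number the originating carrier attested fails the orig check, which is exactly the spoofing case the article describes.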

The new rules have teeth. The FCC fined a telemarketing firm a record $225 million for transmitting approximately 1 million robocalls, many of them illegally spoofed, to sell short-term limited-duration health plans (the robocalls falsely claimed to represent well-known health insurance companies).


Get the Best Identity Theft Protection today

If you think you’ve been victimized by a vishing scam or any other type of scam, we can help you take steps to protect your personal information. Bitdefender Identity Theft Protection can help monitor your identity and credit while providing you with the latest news and information on identity theft protection.