To understand what "Vishing" is you must first be familiar with the terms "VoIP" and "Phishing."
VoIP: VoIP (Voice over IP) is a telecommunications breakthrough enabling telephone calls over the Internet or internal corporate networks.
Phishing: Phishing is an attempt to illegally gather personal information, such as usernames, passwords or credit card details, by acting as a legitimate and trustworthy entity through internet communication. This offense is normally performed through email or instant messaging, and typically directs users to enter their data onto a website.
Vishing: The word "Vishing" is a combination of VoIP and Phishing, and marries an older form of communication (telephone) with modern technology (VoIP and internet communication). Vishing uses the trusted telephone rather than a link in an email to obtain private, personal, and financial information from those who can be easily coerced into making a phone call and divulging their personal, confidential information.
While vishing attacks can originate as an email or a telephone call, the strategy of each is basically the same. The recipient is directed to call a phone number they believe is affiliated with their financial institution or a company with whom they do business.
In a vishing attack, the phone number dialed belongs to the perpetrator's VoIP phone, which is programmed to recognize key strokes or phone tones. Typically, the recipient will hear a message asking them to enter their account number via the phone keypad to verify their identity.
A perpetrator can easily glean valuable numeric information via the telephone. Numbers are easier than letters to transmit when responding to a vishing attack. As a result, victims are likely to divulge the following:
Due to wide use of these types of data entry methods by financial institutions, most people are comfortable doing this, and feel secure entering in the numbers.
Vishing is successful and attractive to perpetrators because:
Because vishing utilizes VoIP, it is very difficult for authorities to monitor and trace. VoIP provides the ability to mask identity, location, or phone number (spoof caller ID), and provides inexpensive automated systems and anonymity for the person behind the operation. In addition, VoIP providers allow customers to select any area code and prefix, making it easy for a perpetrator to use a local area number to blanket unsuspecting victims by war dialing the vicinity, or sending mass emails. Victims who call the "local" number have no idea their call is being routed to a distant location via the Internet.
Voice recognition technologies have also reached an advanced level and are relatively inexpensive to acquire. Sophisticated vishers are not merely restricted to numeric data and can steal additional information details such as names and addresses via these additional technologies.
Once the perpetrator has gained this information, it is easy for them to perform the following acts:
Common sense is your best defense.
If you think you are a victim of vishing, contact the financial institution immediately and notify them of the issue. Additionally, you should consider contacting the Internet Crime Complaint Center (IC3) immediately at http://www.ic3.gov/complaint. The IC3 serves as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.
The bottom line is that you should always consider and verify the source before divulging any personal information. Once you give information to a con artist, it is gone, and there is no way to get it back completely.
These helpful tips are provided by Digital Defense, Inc., a computer security company working with your bank as a responsible member of the community to help insure the privacy and security of our nation's financial information.