Vishing stands for "voice phishing" and is a new twist on the phishing e-mails that you may have received: the criminals now use the phone as well to trick consumers into revealing personal information.
Vishers will send out an e-mail to thousands of people which looks like it is from a reputable organization, such as a credit card company, online retailer, bank or government agency. The e-mail may warn of a security alert and ask you to call a local or toll-free number where an automated attendant will ask you to punch in personal information, such as your credit card number, social insurance number or online banking password. After you do that you may be disconnected without speaking to anyone, but the criminals will have your information.
Security experts have seen another variation of vishing where the criminals will leave a voicemail message or make telephone calls directing people to the bogus phone number. With Voice over Internet Protocol (VoIP) and other Internet-based telephone technology, criminals can now make calls inexpensively and can mask their identity and their location and even make it look like they are calling from a legitimate company on your call display.
So, why do they do it? Usually it’s to commit some sort of financial fraud.
How to identify a vishing contact
We all get e-mails and telephone calls from legitimate companies and organizations that we do business with, but here are some things you should keep in mind as you try to figure out if you’re being contacted by the legitimate company or by a visher.
- If you are dealing with a legitimate company, they know who they are contacting and will address you by name in an e-mail or telephone call. Vishers don’t typically know who you are and don’t usually use your name.
- If a bank suspects fraudulent activity on your debit or credit card or account, they will never contact you by e-mail. If you do receive such an e-mail, do not respond and delete it.
- In some cases, your bank may contact you by phone or leave you a voicemail message if they suspect fraudulent activity. As part of a legitimate conversation with your bank, you may be asked verification questions so the bank can ensure that they are speaking to the right person. You will not, however, be asked to verbally provide any Personal Identification Number (PIN) or banking password or enter your PIN or password on your telephone keypad. As part of the verification process, your bank will never ask you for your Social Insurance Number.
- It is a wise practice not to use the phone number provided in the e-mail or in the telephone message you receive. You can validate that the call is legitimate by contacting your bank using the phone number on the back of your card, on your statement or a published number you have looked up yourself.
- As a general rule, be cautious about how and with whom you share personal or financial information.
What should you do if you think you’ve been contacted by a visher?
If you receive an e-mail or voicemail message from someone you suspect may be a visher, do not respond using the phone number provided. Instead, contact that organization at a phone number you know is accurate, one that appears on a debit/credit card or bank/credit card statement, on a bill, on a known, legitimate website or in a phone book, and let the organization know the details of the suspected vishing incident.
If at any time you are not comfortable with the questions you are being asked over the phone, do not respond, and tell the caller you are ending the call so that you can verify from an independent source that it is legitimate. No reputable organization will take issue with that. Then call the organization back on a phone number you have looked up yourself.
If you think you have provided personal information to a visher, contact the organization involved right away. If you have provided some of your banking or credit card information, contact your bank or financial institution immediately and they will advise you on what you should do. You can also call your local police department.