What is vishing?
When phishing is done by phone, it is called vishing. How do you recognise it and how best to deal with it?
While phishing as a whole relies heavily on a phenomenon that we describe as 'social engineering', this is even more of a factor for vishing (a contraction of voice and phishing).
How does vishing work?
It usually works like this: you enter your personal information on a website after clicking on a malicious link. Perhaps you did so because the message you received convinced you that there was a problem with one of your accounts, or perhaps it was an overdue invoice?
After entering your details, you receive a call from someone pretending to be from (for example) your bank, saying that there is suspicious activity happening on your account. They will then try to convince you to outwit any possible hackers by suggesting to move your money 'temporarily' to their 'safe account'. In reality, this is vishing and you are moving your money to accounts that the real bank can no longer touch.
Sometimes you will be called without having entered any data yourself first. In that case, they take advantage of a previous data leak from a website where you have an account. Or they try to convince you by telling you that you will receive a parcel, but that there are customs fees to be paid first.
How can you recognise vishing?
You can recognise vishing in much the same way as phishing: you will notice that they want you to take action. They will put pressure on you by saying it is urgent. Often the timing of the phone call is suspicious as well: usually you will get someone on the phone within 24 hours after you filled in your details - sometimes even within the hour.
Bear in mind that a bank will never ask you for your log-in codes, that service providers will address you with your customer number, but that you are always the one who has to carry out the suggested actions.
How do you prevent vishing?
Vishing is often successful because the person trying to phish you will contact you with information you would not expect an impersonator to have. If you entered your details on a fake login page in the previous step, then you have obviously just given them to the attacker. When they call you, they speak from a position of power and trust.
Bear in mind that a bank will never ask you for your log-in codes, that service providers will address you with your customer number, but that you are always the one who has to carry out the suggested actions. Therefore, always think carefully about what is being asked of you, dare to be critical and, if necessary, get involved - if you call the official number of the service yourself, you can be sure that everything is legitimate.