Vishing, also known as voice phishing, occurs when scammers make phone calls to trick you into sharing personal information or sending money. By impersonating legitimate companies and using social engineering tactics, scammers hope to gain your trust and persuade you to share sensitive information, which they can use to commit fraud or identity theft. According to Keepnet’s 2024 voice phishing report, approximately 70% of organizations have fallen victim to vishing, resulting in an average financial loss of $14 million annually. Vishing can affect individuals and organizations alike, so it’s important to understand how it works and ways you can protect yourself.
Continue reading to learn how vishing differs from phishing and smishing, see common examples of vishing and discover how to avoid falling victim to these attacks.
Vishing vs phishing vs smishing: What’s the difference?
Think of phishing as an umbrella term for cyber attacks that scammers use to deceive you into sharing your personal information. Phishing typically occurs via emails, where scammers send you unsolicited links or attachments as part of their attempt. Vishing and smishing fall under the umbrella of phishing because they share the same goals, but vishing occurs strictly through phone calls, while smishing occurs strictly through text messages (SMS).
How vishing works
In most cases, vishing starts with a scammer researching you to determine how to best deceive you into sharing information. They may use your email address to uncover other Personally Identifiable Information (PII), such as your phone number. With this information, a scammer can disguise their area code by changing it to match yours, tricking you into believing they’re calling from a local phone number.
When you answer a scammer’s call, they may convince you to share personal information, such as bank account numbers, credit card details or your home address. Scammers hope you will believe they are legitimate individuals or companies by building rapport through active listening, cordial conversation and thought-provoking questions. More recently, scammers have started using Artificial Intelligence (AI) to conduct vishing attacks by impersonating the voice of someone you know. AI assists scammers in convincing you that a friend, family member or coworker is calling by analyzing a person’s voice from videos, often posted on social media. With scammers using AI in vishing attacks, these scams are much harder to detect because the voices may sound authentic but are not who they claim to be.
If you believe the scammer is legitimate and share your personal information with them during the phone call, they will use that information to commit cybercrimes. With the information you provide in a vishing attack, scammers can steal money from your bank account, make unauthorized purchases with your credit card or hack into your email account to scam people you trust.
Examples of vishing
Here are some of the most common examples of vishing attacks you may encounter.
Fake IRS calls demanding immediate payment
A scammer may pretend to be an IRS agent, calling to notify you that you owe taxes and need to provide sensitive information to avoid legal action. Most fake IRS calls are conducted through pre-recorded messages, so you will likely not speak to a person in real time. The message may sound like: “In order to avoid legal consequences, you must provide valid payment information for the taxes you owe the IRS within 24 hours.” This vishing attack is intended to scare you into compliance and discourage questioning the legitimacy of the call by claiming it is from a government agency. However, the IRS will never contact you by phone to demand payment without first contacting you via snail mail or email with your permission. You should never provide payment information over the phone to anyone claiming to be the IRS unless you initiated the call and are certain you are speaking with a legitimate IRS agent.
Calls from your bank asking for account details
You may receive a phone call from someone claiming to be from your bank, asking you to verify your account details. Since your bank will never ask you to share your account details, including security codes or passwords, you should recognize this as a vishing attack. A scammer impersonating your bank may say something like: “We just need your bank account information to verify a suspicious charge. Can you tell us the security code to your account so we can check on this for you?” It’s safest to hang up and contact your bank directly to verify whether they need your account information. Providing personal or sensitive information over the phone to a scammer could result in your bank account being drained.
Tech support scams requesting access to your computer
In a tech support vishing attack, a scammer impersonates a representative from a technology company, such as Apple or Microsoft. When they call, the scammer claims to have found a technological issue with your computer and says they need remote access to fix it. During the call, the scammer may say something like: “We’ve found a bug on your device and need to access it to fix the problem. Can you give us your email address and current software details?” They may request your email address to send you codes or downloadable content, allowing them to gain access to your device. However, providing these codes or downloading the content can install malware on your computer, leading to stolen data and an invasion of your privacy. If you receive a phone call from a technology company you didn’t contact first, it’s best to hang up and contact the company directly to confirm whether they detected an issue with your device.
Medicare scams demanding your ID number
Another common vishing attack occurs when a scammer impersonates a Medicare representative regarding your eligibility. They may warn that your Medicare eligibility will be canceled unless you verify your identity by providing your current Medicare number. A scammer impersonating Medicare may say something like: “We are unable to verify your identity without additional information. To receive your Medicare benefits, please share your Medicare ID number.” This type of vishing attack aims to trick you into sharing your Medicare number and other personal information so the scammer can steal your benefits and identity. Do not provide your personal information to anyone claiming to be from Medicare unless you are certain the individual is legitimate or you contacted them first.
Relatives claiming they need emergency money
You may think it is easy to detect if someone is impersonating your family members, but scammers are increasingly using AI to mimic familiar voices and trick you into sharing information or money. If you receive a phone call from a relative claiming to have been in an accident and needing money immediately, try not to panic and act impulsively. Most often, these vishing attacks are in the form of grandparent scams, which typically target the elderly by impersonating grandchildren or close relatives during a catastrophic event. For example, a scammer may find your grandchild’s voice through a video on social media. They can upload that video to AI software that clones your grandchild’s voice, allowing the scammer to impersonate them convincingly. If you ever receive a phone call like this, contact the relative directly using another method, such as texting the phone number saved in your contact list.
How to protect yourself against vishing
You can protect yourself from vishing attacks by avoiding calls from unknown numbers, creating a safe word with your loved ones, refraining from sharing your personal information over the phone and making sure your accounts are secured with strong passwords.
Avoid answering calls from unknown numbers
If you receive phone calls from unfamiliar numbers, it is best not to answer them. Unknown numbers are often spam or scam callers, so avoiding unsolicited calls can help protect you from vishing attacks. Scammers may use software to alter how their phone number appears on your screen, often giving it a local area code to build trust. If a number is not saved in your contacts, it is safer to let the call go to voicemail instead of answering it.
Create a safe word with your friends and family
Since scammers are using AI to impersonate familiar voices in their vishing attacks, you should create a safe word with your friends and family. Modern vishing attacks aim to trick you into believing that the person on the other end of the phone is someone close to you, aided by AI. However, by using a safe word that only your friends and family know, you can verify the caller’s identity. If the caller does not know the safe word or gives the wrong answer, you will recognize them as a scammer.
Never give out your personal information to just anyone
Even if someone claiming to be from the IRS or another company calls to demand immediate payment or personal information, never reveal sensitive information over the phone. These calls may threaten serious consequences for not complying, such as jail time or significant fines. However, if you haven’t contacted the IRS or a legitimate company directly, there is no reason you should be receiving a call from them, so recognize these as vishing attacks.
Make sure your accounts are secured with strong passwords and MFA
An important way to protect yourself from vishing attacks and other forms of phishing is to secure your online accounts with strong passwords. Make sure that each of your accounts has a strong, unique password consisting of at least 16 characters and a combination of uppercase and lowercase letters, numbers and symbols. By securing your accounts with strong, unique passwords, you reduce the risk of a scammer guessing a weak or reused password and hacking into your accounts to steal private information.
In addition to securing your accounts with strong passwords, you should also enable Multi-Factor Authentication (MFA) if it’s available. MFA adds an extra layer of security to your accounts by requiring another form of authentication to verify your identity before gaining access. If you reveal your login credentials in a vishing attack but have MFA enabled, the scammer will be unable to access your account with just your username and password, as they will need another way to authenticate your identity. Some types of MFA include a code from an authenticator app, an answer to a security question, a PIN or your biometric information.
Listen to your gut
We understand that, no matter how much you prepare for a cyber attack, it can be difficult to emotionally prepare for the potential consequences. It is easy to panic and throw logic out the window when you realize you may be caught in a vishing attack, which is why you need to listen to your instincts. If you are talking to someone over the phone and have a suspicious feeling that they are not who they claim to be, trust your gut and hang up. It is much safer to call a company directly using a phone number listed on their official website than to give up your personal information to someone who makes you feel uneasy.
The bottom line
As AI continues to be used in cyber attacks, it’s important to know how to keep yourself safe from vishing, phishing and smishing attacks. Regardless of how a vishing attack occurs, you can protect yourself by creating a safe word with your loved ones, refraining from sharing personal information over the phone and securing your accounts with strong passwords. An easy way to secure your accounts with strong passwords is by using a password manager like Keeper®. Keeper Password Manager allows you to create, update and store your unique passwords as well as MFA methods in a secure, encrypted vault.
Start your free 30-day trial of Keeper Password Manager to protect your accounts and stay safe against vishing attacks.