“Vishing” may sound familiar, but unless you’re a fraud investigator, you probably haven’t encountered it. Unfortunately, that could change … soon. To foil a scam that increasingly takes advantage of remote workers, learn what vishing is and how your business can prevent it from infiltrating your network.
Vishing isn’t the same as “phishing.” The latter is a type of social engineering fraud that involves email or text messages designed to trick someone into revealing sensitive personal information. Or it may target employees to gain access to worker and customer data, as well as intellectual property.
Voice vhishing (or vishing) scams, on the other hand, involve phones — rather than email or text messages. Vishing schemes often are more aggressive, elaborate and personalized than traditional phishing scams. Therefore, they can be harder to detect.
A look behind the scam
Vishing scams attacking businesses have grown as more employees have started working from home. Typically, fraudsters begin by researching employees online. Armed with such information as an employee’s name, position and duration of employment, the perpetrator poses as a member of the employer’s IT department, claiming he or she needs to install security updates on the employee’s laptop.
Believing they’re giving remote access to a coworker, victims enter their login information into a virtual private network (VPN) set up by the perpetrator. This includes any two-factor authentication or one-time passwords. It’s an honest mistake by the employee that gives the visher real-time access to the company’s actual VPN — and its proprietary information.
Turn a weakness into a strength
Most vishing schemes exploit VPN weaknesses. So if your remote workers access your network through a VPN, be sure to:
- Restrict VPN connections to managed devices only,
- Limit VPN access hours, if possible, to mitigate after-hours access,
- Use domain monitoring to track changes to the company’s domains,
- Actively scan and monitor Web applications for unauthorized access and modification, and
- Employ the principle of least privilege (which restricts access to only those privileges needed to perform essential job functions).
Consider implementing a formalized authentication process for employee-to-employee phone communications. For example, you might require a second factor to authenticate the phone call before discussing sensitive information.
Training your employees
Knowledgeable employees can also help you identify suspicious activity. So be sure to add vishing to your fraud training handbook. Contact us for help if you suspect fraud has attacked your business.
© 2021 Covenant CPA
Despite the National Do Not Call registry and features such as caller ID, phone fraud is thriving in the mobile phone era. Using spoofed numbers — which appear to be connected to legitimate government offices and businesses or that resemble your own number — fraud perpetrators say anything and everything to try to steal your money.
Recently, scammers have posed as Social Security officials to steal from unsuspecting consumers. Since January 2018, the Federal Trade Commission has received more than 63,000 reports about this scam. Only 3% of reporting call recipients lost money, but the losses total $16.6 million.
Anatomy of a crime
Here’s how the Social Security scheme works: Criminals call from spoofed phone numbers and tell consumers that their Social Security number has been linked to a crime and has been “suspended.” The callers claim that the consumer’s bank accounts will be seized by the government unless they withdraw money and transfer the amount to gift cards. While the thief remains on the line, the consumer purchases the gift cards. Then the caller asks for the gift card numbers and PINs, supposedly for “safekeeping.” With that information, the fraudster uses the cards or sells them on the black market.
The same callers also usually ask consumers for their Social Security number for confirmation purposes. With this critical piece of personal information, crooks can steal someone’s identity.
Truth of the matter
The truth is that the Social Security Administration doesn’t suspend Social Security numbers, nor does it ask people for their numbers over the phone. And no government entity would ask for payment in gift cards. Criminals hope that you aren’t aware of these facts. They also use fear — of arrest, loss of savings and, in some cases, deportation — and a sense of urgency to get what they want.
Fortunately, you can avoid becoming snared in a Social Security phone scam by following some simple guidelines:
- If you don’t recognize the number appearing on your caller ID, don’t answer the phone.
- Install a spam call blocker (available in mobile app stores) and use it for any calls that seem suspicious.
- If you inadvertently answer a spam call, hang up immediately.
- Never provide personal information, including bank account or Social Security numbers, to anyone over the phone.
- Report suspicious calls to ftccomplaintassistant.gov.
Businesses beware, too
Note that it’s not just consumers who might fall victim to phone fraud schemes. Fraudsters also target businesses to secure sensitive information such as bank account numbers, routing numbers and passwords. If you’re a business owner, educate employees about phone scams and implement fraud controls. Contact us for more information at 205-345-9898 and email@example.com.
© 2019 Covenant CPA