The way humans communicate with each other has changed drastically in the last century. For hundreds of years, the postal system was our main method of communication. Then came the invention of the public phone box in the 1920s, before landlines became a common feature of the majority of UK homes in the 1950s. 1971 saw the invention of email and a couple of years later, mobile phones were used to take personal, as well as business, calls. By the 2000s, most people had an email address and mobile phone, with massive technological advancements in recent years leading to video calling and instant messaging.

Having multiple ways to communicate is important for staying in touch with friends and family — especially those who might live in another country. On the other hand, this means we are opening ourselves up more to fraud.

Criminals can now reach us in a multitude of ways to try to steal our personal and financial information. Because of this, we are often warned about scam artists and fraudsters — which means you’ve likely come across the term “vishing attack”. 

But what are vishing attacks? And how can we protect ourselves against them? In this article, we’ll reveal all.

Vishing is when a scammer calls you on a mobile or landline phone and tries to get you to reveal your personal or financial information. 

Usually, the fraudster will pretend to be from a legitimate organisation urging immediate action in order to acquire sensitive information like bank details, passwords or login information to gain access to your accounts.

Vishing vs phishing vs smishing

Vishing, phishing and smishing are all types of identity fraud. The only difference between them is the method the scammer uses to contact you: email, phone or text.

Phishing attacks are done over email, vishing — or “voice” phishing — takes place over the phone and smishing — or “SMS” phishing — is carried out via text message.

How does vishing work?

A vishing scam usually starts with a phishing email, whereby the scammer attempts to get the victim’s phone number.

Once they’ve obtained a phone number, they will call the victim and pose as a trusted organisation, such as a bank, HMRC, a service provider or the police. The victim is likely to be more trusting of the call if they have already been tricked by a phishing email. The scammer will use persuasive, urgent or threatening language to get the victim to hand over their information quickly and without thinking first.

Depending on the information they’ve managed to steal, the scammer will then be able to withdraw money from the victim’s bank account, make unauthorised payments or commit identity fraud. In some cases, the scammer will convince the victim to transfer funds to them directly. Sophisticated scams may even prompt you to say the word “Yes” while recording the call, in order to impersonate you to authorise payments or access your voice-automated accounts.

If a victim doesn’t answer the phone call, the fraudster may leave an urgent voicemail asking the recipient to call back as soon as possible. Often, these voicemails will threaten the victim with the termination of their accounts, fines or even arrest.

Types of vishing attacks

Cybercriminals are using increasingly sophisticated methods to trick people into handing over their sensitive data. This means vishing attacks aren’t always easy to spot. With that in mind, it’s useful to be aware of some common vishing scams:

HMRC scams

A caller pretending to be from HMRC will claim you owe tax or say there’s an issue with a tax refund and ask you to verify your personal information. HMRC will never ask you for this information over the phone, but if you are concerned, hang up the phone and contact HMRC on 0300 200 3300 to find out if there really is an issue.

Bank scams

You’ll receive a call from a scammer who tells you they’re calling on behalf of your bank. They’ll say there’s been an issue with a payment you’ve made or that there’s been unusual activity on your account and ask you for private information — like your login details, card numbers or address — or ask you to make the payment again. Like HMRC, banks won’t ask you to provide this information over the phone, so again, you should hang up and call your financial institution to check that everything is OK.

Lender scams

A scammer will call you with an offer that’s too good to be true, such as a quick fix to pay off all your debt or a small investment that can earn you millions. They may tell you that the offer will expire, so you need to act quickly and pay a small fee to secure it. As tempting as it might sound, a legitimate lender wouldn’t randomly call you with an offer like this.

Competition scams

You’ll answer a call from someone saying you’ve won a prize. They’ll ask for your personal details because they say they need them in order to process the prize and ensure you receive it as soon as possible.

Compensation scams

A fraudster will phone you offering compensation for a recent accident you’ve been in. While legitimate compensation companies do make cold calls, if you’ve been in an accident and wish to make a claim, it is always best to initiate contact yourself.

Tech support scams

A caller claiming to be tech support for a company like Microsoft or Virgin Media will say they’ve noticed unusual activity on your account or that your computer has been infected with a virus. They will then ask you to confirm your account details or offer to fix the virus by providing you with “anti-virus” software that actually installs malware on your computer.

Techniques used in vishing

Unfortunately, as technology evolves, cybercriminals have more ways to trick people into disclosing their sensitive information or parting with their money.

Here are some of the techniques scammers are known to use:

  • Caller ID spoofing — Vishing scammers can create fake caller ID profiles to make multiple phone calls from a number that seems legitimate. Scammers will sometimes use a number with the same area code, as they know people are more likely to answer calls from local numbers. Alternatively, they will list their number as “Unknown”.
  • Wardialing — Cybercriminals can also use software to call numbers in certain areas and play an automated message urging recipients to provide their personal details and financial information in order to verify their accounts.
  • VoIP — Like caller ID spoofing, scammers can use voice over internet protocol (VoIP) technology to make hundreds of calls at once from a number that appears to belong to a trusted organisation, such as a bank, a government department or the police.

How are vishing targets identified?

As stated earlier, vishing attacks often start with an email that asks the recipient to disclose their phone number. 

Another common way that vishing scammers identify their targets is by digging through the rubbish bins of banks and office buildings to look for contact information on documents that have been thrown away.

How to protect yourself from vishing attacks

As well as being aware of common vishing scams and staying up to date on the latest guidance, there are some measures you can take to protect yourself:

Don’t answer

If you receive a call from a number you don’t recognise, don’t answer. If it’s important, the caller will leave a voicemail, and you can call them back on the organisation’s official number. Bear in mind that scammers sometimes do leave voicemail messages, so don’t call back on the number they’ve given you.

Hang up

If you’ve answered a phone call from someone claiming to be from a particular organisation and you experience any of the following, it may well be a vishing attack, and you should hang up immediately:

  • An urgent or threatening tone
  • You weren’t expecting the phone call
  • A request for sensitive information

Don’t share your information

Remember that banks and building societies, government departments like HMRC and utility providers will never ask you to disclose sensitive information over the phone. You should also be suspicious of requests to modify your login details and other account settings.

List your number as ex-directory

You can list your number as ex-directory to prevent it from appearing in online and physical phone books, which means scammers won’t have easy access to your contact details.

Don’t respond to prompts

Ignore prompts in automated messages that ask you to press buttons or respond to questions. If you do, you will be confirming that the number is in use and will open yourself up to more scam calls. Additionally, as mentioned, some scams will record your voice and use the recording to impersonate you on a voice-automated phone call that’s tied to one of your accounts.

Do some research

Type the details of the call into a search engine to see whether anyone else has reported it as a scam.

What to do if you have been the target of a vishing attack

Anyone can fall victim to a vishing attack. Cybercriminals are often extremely convincing and are constantly coming up with new ways to trick people.

If you are the unfortunate victim of a vishing attack, there are three things you should do:

  1. Keep your information safe by immediately cancelling or freezing the account that’s been compromised
  2. Report the scam to the police or the organisation the scammer claims to be from
  3. Report the scam to the fraud and crime reporting body Action Fraud

Conclusion

Vishing is when a scammer calls you and tries to get you to reveal your personal or financial information. Usually, the fraudster will pretend to be from a legitimate organisation — such as a bank, HMRC, a service provider or the police — and they will use persuasive, urgent or threatening language to trick you into handing over your information quickly and without thinking first. Depending on the information they’ve obtained, the scammer will then be able to withdraw money from your bank account, make unauthorised payments or commit identity fraud. Sometimes, scammers will convince victims to transfer funds to them directly.

There are various types of vishing attacks, with scammers using techniques like caller ID spoofing, wardialing and VoIP to try to trick you. However, you can protect yourself by being aware of common vishing scams, staying up to date on the latest guidance, not answering calls from unknown numbers, hanging up if the call seems suspicious, never sharing sensitive information over the phone, listing your number as ex-directory, not responding to prompts and typing the details of the call into a search engine to confirm whether it is a scam.

If you do fall victim to a vishing attack, cancel or freeze the compromised account immediately and report the scam to the police, the organisation the scammer claims to be from and Action Fraud.