What is vishing?
Every year there is an increase in cases of digital fraud using social engineering techniques to deceive users, alarming them about computer risks or luring them in with offers, money or other advantages. Social engineering involves obtaining sensitive information such as bank details and passwords that enable cybercriminals to commit fraudulent activities.
Recently, numerous cases of telephone fraud have been identified and it is therefore essential to know what it is and how we can protect ourselves.
What is it?
Vishing is a type of social engineering that, like phishing and smishing, aims to obtain users' personal details or bank details; but in this case the fraud is committed over the phone, deceiving the victim by impersonating a trusted third party.
How does telephone fraud work?
Vishing calls can take many different forms, since the content of the call will vary depending on the cybercriminal's aim.
These days, we have to look out for sophisticated fraud attempts in which fraudsters impersonate the bank and quote the customer's own details in order to gain their trust, so that the customer then provides the requested information without suspecting anything is wrong. This type of sophisticated vishing combines various social engineering techniques such as spoofing (phone spoofing, so your bank's name might appear) and OSINT (open-source intelligence).
This is why, if you receive an unexpected call from your bank in which you are asked for sensitive data such as a password, electronic signature, confirmation code or similar information that arrives by SMS, you should be immediately suspicious. Remember that your bank will never ask you for these confidential details over the phone.
Not all vishing is so sophisticated. On other occasions, fraudsters make random calls to users, impersonating any service, in order to trick as many people as possible.
A common example is the fake computer technician who calls to solve an alleged problem with your computer. The cybercriminal seeks to convince the user that in order to solve the problem, they need to install a remote access programme.
In this way, they take control of your computer and have access to your banking information. There are other variants of this technique that also affect bank customers: under the pretext of a security incident, they will try to obtain bank details.
Another technique that is becoming increasingly frequent is the impersonation of mobile phone operators: the callers invite users to participate in a raffle for exclusive prizes, such as the latest generation smartphones. Bear in mind that these misleading offers are received not only over the phone, but also through messages and online advertising.
With this type of fraud, cybercriminals use any information provided by the user to commit more sophisticated scams later on. This is why you should not provide any personal data or any type of useful information when you are called unexpectedly.
Security recommendations: how to avoid vishing or telephone scams
The first method of prevention is to be aware. Thus, you can follow some security recommendations to pre-empt cyber-attacks and keep your computers protected:
- Be suspicious if you get a call from a known company which you are not expecting and, above all, of any communication that requests urgent action, such as providing your bank details.
- If you have received a call from someone claiming to be from Banco Santander and you are suspicious, contact us on 915 123 123 or via any other official channel.
- Do not provide personal information or reveal your bank details. Banco Santander never requests confidential information by e-mail, SMS or any other unsecured channel.
- Be cautious of offers that seem too good to be true, and of promotions or offers to refund money which you have not requested. If you have doubts about what you are being offered, contact the bank itself through its official channels.
- What should you do? Stay calm and don't follow the cybercriminal's instructions. It is best to interrupt the conversation and contact the bank or organisation to report what has happened. If you have provided your details, quickly check your accounts to see if there has been any activity.
At Banco Santander we have set up a mailbox at firstname.lastname@example.org specifically for this purpose. If you suspect that you have been the target of a vishing attempt or any other type of social engineering fraud, report it to this address.