Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 165: BEWARE OF “Vishing Scam”
Reference Number: ACG-CSB 050219165
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Vishing is a socially engineered technique used for stealing information or money from consumers using the telephone network. The term comes from combining "voice" with "phishing," the online scams that persuade people to give up personal information.
Voice phishing (vishing) scams use voice solicitation to get information or money from consumers or businesses. The scammer calls the victim and attempts to use social engineering techniques to trick the victim into doing something, often to give credit or debit card details or send money.
Sending email spam and SMS spam is very easy and costs almost nothing. Calling an intended victim personally, on the other hand, takes more time and effort. For that reason, people are less accustomed to vishing and the stakes are often much higher in order to justify the scammer’s time.
The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source, such as a bank or a government agency.
Individuals and their personal finances are not the only targets of vishing. Social engineers can use vishing to build relationships with key employees and take advantage of the human tendency to be open and helpful in order to steal data, access confidential networks, and run other scams.
Vishing is often just one element in a Business Email Compromise (BEC) attack. BEC attacks often begin with the gathering of information through online searches, vishing and phishing. A social engineer can lure unsuspecting employees into giving out seemingly innocuous information, such as details about the structure of the organization or the travel plans of its executives. This information could then be used to impersonate a superior and convince an employee to wire funds to a fraudulent account or divulge access credentials.
These types of vishing attacks could be underreported because people do not necessarily know when they have been vished. It is not always easy to see the connection between giving out seemingly harmless information and a larger BEC attack. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless.
Consumers can protect themselves by treating with suspicion any unsolicited message suggesting that they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in an unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
The public are advised to follow these tips in order to understand the risks and prevent being victimized by Vishing attacks, to wit:
- Think before you speak. Scammers want you to act and give out information;
- Be aware that caller IDs can be easily spoofed by scammers;
- Verify phone numbers before calling back;
- Use a different phone to call back;
- Never divulge or share any sensitive information over the phone; and
- Block automated calls.
For additional information, please refer to the following websites:
POINT OF CONTACT