
InfoSec Alert: Social Security Vishing on Campus

Our office received a report of a vishing (fraudulent phone call) attack targeting a WashU student. In the attack, the caller claimed that the student’s social security number had been associated with overseas drug-trafficking activity. 

Another popular vishing campaign involves impersonating support personnel from companies like Apple or Amazon. In this scam, the attackers call with a recorded message indicating that something may be wrong with your account. The message suggests pressing ‘1’ to speak with someone, or calling back a contact number provided on the call.

What is Vishing?

Vishing and other forms of phishing (e.g. via e-mail or SMS) often employ fear tactics to prompt the victim to quickly supply personal information to the attacker. This strategy, generally known as “social engineering,” is commonly employed in cyberattacks. In social engineering, criminals attempt to psychologically manipulate their victims using fear and uncertainty.

How Can I Protect Myself From Vishing?

If you think you are being targeted by a phishing or social engineering scam, please do not engage with your attacker by replying to their e-mail, downloading attachments, clicking on links, or supplying personal information. The best thing you can do to avoid becoming a victim of this type of scam is to treat any unsolicited contact with the highest degree of skepticism. If you ever receive a message from an organization asking you to call back at a specific number, you should find another way to obtain contact information that you can be sure is legitimate. For example, if you received a vishing or phishing message claiming to be from the Social Security Administration, you should not immediately trust the caller or the contact information they supplied. Instead, go to the official Social Security Administration website to obtain contact information. 

Please be aware that cybercriminals also create fraudulent websites, so ensure that the website is genuine by looking carefully at the uniform resource locator (URL). Cybercriminals attempt to mimic genuine URLs as closely as possible, but careful examination can reveal clues that it is not genuine. For example, you might find misspellings in the web address (e.g., rather than “SSA dot gov,” the fraudulent web address might be “S5A dot gov”). In addition, look for indicators that the website is secure. A secure URL should begin with “https” rather than “http.” The “s” in “https” indicates that the website is using a secure sockets layer (SSL) certificate. Finally, look for the lock icon in the address bar on your browser (often to the left of the URL).  

Unfortunately, some criminals can also use SSL certificates to produce fake websites that include ‘https’ and the lock icon. You should NEVER transmit any critical information via a website without ‘https’ and the lock icon, but that does not mean that you can trust every site that does have ‘https’ and the lock icon. Any site requesting important information should be vetted for authenticity, even when the ‘https’ and the lock icon are present.
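The checks in the two paragraphs above (is this the domain you expected, does the name imitate a legitimate one such as “S5A dot gov,” is the connection https, and does https alone prove anything) can be written down as a small script. The following is an added example, not code from the original alert or from the Office of Information Security; the trusted-domain list, the confusable-character table and the sample URLs are all constructed for illustration, and the two-label rule for extracting a site’s domain is a simplification that holds for the .gov/.edu/.com names used here.

```python
"""Apply the alert's URL-inspection advice to sample URLs (added example)."""
from urllib.parse import urlsplit

# Constructed for this example: the domains a user legitimately expects to visit.
TRUSTED_DOMAINS = {"ssa.gov", "wustl.edu", "amazon.com", "apple.com"}

# Illustrative digit/symbol-for-letter swaps used in lookalike names
# (e.g. "S5A" for "SSA"). Assumption: this small table is not exhaustive.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "$": "s", "@": "a",
})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'login.ssa.gov' -> 'ssa.gov'.
    Assumption: a two-label suffix is enough for the domains used here;
    a public-suffix list is needed for names like 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    return domain.lower().translate(CONFUSABLES)


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the verdict and the reasons a reader should notice for one URL."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    result = {"url": url, "domain": domain, "https": parts.scheme == "https",
              "verdict": "unknown", "reasons": []}

    if not result["https"]:
        result["reasons"].append("not https: never submit sensitive data here")

    if domain in trusted:
        result["verdict"] = "trusted"
        return result

    norm_label = normalize(domain).split(".")[0]
    for t in sorted(trusted):
        t_label = t.split(".")[0]
        # Trusted name buried as a subdomain of something else ("ssa.gov.attacker-site").
        if f".{t}." in f".{host}.":
            result["verdict"] = "lookalike"
            result["reasons"].append(
                f"'{t}' appears as a subdomain of '{domain}', not as the site itself")
        # Confusable spelling ("s5a.gov"), wrong suffix ("ssa.com") or brand
        # name glued onto another word ("amaz0n-support.com").
        elif normalize(domain) == t or t_label in norm_label.split("-"):
            result["verdict"] = "lookalike"
            result["reasons"].append(f"'{domain}' imitates '{t}'")

    if result["verdict"] == "unknown":
        result["reasons"].append(
            "not a domain you expected: look up the organization's official site yourself")
    if result["https"]:
        result["reasons"].append(
            "https only means the connection is encrypted, not that the site is genuine")
    return result


if __name__ == "__main__":
    # Constructed sample URLs mirroring the alert's "S5A dot gov" example.
    samples = [
        "https://www.ssa.gov/myaccount",
        "https://s5a.gov/login",
        "http://ssa.gov.secure-login.example/verify",
        "https://amaz0n-support.com/refund",
        "https://example.org/",
    ]
    for u in samples:
        r = check_url(u)
        print(f"{r['verdict']:9} {u}")
        for reason in r["reasons"]:
            print("          -", reason)
```

The script deliberately reports the https caveat even for lookalike sites: a padlock on “s5a.gov” is exactly the case the alert warns about, so the verdict is driven by the domain name, never by the presence of https.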

Resources

To learn more about vishing, please read our article, “Whaling, SMiShing, and Vishing . . . Oh My” (https://informationsecurity.wustl.edu/whaling-smishing-and-vishingoh-my/), and to learn more about Social Engineering, please refer to our article, “Protect Yourself from Social Engineering” (https://informationsecurity.wustl.edu/protect-yourself-from-social-engineering/). For more information about the customer service scam often impersonating Apple or Amazon, please visit the following page on the FTC website: Fake calls from Apple and Amazon support: What you need to know | FTC Consumer Information

If you receive a phishing attempt or if you have any questions or concerns, please contact the Office of Information Security at infosec@wustl.edu or (314) 747-2955.