Vishing

WHAT IS VISHING?

In a vishing attempt, fraudsters call their victims or leave a voicemail purporting to represent reputable organizations with the goal of eliciting personal information from the recipient. Vishing typically uses social engineering to emotionally manipulate victims into making hasty decisions.

WHAT ARE COMMON CHARACTERISTICS OF A VISHING ATTACK?

• The caller claims to represent a legitimate organization such as a bank, business, government office, police department, or IT organization.
• The caller typically claims to have urgent business such as a warrant for arrest, an unpaid debt, a fraudulent transaction, or a time-limited opportunity.
• The caller’s phone number can come from anywhere in the world. The caller ID for the number may also appear as private or unlisted. In some cases, the number may be a spoofed version of legitimate numbers, appearing on caller ID as the entity they claim to represent. Don’t automatically trust the caller based on their phone number or caller ID.
• The caller will use a tone of urgency to manipulate their victim into making quick, emotional decisions.
• The caller may attempt to cultivate rapport with their victim by offering help in solving a problem.
• The visher will ask for personal information such as a social security number, a credit card number, or log in credentials.

HOW CAN I PROTECT MYSELF FROM VISHING ATTACKS?

• Don’t answer calls from unknown phone numbers. Allow the caller to leave a voicemail, which you can listen to with calm skepticism.
• Independently verify the caller and their claimed business. Do not use contact information provided by the caller. Instead, use known contact information from the organization’s website or other trustworthy sources.
• Don’t hesitate to tell the caller that you need to hang up and verify the request with the organization they claim to represent. Be extra suspicious if they try to keep you on the phone. It’s okay to simply hang up on them.
• Don’t pay the caller over the phone. If they are asking for a payment, wire transfer, a gift card number, or any kind of financial information, hang up! Call the entity the caller purports to represent at a known contact number.
• Use 2FA whenever possible to add an extra layer of protection to accounts that the caller may be attempting to compromise.
• Always check to ensure you are on a secure website before entering private information. You can determine if a website is secure by looking for “https://” rather than “http://” in the web address bar, or by looking for the small lock icon in the browser address bar.
• Keep track of your data. Regularly log into your online accounts to verify that all activity is legitimate.
• Reset any account passwords that may have been compromised.
• Stay in the know. Visit the Office of Information Security Alerts page and follow us on Twitter to receive information about cybercriminal activity.

What To Do if You’re a Victim

Report vishing attempts to InfoSec@wustl.edu so our office can review the activity.