A 15% rise in vishing scams between 2021 and 2022 has led to stark losses of over $39.5 billion for Americans in the most recent calendar year. The growth of this fraud threatens businesses all over the country in a financial and reputational nature.
Worse still, is that there are many fraud detection and prevention techniques to stop fraudsters – they’re just not being implemented effectively. This piece will detail the steps to take, and how you can block any effect of vishing and other types of fraud by continuously controlling payments to any suspicious or unknown third party before they’re executed, with Trustpair.
What is vishing?
Vishing stands for voice phishing. Let’s break it down:
Phishing, the umbrella term for this type of fraud, refers to a social engineering attack. Criminals impersonate genuine sources, like suppliers or agencies to extract funds or sensitive information. Phishing can be perpetrated through scam emails or text messages (smishing), but today we’re focusing on voice phishing.
Voice phishing, therefore, describes someone pretending to be a reputable organization over the phone.
It can occur with a real person on the other end of the line, but 61.1% of successful attacks actually happened with robocallers last year. It’s clear that even automated messaging emerges as a threat to organizations and their operational resilience, making it even more important for firms to fight back.
How does it work?
Here’s how voice phishing works:
- Social engineering
- High-volume attacks
- Targeted information
Vishing works because it relies on social engineering. The entire scam hinges on putting pressure on the employee being targeted, not allowing this individual to “think straight” or consider more rational possibilities. Often, this means that attackers will use deadlines or time-sensitive language to extract the information they need.
Moreover, although telephones are viewed as more secure than email, for example, the average American still receives more than three spam calls each day. With such a high volume and no automated capability to block unknown callers, it’s inevitable that at least one attempt is likely to be successful. Fraudsters taking the “spray and pray” attempt rely on this for vishing to work.
Finally, targeted voice phishing attempts use specific company or employee information to gain trust. For example, the fraudsters might impersonate a known vendor and call up about payment for a real invoice that they have intercepted, but ask to change the payment account to their own. If companies fail to verify the new account details and match them to those on record, it’s likely that the payment will fall into the hands of the perpetrators.
Real-life example of vishing
In 2019, a successful vishing attempt on an anonymous British energy company led to losses of over $243,000, in under an hour after the phone call itself.
A CEO was phoned by his apparent boss, the chief executive at a parent company in Germany, asking for the urgent transfer of funds to a “Hungarian supplier”. Little did the CEO realize that the voice on the other end of the line was actually a deep fake; an AI concoction that mimicked the real boss’ speech patterns. By applying social engineering pressure tactics, the CEO was convinced and transferred the amount straight into the account of the scammer.
One of the reasons why this example of fraud was successful is the fact that it was targeted voice phishing. The fraudsters knew exactly who the cardholder was, and who had the authority to pay. Moreover, detecting deep fakes is incredibly difficult to do over the phone. But, with an automatic account verification system in place, the payment would have been ruled suspicious and blocked, overriding the authority of the CEO.
What are the main vishing scams?
All vishing scams begin the same way, with the phone ringing and an employee answering.
Then, the fraudsters are likely to impersonate one of these third parties:
- Tax office
- Supplier (invoice fraud)
- Software Company
Tax office impersonation
At a business level, the IRS can be one of the most feared organizations to interact with. This means that there can be a tendency to blindly follow requests when they come in.
Tax office impersonation relies on high-pressure tactics, including encouraging the victim to act fast to avoid adverse consequences. Since there have been many high-profile tax evasion cases, with consequences like imprisonment and fines, employees can feel the stress.
Often, tax impersonators may know sensitive information about your business gained from other hacks and scams. It’s important to only give information when you call the tax office, and not when an unknown number calls you.
Bank account compromise
Contact from false representatives of the bank can also try to initiate payments without cause. By appearing as a reputable company, with trust and history already built, it’s fairly common for banking impersonators to dupe company employees.
In fact, in 2022, over $330 million was lost due to banking scams over the phone. Again, with this type of voice phishing, the fraudsters are likely to come in knowing details about your business to appear more legitimate. It’s important to verify the identity of the caller and refuse the pressure of suspicious payment requests.
Invoice fraud could be one of the most common types of vishing; as IT security firm Quostar knows all too well. In 2019, one of the executives received a phone call from an alleged supplier, asking to be put through to the CEO to make a payment on account. The supplier was known to the company, but the caller wasn’t their usual contact.
Thankfully, the CEO was unavailable at the time and since he was the cardholder on this supplier’s account, the fraudster simply asked for a callback. With specific details about the CEO and the supplier, this fraud attempt was particularly alarming.
Quostar executives later found out that the true supplier had suffered from a data breach in the days prior, which is why the criminals had access to their credentials. Without a proper fraud detection or prevention process in place though, this likely would have resulted in a successful fraud attempt if the CEO was available.
Similar to the above example, vishing attempts can be perpetrated by impersonating the CEO. Here, criminals take advantage of highly advanced techniques like voice imitation software to perfectly mimic the voice patterns of CEOs or senior executives.
By applying AI to their robocalls, the fraudsters can adapt to whatever their victim says, making the entire scam more realistic. Although CEO fraud typically happens through standard phishing over email, telephone perpetrators are a growing concern.
This is a particularly successful method thanks to the realistic impersonation and manipulation of the company hierarchy. Any fraud detection and prevention methods must therefore take this into consideration in order to be effective.
Software company impersonation
In a similar fashion to supplier, CEO, bank, and tax office impersonation, fraudsters may also try to gain access to your sensitive information through your IT systems. And if employees aren’t in the know, they may well approve external access, ransomware or malware upload to the company systems based on a convincing phone call.
Also known as remote access scams, fraudsters on the other end often guide employees to click through on their laptops or desktop computers, granting them access to the system. From there, it’s easy for scammers to lock the company out of their own systems, and either get hold of sensitive proprietary information or make transfers directly.
Learn all there is to know about B2B fraud in our latest fraud report.
How can you spot this type of scam?
The best approach towards vishing fraud detection includes:
- Fraud awareness training
- Suspicious activity detection
Fraud awareness training
It is recommended that all employees attend regular fraud awareness training in order to spot the signs of vishing attacks. These training sessions can ensure that your people know what to look for, and how to fight back.
Events held every 3-4 months should help inform your team members of new and emerging trends within the fraud space. The contents of the training also matter though. As a benchmark, approximately 91% of companies cover “red flags”, but only 31% include scenarios from real life.
Structuring the sessions with genuine examples could make the training more impactful for your colleagues. It’s also more likely to resemble what they’d encounter at work.
Suspicious activity detection
Suspicious activity relies less on your team members, and more on the systems at play. When trying to determine if an action (like a payment) is an anomaly, computer-led statistical analysis is likely to be your best friend.
For example, at Trustpair, we use pattern recognition calculations and machine learning to understand the “normal” behavior of merchants and vendors. When something goes out of the “normal range”, we flag it and automatically block any pending transactions. So when a fraudster tries to steal your funds, they can’t manipulate the system.
By working with online platforms to detect suspicious activity, your team doesn’t only get the benefit of working around-the-clock, but by reacting in real-time too.
How can you prevent vishing?
The best way to prevent voice phishing is by verifying unknown callers, maintaining suspicion even when the caller knows details about the company, and never providing personal information.
But we’re all human. That’s why having an anti-fraud platform like Trustpair acts as a failsafe. By blocking payments to suspicious accounts and bypassing approval hierarchies, we can protect your company’s funds from falling into the wrong hands. Contact an expert right away!
Vishing stands for voice phishing and is a type of scam resulting from impersonation callers. Protect your company against vishing by training employees to be suspicious, verify callers and implement anti-fraud software like Trustpair.