Watch Out for Vishing (Voice or VoIP Phishing); Electronic Fraud by Voice Email, VoIP (Voice over IP), or Landline and Cellular Telephone
By David Shefter
It’s early April, 2020. While watching TV during the current Covid-19 crisis, I receive a call from a 347 area code phone number. Thinking it’s a business colleague of mine who lives in the outer boroughs, I answer.
Unfortunately, “Roy Callahan from the NYC Police Department” threatens me with a warrant for my arrest within minutes, and states that I need to turn myself in to the local police department. So, I reach out to a friend, who tells me that it’s rampant in the region where he lives and similarly happened to him, but they threatened him if he didn’t comply by purchasing a $9000 prepaid card.
This happens thousands of times every day. And it has increased dramatically since we moved to a work-from-home environment. Law enforcement agencies (LEAs), ranging from local municipalities to the FBI and everything in between, are overwhelmed. They can’t compete – bad actors are fast, smart, and ahead of the curve.
These criminals also know how budget-, resource-, and talent-constrained the LEAs are. The local ones are best at catching shoplifters and pulling over speeding vehicles, not tracking terrorists to their origin across state or federal boundaries. With little interest or coordination and no tools, over 99% of these scams go unresolved.
How Did They Find Me?
First, social networking has created a treasure trove of information. People entrust their name, address, phone number, work history, educational background, and social circles to the public domain. This is where the risk lies, not the much-publicized hacks at retailers, banks, government agencies, and healthcare organizations.
However, the large exposures at retailers and financial services firms like Capital One, Target, Michaels and Home Depot, along with hacks at Anthem, United Airlines and the United States Office of Personnel Management (OPM), should be of tremendous concern. This information allows perpetrators to triangulate data and build a rich persona of people like you and me.
Let’s put that in context. Tens of millions of records were exposed, which could be used to go far beyond extortion payments, and move to exploit physical vulnerabilities in executives and military personnel, or regular people.
How Quickly Will I Be Exposed?
According to a 2018 FBI scam alert, victims reported having money illegally withdrawn from their accounts within ten minutes of receiving a vishing call, and another report described hundreds or thousands of fraudulent withdrawals in the days following.
What Can I Do?
As an individual, it is best to be vigilant and use common sense. Regardless of what a “vishing” caller ID says, the U.S. Internal Revenue Service (IRS) will not demand money or account numbers. Don’t fall victim to vishing’s evil cousin, phishing, by clicking on links in emails that could take you to a malware site – spend an extra two seconds confirming that the email is actually from the sender it claims to be from, not just from a familiar name.
Second, it’s best to protect your social profiles online. Facebook, LinkedIn, Twitter, and the trove of other tools have most likely already exposed you. Perform a simple Google search, then move to clean up the public aspects of your online persona.
Third, act like an enterprise to protect your employees as if they were your family. Large organizations have invested heavily in antivirus, drive encryption, email security, and next-generation firewalls. None of this matters – phishing and vishing scams go right around these defenses. You need training, ongoing education, vigilance, and smarter technology.
“Every second counts” – A key approach to protecting your company and yourself is implementing continuous endpoint visibility on your devices.
The battle for cyber security protection is consuming your resources, from your people to your budget. Threats are faster, smarter, and more targeted than ever before, and are working their way around traditional prevention solutions to get straight to the point: your endpoints. Once breached, you have less than an hour before the attack finds additional victims within your organization. Time is of the essence, and since we can’t create more of that, we must focus on maximizing continuous intelligence so your team can make the right decision, right now.
Today, people are focused on fraudulent credit card charges, and organizations are locking down endpoints at a record pace.
More has to be done. The criminals are faster, smarter, more enabled – and outside the bounds of the law. While news will continue to come regarding the success of catching large-scale fraudsters and untouchable foreign nationals in China and Russia, there will be thousands of small-scale exploits on a daily basis that go unreported.