Vishing: AI is Powering Voice Phishing Attacks & How to Stay SafeThe landscape of cybercrime is rapidly evolving, and one of the most insidious threats today is Vishing, or voice phishing.  Vishing  occurs when a scammer makes a fake phone call to trick you into revealing sensitive information, leading to fraud.Thanks to Artificial Intelligence (AI), this threat is happening at scale and becoming increasingly sophisticated.

The Threat Amplified by AI

AI is essentially software and a computer, which means it can execute thousands of calls a minute. Bad actors are using AI to scrape the internet, look at social media (like LinkedIn or Facebook), and determine where you might be vulnerable. They use this information to craft a phone call that addresses your interests or exploits your fear and uncertainty, increasing the likelihood of an attack.

Vishing attacks are only expected to increase because AI makes them easier to scale. Furthermore, you should expect to see integrated attacks—where a voice phishing call works in concert with an email or text phishing attack to seem more legitimate.

Red Flags: Recognizing a Vishing Call

The solution to preventing Vishing is often simple education and low-tech ways to block scammers. Always be suspicious, even if the caller ID displays a familiar name or company, such as the IRS, your bank, or even a loved one's number, because caller ID is very easily faked.

Warning Signs that Demand Caution:

  • Urgency and Pressure: The call seems urgent and asks you to go out of your way to comply. The goal is to put you on the spot, making it difficult to think clearly.
  • Unusual Requests: The caller asks for something you would not expect, such as gift cards. Most legitimate businesses will not ask for these.
  • Requesting Sensitive Data: They ask for Social Security numbers, PINs, or passwords. They may also ask you to confirm an account number or PIN to "validate" you. You should never give up any personal information.
  • Going Around Procedures: They ask you to bypass normal security procedures.
  • Specific Scenarios: Beware of specific scenarios like a tech support person calling about an "infection" on your computer, or a dramatic claim that a loved one is in jail or has been kidnapped.
  • Emotional Hooks: Scammers use emotion—often fear or authority—to hook you into giving up sensitive information, such as claiming to be the IRS with people "enroute" to you.

Best Practices: Your Low-Tech Defense Strategy

When you receive an unexpected call, especially if they are asking for something unusual, it's time to worry.

The Best Defense is to Hang Up and Call Back:

  1. Stop and Think: If you feel concern, fear, or doubt, take a breath, take a moment, and think about the request.
  2. Hang Up: If the request seems unusual or urgent, the safest action is to hang up.
  3. Validate the Call (on your terms): Call the individual or company back using a number you know is legitimate. Look up their number on their official website; do not rely on the number given to you by the suspicious caller. The originating call needs to come from you, not from them.

Special Considerations for Business and Family

  • Targeted Employees: Employees in Finance and HR are frequent targets because they have access to funds and sensitive employee information. If you work in these areas, you should already have a safe, established procedure for validating unexpected requests. This procedure should always start with you hanging up and calling a known, legitimate contact.
  • Personal Safety: Vishing can happen on a personal level. Have a conversation with your family and come up with a safe word known only to you. If someone calls claiming to have a loved one, ask them for the safe word. If they can't provide it, hang up and follow up with your loved one directly. The safe word should be shared verbally only and never through text or email.

Be Prepared

As AI continues to change things very quickly, you must be prepared for more Vishing attacks. Give yourself a moment, don't get too excited, and have your plan in place now before you receive the call. Knowing what steps to take is the best way to protect your loved ones and your business.

The Threat Amplified by AI

AI is essentially software and a computer, which means it can execute thousands of calls a minute. Bad actors are using AI to scrape the internet, look at social media (like LinkedIn or Facebook), and determine where you might be vulnerable. They use this information to craft a phone call that addresses your interests or exploits your fear and uncertainty, increasing the likelihood of an attack.

Vishing attacks are only expected to increase because AI makes them easier to scale. Furthermore, you should expect to see integrated attacks—where a voice phishing call works in concert with an email or text phishing attack to seem more legitimate.

Red Flags: Recognizing a Vishing Call

The solution to preventing Vishing is often simple education and low-tech ways to block scammers. Always be suspicious, even if the caller ID displays a familiar name or company, such as the IRS, your bank, or even a loved one's number, because caller ID is very easily faked.

Warning Signs that Demand Caution:

  • Urgency and Pressure: The call seems urgent and asks you to go out of your way to comply. The goal is to put you on the spot, making it difficult to think clearly.
  • Unusual Requests: The caller asks for something you would not expect, such as gift cards. Most legitimate businesses will not ask for these.
  • Requesting Sensitive Data: They ask for Social Security numbers, PINs, or passwords. They may also ask you to confirm an account number or PIN to "validate" you. You should never give up any personal information.
  • Going Around Procedures: They ask you to bypass normal security procedures.
  • Specific Scenarios: Beware of specific scenarios like a tech support person calling about an "infection" on your computer, or a dramatic claim that a loved one is in jail or has been kidnapped.
  • Emotional Hooks: Scammers use emotion—often fear or authority—to hook you into giving up sensitive information, such as claiming to be the IRS with people "enroute" to you.

Best Practices: Your Low-Tech Defense Strategy

When you receive an unexpected call, especially if they are asking for something unusual, it's time to worry.

The Best Defense is to Hang Up and Call Back:

  1. Stop and Think: If you feel concern, fear, or doubt, take a breath, take a moment, and think about the request.
  2. Hang Up: If the request seems unusual or urgent, the safest action is to hang up.
  3. Validate the Call (on your terms): Call the individual or company back using a number you know is legitimate. Look up their number on their official website; do not rely on the number given to you by the suspicious caller. The originating call needs to come from you, not from them.

Special Considerations for Business and Family

  • Targeted Employees: Employees in Finance and HR are frequent targets because they have access to funds and sensitive employee information. If you work in these areas, you should already have a safe, established procedure for validating unexpected requests. This procedure should always start with you hanging up and calling a known, legitimate contact.
  • Personal Safety: Vishing can happen on a personal level. Have a conversation with your family and come up with a safe word known only to you. If someone calls claiming to have a loved one, ask them for the safe word. If they can't provide it, hang up and follow up with your loved one directly. The safe word should be shared verbally only and never through text or email.

Be Prepared

As AI continues to change things very quickly, you must be prepared for more Vishing attacks. Give yourself a moment, don't get too excited, and have your plan in place now before you receive the call. Knowing what steps to take is the best way to protect your loved ones and your business.