What is vishing? How to spot a voice scam

Greg Jennings
Wednesday 21 September 2022

We are all familiar with phishing. Phishing is a method that social engineering actors use to attempt to trick you into giving away your personal information by email.

Recently, a new method has emerged – vishing (voice phishing). Vishing (or callback phishing) is a technique that combines both email and phone call in an attempt to trick you into giving up your personal information.

How does vishing work?

First, the user will receive an email designed to look as if it has come from a legitimate source, for example, PayPal. The email won’t have a phishing link inside it as traditionally expected but will come with instructions which ask the user to phone a telephone number for whatever reason.

In the PayPal scenario, the sender will ask you to phone them to change or cancel an order if you didn’t make it. The email may also include an invoice type file with fake order details to make the attempt look more enticing. The callback number will most likely be operated by a malicious actor falsely impersonating the target company who will attempt to verbally retrieve your personal details from you.

Below is a recent example we’ve come across.

How to protect yourself from vishing

Fortunately, we haven’t observed any targeted variations of these yet at the University. However, there are an increasing number of reports of these externally. In the event you do receive a vishing email, follow the below guidance to keep you safe:

  1. Do you recognise the sender? Check the actual sending address to make sure it matches that of a legitimate entity.
  2. Analyse the email to understand what it being asked for. Vishing attempts will aim to create a sense of urgency as well as an incentive to entice you in for a quick reaction, much like traditional phishing.
  3. Criticise any attachments or information presented to you to verify its legitimacy. For example, a vishing invoice may be constructed to imitate a company you have never done business with.
  4. Can you spot any obvious or unusual spelling mistakes? This can be a good indicator in spotting such attempts.

If you’re unsure or have a question about an email you’ve received, please forward it onto [email protected] for guidance.

Share this story