Vishing calls are not new. They have been happening for a while, but after an incident at one of my clients recently, and then a discussion with one of my groups, I thought I would cover it here. You can stop reading now if you think you know it all!
There was an incident at one of my clients where one of the senior management team was contacted by “HMRC” about underpaid tax. I should say that this client works regularly to raise awareness of vishing and phishing (email requests for information). Anyway, back to the story. The director took the call on his mobile, and the person on the other end said he had underpaid tax, but before they could go into any further details they would need some information from him. This information consisted of name, home address, work address, date of birth and National Insurance number. The director provided all of this without much thought. He then rang the payroll person to ask for more details about his tax payments. When the payroll person arrived, she knew straight away that it was a vishing call: the director is on a salary and PAYE (and has no other employment), so there wouldn’t be an underpayment. The director asked her to speak to the caller, and when she asked the caller what the director’s tax reference was, they hung up. A bit too late, as the director had already given them a lot of personal information, which was very unfortunate.
This started a discussion with the client as to whether people were more likely to recognise a vishing call made to their home or to their work. It seemed from this discussion that people were more wary at home and suspicious of unknown callers, whereas at work they tended to assume the caller was bona fide and were more likely to hand over information.
We decided we would run a campaign at the client, not to raise awareness but to cover how to handle a suspicious call, which seemed to be the missing element in their awareness training. We decided that the best advice, whether at home or at work, was to take control of the call. Tell the caller that you do not provide information over the phone to incoming callers and that you will call them back, if they provide their full name, department and regional office. Do not use the phone number they give you: look it up yourself on the organisation’s official website, or on a letter or statement you already hold from them, and ideally call back from a different line. It should be remembered that most government departments, banks, etc. do not cold-call individuals and ask them to confirm personal details.
What are your thoughts: are people more vulnerable to vishing calls at home or at work?
As an aside, 10% of the data breaches reported to the ICO for the last quarter of 2019 resulted from a successful phishing or vishing campaign.