Phone scamming – friends don’t let friends get vished!


As regular readers will know, we write up real-world scams fairly frequently on Naked Security.

Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.

This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.

We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.

Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armour – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.

But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.

You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.

You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.

But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.

If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.

That’s why we’ve regularly written this year about SMS smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.

Well, guess what?

There are still plenty of even older-school crooks who use a scamming technique called vishing, short for voice phishing.

We last wrote about vishing back in September 2020, when we and other Naked Security readers in the UK began receiving a burst of automated, unwanted voice calls that were clearly designed to get our attention whether we answered them live or listened to them later via voicemail.

The vishing scams we wrote about back then concentrated on home deliveries, something that’s important in the lifestyles of many of us these days, thanks to restrictions on movement due to coronavirus concerns:

Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.

Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.

The latest batch of automated vishing that’s been reported to us claims to relate to taxes and taxation, a theme that the crooks have been exploiting for years.

Interestingly, the tax office in the UK, known as HMRC (Her Majesty’s Revenue and Customs), recently emailed millions of taxpayers with a genuine – and, admittedly, unsuspicious – message to remind them all that there were just 100 days left until the cutoff for 2019/2020 electronic tax filing.

We don’t know whether the crooks deliberately timed their vishing to overlap with this official email blast, or whether it was a coincidence.