With fraud on the rise, especially online, protecting information such as your bank details is more important than ever. In addition to popular methods such as email or SMS, fraudulent schemes can also be carried out by making a simple telephone call. In this article we explain how this scam works and how to identify it so that you don’t fall for it.

Let's imagine, for a moment, that you receive the following phone call: someone, who refers to themselves as an employee of the bank in which you hold an account, tells you that your credit card has been unexpectedly blocked and that, in order to unblock it, you must urgently confirm your card details. They ask for the expiry date and the card verification code (CVC), information that your bank would never ask for.

These types of calls, known as ‘vishing’, are more common than we think, so we must be prepared to identify them and prevent a third party from obtaining our bank details. 

What is vishing?

As already mentioned, vishing is a type of scam in which criminals try to trick their victim via a telephone call. They impersonate another person or, as in the previous example, an organization such as a bank. They may also impersonate an energy or gas company, or any other company that could serve as a pretext for making contact. In any event, the aim is to steal personal or bank details or even convince people to transfer their money to the fraudsters.

The channel used to carry out this scam is what differentiates vishing from other methods such as phishing (carried out via email) and smishing (carried out via SMS). It is known as vishing because it combines the use of voice with phishing techniques.

How does vishing work?

The main tool used by scammers (or vishers, as this type of scammer is called) to try to obtain the information required or convince their victim to carry out a certain transaction, such as a money transfer, is social engineering. It is a set of techniques that vishers use in telephone calls to manipulate their target and gain their trust, in order to obtain the details they need. The three most commonly used methods, in terms of banking, are:

  • Direct call. The fraudster makes the call, pretending to be an employee of the bank. It is likely that, before making the call, the fraudster has already obtained some details regarding the victim that serve to make the scam more believable and to build more trust. These details could include information such as the name of the telephone company used by the victim or of the video platform to which they subscribe, which are usually paid by credit or debit card. In fact, it is sometimes the victims themselves who publish certain compromising data or buying behaviour on social media. Therefore, the potential victim is more likely to believe the cybercriminal and give them the information they request.
  • Double call. This is a more elaborate method in which the scammers gain even more trust among their potential victims. Using a recorded message, usually generated by a robot, the victim is informed of an alleged problem, such as unauthorized access to their digital banking app, and they are given a telephone number which they can call to resolve the issue. When the victim calls that fraudulent number and gives the information requested, including their log-in details, the scam is completed.
  • Combination of techniques. Criminals also often use additional methods to improve their vishing schemes. For example, instead of making a first call to the victim, they send a text message (smishing) so that it is the victim who calls a telephone number that appears to be from their bank, but which is actually monitored by the scammer.

Spoofing: When appearances are deceiving

When making calls, cybercriminals may use techniques such as spoofing, which consists of creating a fraudulent website, company or individual identity. Part of this scam may involve displaying the alleged company's caller ID, which conceals the actual source of the call.

How can we protect ourselves from vishing?

Rather than getting alarmed, a very easy way to avoid this type of fraud is to stay alert and informed and to take some simple precautions, such as not sharing your personal or financial data or security codes.

  • Do not disclose information over the phone. Keep in mind that banks already have your name and ID as well as the numbers of the cards or products you have contracted, so they will never ask you for this information. If you receive a call requesting this type of information, do not disclose it. Notify your bank through reliable customer service channels and alert the cybersecurity managers.
  • If they offer you prizes, beware. Scammers try to capture your attention with promotions or conditions that are too good to be true in order to convince you to provide them with the details they request for fear of missing out on this opportunity. For example, you are asked to give your bank account details so that the money from a prize draw, which you have not entered, can be deposited into your bank account.
  • Keep your information safe. Fraudsters can make use of any information that will help them launch their attack by way of a phone call. For example, never let anyone see your passwords when you are in a public space, and never share personal information on your social media, such as images of your ID, your telephone number or your bank card details.
  • Be wary of unknown telephone numbers. Some smartphones alert you that an incoming call could be a scam, i.e. a number detected as suspicious. Not answering those calls, as well as calls from other numbers you are not sure of, such as international calls from countries you have no ties to, is the first step in reducing any risk.

If you would like to learn more about this type of fraud, this article (in Spanish) on the Tu Futuro Próximo website (a blog produced by Santander Consumer Spain) provides further information on vishing and how to avoid it.
