Date: 2021-12-31

Frauds with text messages that pretended to be from a bank or commercial house are now a thing of the past. Now cybercriminals use another tactic to deceive their victims: they make phone calls in which, with the help of bots (automated interactive software), they steal access to all kinds of accounts.

It is a type of scam in which recipients are tricked into revealing personal information. It is a cybercrime in which, when you answer a call, you never know with certainty who you are talking to or whether you are being targeted by “vishing”, a word that combines “voice” and “phishing”, that is, a phishing attack that uses the voice.

Matilde Rivas, Research Engineer and Technological Transfer of the Millennium Institute Fundamentals of Data, explains that vishing is the new trend in phone scams, “in which the scammer pretends to be someone trustworthy to get personal or financial information from the respondent.”

It is similar to what email phishing was, where fraudulent emails were sent with links to deceive the user into clicking and being redirected to certain pages, says José Canuman, an academic from the University of Magallanes and certified instructor in cybersecurity. “It’s the same here, but by voice.” It is not a new technique. It is quite old, “but the concept now is that, as the digital value of things has spread so much, this technique has re-emerged.”

The term phishing was first used around 1990. It described crimes that used the Internet as “bait” to catch their victims. Today it is associated with scams based on social engineering, that is, scams that try to manipulate people into a trap.

With the evolution of cybercrime, the terms “smishing” and “vishing” have emerged. Both are classified as types of phishing. In the case of smishing, criminals send text messages (SMS) to try to convince the victim to click on a malicious link or reply to the message by providing their details. The whole process is limited to exchanging text.

In contrast, in vishing attacks, there is voice contact at some point during the fraud attempt. An initial SMS serves only as a first deception, to confirm that the number really belongs to someone or simply to induce a potential victim to call a number so that the criminals can continue the attack.

In vishing, bots seek to convince unsuspecting users that the call is legitimate and are used to obtain one-time passwords (OTP) or verification codes, also known as two-factor authentication (2FA) or two-step verification. “In this way, they manage to access user accounts in services such as PayPal, Amazon, Coinbase or banks, among other services,” says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Laboratory, a company for proactive detection of threats on the web.

It is a type of scam that mixes a traditional phone call with social engineering, explains Fabián Rodríguez, CEO of Camel Secure. “In general it is quite focused, since the cybercriminal knows things about you, such as which bank you are in or other relevant issues. It is quite common that after they talk to you, they convince you to carry out an action, for example, that you deposit in a bank account or give them your access code so that they can carry out some type of transaction.”

They can pretend to be a bank executive and say that the account has been compromised and that they need some data to solve the problem, says Rivas: “Some scammers have come to use edited recordings of famous people to build credibility, so we have to be cautious and always confirm the identity of the person speaking to us.”

In traditional telephone scams, it is the criminal himself who seeks to convince the victim on the other end of the telephone. “In these cases, the risk that the victim realizes that it is a fraud depends to a large extent on the skills of the criminal on the phone,” says Gutiérrez. However, many companies today use bots to provide customer service, and the familiar sound, due to the lack of personalization, contributes to the victim not suspecting that something is happening.

These scams have increased during the pandemic. According to the statistical report of the Cybercrime Investigation Brigade, the number of complaints received by the PDI for scams and other fraud through the Internet increased significantly during the pandemic: 29% when comparing 2019 with 2020, and 89% when the first five months of 2021 are compared with the same period of the previous year.

In that phone call, Rodríguez adds, they give some information that only the person could know, “or at least that’s what they make you believe, so that after taking some action, it could be the typical deposit, WhatsApp code or another, the idea is to receive some data from the person with which they can commit fraud.”

Many vishing calls start with the scammer posing as a bank employee and telling the victim that there has been suspicious activity or another problem with their bank account. To solve this problem, the victim is told to call a toll-free number and speak to a representative. This call will go to the scammer, who will write down the victim’s account information and then use it to transfer money out of the account.

Another tactic used in vishing scams is links that offer the opportunity to pay less than the original amount of debts or to make investments with high-yield promises. These “offers” are usually for a limited time, so the person must act immediately and call the number indicated.

It is currently one of the most frequent cyber scams in the world. Rodríguez explains that since the target audience is reached by telephone, “it is not necessarily technologically educated with these scams.”

In addition, today much of the information that can be used in these crimes is on the web. Through social networks and job sites, data can be obtained such as the name, title and company of the victim.

This is a social engineering technique, Canuman says. “Unfortunately there are some cases in which there is no immediate solution through an automatic system. He generally attacks people based on his knowledge of the system. That is why many banks, for example, what they do is offer on their platforms advertisements indicating that no reference data of your accounts is delivered, and the same in social networks too, the emphasis is on prevention towards the customer, but there is automatically no indication that one could stop fraud.”

Often, older people are the victims. That is why specialists agree that the simplest advice to stay safe on the phone is, when in doubt, hang up. “If someone calls us saying there is a problem with our bank account, we should not give any information, hang up, and call our bank using the official number to ask about it,” warns Rivas.

The first step in protecting yourself against vishing attacks is being aware of how they happen. Therefore, they indicate, any unsolicited contact should be viewed with skepticism. They urge particular care with calls that make special offers and, above all, with requests for personal information. “The first thing is to distrust any unknown call that asks you for information, the second is that, if something is very good, surely it is a lie and finally when the product or service is free, surely the service or product is you,” says Rodríguez.

When receiving any type of message that indicates that a telephone number should be contacted, it is best to first investigate whether the telephone number really belongs to a legitimate company or institution, Gutiérrez indicates: “The main recommendations to avoid being a victim of this type of fraud are: upon receipt of a suspicious call, verify its source. It is also important to distrust the origin and in case of being something doubtful, finish the communication as soon as possible. If the person who contacted us claimed to be from a company with which we are associated, it is advisable to communicate with the company through official communication channels.”

Once a call is identified as a scam, the first actions to take are to report and block the number. If the victim has already provided their financial information, they should contact the bank and other institutions as soon as possible to inform them of what happened and request the blocking of the card and a change of passwords.