Vishing and Smishing
What is it?
Vishing – or voice phishing – is a type of fraud that is enabled via social engineering. Social engineering is the manipulation of situations and people that results in the targeted individuals divulging confidential information.
Vishing involves a fraudster phoning a company in order to convince a member of staff to reveal sensitive company information or make a payment.
Most commonly, fraudsters make an unsolicited call pretending to be from your bank, so they can ask you to reveal confidential information or make payments to account details they provide.
Smishing is similar – but is carried out through SMS text message.
How does it happen?
Fraudsters will call or text purporting to be from the police, utility providers, delivery companies or even your bank.
They may claim that your account has been compromised, that there has been suspicious activity on the account, or that a payment has been made by the business using incorrect bank details. Caller IDs or numbers on display are relatively easy to change or spoof. Fraudsters have been known to convince people a call is genuine by getting them to cross-check the incoming call number with the official number of the bank; however, fraudsters can use technology to spoof numbers so that calls appear to be coming from a genuine source.
Smishing, on the other hand, is where the fraudster targets a victim via a text, often purporting to be from their bank, in order to convince them to reveal sensitive financial information or transfer money into other accounts.
The text often contains a phone number, which connects you to the fraudster. As with vishing, details can be spoofed, so it can seem as if the texts are coming from a legitimate source and they can even be inserted into genuine text communications with the bank.
Be more like Derek – an office legend
Derek has become an office legend simply by spotting scams and, in turn, saving his company big money. Want to know how he does it? See Derek thwart a fraudster’s attempt at invoice fraud.
- Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing and can change caller display IDs to a genuine number.
- If you are suspicious, terminate the call and call back using your usual contact number, and not one provided by the caller.
- Remember that your bank may ask you for some information, but will never ask for your full password or PIN or for payment authorisation codes, provide you with details to make a payment, or request that you grant them access to your systems or PC.
- We will never text clients a link that leads to the online banking log-in page, or text them to ask for confirmation of account or security details.
- Make all staff aware of this type of fraud, particularly those that make payments.
A case study:
The client received a call from a male claiming to be from Barclays. The caller’s number appeared on the client’s display as a genuine Barclays number. The caller advised the client to use the online phone number checker to verify the call is genuinely from Barclays.
The caller told the client that their account had been accessed from a suspicious location. The caller advised the client that they would need to block all of their accounts, and that this would need to be done manually by sending payments with the reference “BLOCKTHISACCOUNT”. A total of 9 payments, totalling £156k, were made by the client following these instructions.
Barclays’ fraud prevention team identified the unusual beneficiary names and references on four of the payments, which were held, and called the customer to ask for further details.
During the call with the client, it became apparent that they were also on the other line to the fraudster impersonating Barclays. The client was informed of how vishing scams work and was advised to hang up on the other caller.
Initially the client was confused and did not know who to believe. Barclays provided relevant information so that the client could independently verify the genuine call and be confident they were speaking to Barclays.
Fortunately, on this occasion the scam was averted due to the unusual reference used and the bank’s internal fraud detection systems, but fraudsters have been known to be so convincing that clients have disregarded the bank’s advice and demanded that payments are released.
What to do if you think you're a victim?
If you believe you may have fallen victim to a vishing scam, contact us immediately. Our team will try to recover the money from the fraudster’s bank account. The quicker you alert your bank, the greater the chance of recovering the funds.
Report it to ActionFraud – the police’s national fraud and cyber crime reporting centre. Even if you’ve not suffered any financial loss, this will allow the police to analyse trends and help them to prevent fraudsters exploiting other companies. You can file a report via their website at www.actionfraud.police.uk.
If you have any queries, please speak to your Relationship Director.
If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on: 0330 156 0155
Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.