Cybercrime in the Form of a Phone Call

When people hear the term cybersecurity, they often think of digital attacks against electronic information systems secured by sophisticated software. Though this description is accurate, it isn’t comprehensive. Cybersecurity includes non-digital elements, such as physical security and human psychology. In fact, one of the most common cyber scams, known as phishing, relies on deception to manipulate people into sharing confidential or personal information through email. 

When cybercriminals leverage phishing tactics over the phone, the threat is called vishing.

What is Vishing? 

Vishing is the act of using deception and manipulation, also referred to as social engineering, over the telephone to gather sensitive information about a target. Criminals exploit the information for financial gain. Vishing is also known as voice solicitation, phone fraud, and voice fraud.

Ohio School District Loses $1.7M in Vishing Attack 

In December 2023, hackers used a vishing attack to trick West Claremont School District employees into changing ACH payment details, resulting in a $1.7M loss. The district responded by updating policies to require multi-step verification for ACH changes and prompt reporting to law enforcement.

How Does Vishing Work? 

Vishing scams can use multiple social engineering tactics to convince targets that compliance is in their best interest or in the organization’s best interest. 

Spoofing 

Spoofing occurs when criminals disguise their phone number to appear local or familiar, tricking victims into answering. They can also spoof your number to impersonate you when contacting financial institutions or business partners to steal sensitive information.

Masquerading 

Attackers often pose as trusted figures, such as tech support, contractors, banks, service providers, or law enforcement, to pressure you into revealing sensitive information.

Fear 

Vishing attackers often exploit fear to extract sensitive data, claiming issues like infected computers or overdue payments. They may use technical jargon and fabricated evidence to appear credible. Victims might be directed to malicious websites, asked to change banking details—as in the West Claremont case—or pressured into providing credit card or bank account numbers under the guise of support or processing.

Prevention 

Now that you know how vishing attacks work, how can you stop them? 

  1. Stay vigilant: Beware of calls or texts from unknown or spoofed numbers. Even familiar-looking numbers can be faked to gain your trust. Legitimate IT support will not contact you unsolicited, and any unexpected request for personal information should raise immediate suspicion.
  2. Hang up and call back: If an unsolicited caller asks for sensitive information or urges immediate action, end the call. Use a verified contact list to reach out directly to IT support, vendors, or financial institutions—this reduces your risk of falling for a scam.
  3. Anticipate: Identify high-risk departments like accounts payable, HR, and finance that are likely vishing targets. Train staff to recognize suspicious calls, and run practice drills to build confidence in spotting and stopping scams. 
  4. Question motives: Be skeptical of unexpected or unidentified callers. Ask why they need the information and why they don’t already have it. Taking a moment to assess intent can reduce the risk of sensitive information being shared.

Fraudulent Instruction Requirement for Fund Members  

The Fund Data Privacy and Information Security Coverage Agreement requires members to authenticate third party payment-related instructions independently from the received communication. Do not rely upon contact information within the payment request communication when contacting third parties for authentication purposes, and always verify contact information changes that occur during your relationships with third parties. If you don't authenticate the instruction as indicated under § 4.29 (A), coverage likely will not apply. Please read § 4.29 of your coverage agreement and make sure you understand the terms.

Editor's note: This article was originally published in 2019. It has been updated for accuracy and comprehensiveness.