Protecting your Cardholders from Vishing

During this coronavirus pandemic of 2020, hackers and fraudsters will use all the tools at their disposal to take advantage of people’s fears and generosity, as well as the distribution of money from the stimulus bill. One of the methods on the rise is vishing attacks. 

Vishing, otherwise known as voice phishing, is an attempt by fraudsters to obtain sensitive information from victims over the phone. Fraudsters often take advantage of features such as caller ID spoofing and Interactive Voice Response (IVR) systems. Caller ID spoofing is used to make it look as if a phone call is coming from a financial institution or other trusted number. The use of automated IVRs allows them to perpetrate the scam at scale.

These scams can be tricky because the fraudster usually has a good amount of information about their target, and in some cases will provide the victim with their own personal information in order to give them a false sense of security while on the call.

How It Works

Vishing schemes requesting PINs are not new to financial institutions, and many consumers are educated about the threat of unsolicited phone calls. However, fraudsters have now evolved their tactics to take over a victim’s online banking app, leaving even the educated consumer vulnerable. Once they have access to the account, they can set up external account transfers, change the mailing address, or request a debit card to be sent to the new address. If a victim’s card is already compromised, the fraudsters can request PIN changes or card-limit increases online.

A typical scheme involves cardholders receiving calls that appear to be coming from their financial institution. Once engaged, the consumer is asked to verify suspicious transactions and is prompted to provide debit card details, PINs, personal information, and/or account log-ins.  

As it relates to the pandemic, new schemes are surfacing with the same goal of extracting sensitive information. These include:

  • Requests for donations that aid those affected by the coronavirus
  • Calls related to the payment of COVID-19 stimulus checks
  • Callers impersonating government agencies
  • Miracle cure products
  • Offers for COVID-19 test kits
  • Solicitations for health insurance

Tips for Financial Institutions

  1. Routinely educate account holders about the threat of vishing and provide them with a direct contact in the event they become a victim.
  2. Train employees to use consistent customer verification questions when either initiating or receiving calls from customers, preferably with out-of-wallet questions.
  3. Consider placing holds on new card requests when an address change has occurred within the last seven days.
  4. Utilize behavior analytics to recognize unusual online and mobile banking activity for a particular account holder, such as adding external accounts or log-in times that are not typical for the customer.
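
The hold in tip 3 and the unusual-activity checks in tip 4 can be written as rules over an account's event stream. The following is an added example, not code from the original article; the event types, field names, and the per-account usual-hours baseline are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(days=7)  # tip 3: address change within the last seven days

# Assumed per-account baseline of typical log-in hours (learned from history in practice).
USUAL_LOGIN_HOURS = {"A1": range(7, 23), "B2": range(7, 23)}

# Constructed sample events; the field names and event types are assumptions.
EVENTS = [
    {"ts": "2020-03-01T12:00:00", "account": "B2", "type": "address_change"},
    {"ts": "2020-04-01T09:15:00", "account": "A1", "type": "login"},
    {"ts": "2020-04-03T03:02:00", "account": "A1", "type": "login"},
    {"ts": "2020-04-03T03:05:00", "account": "A1", "type": "address_change"},
    {"ts": "2020-04-03T03:09:00", "account": "A1", "type": "external_account_added"},
    {"ts": "2020-04-06T10:00:00", "account": "A1", "type": "card_request"},
    {"ts": "2020-04-06T11:00:00", "account": "B2", "type": "card_request"},
]


def review(events, usual_hours=USUAL_LOGIN_HOURS):
    """Return (timestamp, account, action, reason) for events to hold or review."""
    last_address_change = {}  # account -> time of most recent address change
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, acct, kind = datetime.fromisoformat(ev["ts"]), ev["account"], ev["type"]
        if kind == "address_change":
            last_address_change[acct] = ts
        elif kind == "card_request":
            changed = last_address_change.get(acct)
            # Hold the card if the mailing address changed in the prior seven days.
            if changed is not None and ts - changed <= HOLD_WINDOW:
                findings.append((ev["ts"], acct, "hold",
                                 "card request within 7 days of address change"))
        elif kind == "external_account_added":
            findings.append((ev["ts"], acct, "review", "external account added"))
        elif kind == "login" and ts.hour not in usual_hours.get(acct, range(24)):
            findings.append((ev["ts"], acct, "review", "log-in outside usual hours"))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(*finding, sep=" | ")
```

Account B2's card request is not held because its address change is more than seven days old; a request exactly seven days after a change is still held.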

Tips for Cardholders

  1. Do not respond to calls from suspicious or unknown numbers.
  2. Never provide personal or financial information over the phone.
  3. If the call from a financial institution sounds suspicious, end the call and call the number on the back of your debit card.
  4. Do not provide authentication codes that are texted or emailed to you in response to an unsolicited call.
  5. Set up text alerts for your debit card in your online banking app to make you aware of any unusual activity.
  6. Be aware that government agencies will never ask for personal information or money.
  7. Always confirm the legitimacy of a charity before donating using the IRS charity database, Charity Navigator or Guidestar.
  8. Victims of vishing should contact their financial institution immediately, then file a police report with their local department.