Insights > Blog

A Vishing Scam Explored

Author: Bill Bowman is Director of Marketing, North America at Cipher

Phishing is the term for fooling someone into giving sensitive information or credentials via email. This blog, and many others, have written on the topic extensively. Scams also happen over the phone via calls or texting. The variant using calls is known as vishing, the portmanteau of voice and phishing. The texting style is smishing, combining SMS. These are just labels. These techniques and others are simply variants of people trying to fool and scam others.

This phone-call based type of social engineering and fraud is behind massive hacks. The Twitter hack from earlier in 2020 was the result of a teenager impersonating technical support to get access. Scammers both in the US and abroad target seniors and other susceptible groups to the tune of billions. This post will look at a case study of vishing and fraud attempt against me.

 

Student Loan Scams

Like most people, I get many spam calls. As a result, I do not answer a number I do not recolonize or expect. Phone carriers are trying to stop the onslaught of spam calls with a number of initiatives. Most of the time, these people do not leave messages. I recently got a message asking to help with my student loan.

Hi, this is Megan calling with student loan relief. Um, you can just give me a call at (309) ***-****. And, um, I’m actually just reaching out to you regarding your federal student loan balance. We’ve got some good news. You’ve been pre-qualified for the student loan forgiveness program. However, it is imperative that we speak to you just as soon as possible before these programs change. So again, my number is (309) ***-****. So, um, I just hope to hear back from you soon and have a great day.

Being the cyber-sleuth I am, this raised alarms. I do not have a federal student loan! The message itself was well-crafted. It had a casual tone and even some filler words to make it seemed like it was not a recording.

I called the number back. While a recording of the call would inform this blog, I know there are laws regarding recording without consent. The area code was 309, which is in Illinois. Different states have different laws for recording. In that state, the recording is not allowed.

“Welcome to the central process center for student loan assistance. If you are responding to a phone call or text, say that now.”
“Before transferring you, we need to confirm information.”
“Do you owe more than $10K?”
“Is your household info more than $1,500 per month?”
“Great, let me transfer you.”
“All agents assisting other people. Leave your name, number and student loan debt. Someone will call you back.”

The above transcription from memory is how they address inbound calls. From the call, I could see they are trying to qualify people as a target victim and use that information for their nefarious purposes. While writing the blog, a call came in from the same number. I picked up to see what would happen. I got a bit of static and maybe a brief sound of breathing, and the call ended after a few seconds.

 

A Second Call

I got another unknown call while writing and I decided to pick up. This call had a similar angle but was from an automated robot. Again, they said they were confirming that I was over $10,000 in debt before transferring. I answered “yes” to the robot and was transferred to someone with an American accent asking if I was calling regarding loan forgiveness. I informed her that I had a call from this number regarding loan forgiveness, and she hung up.

These systems seem to be trying to qualify people with loan balances and a high enough income to be useful. They then send the person as “lead” as needed. I did not dive deeper down the hole of loan forgiveness shadiness. Other investigators and Internet personalities have gone back and forth with scammers, often with humorous results. The web of phone-based scams is immense. Moreso than email, hearing from an actual person can let people drop their guards. A common target for scammers are people lonely and seeking to talk with people.

 

Warning Signs and Recommendations

The above scenario illustrates the elements of a scheme to scam people. Unless you are expecting a call or text related to something going on in your life, be extremely cautious of new offers or information. There are specific warning signs.  Urgency is in the call. The so-called Megan said these amazing opportunities can change soon. That urgency is designed to make people a bit more irrational because they risk losing a deal.

The call might be too good to be true. Complete student aid relief is not a possibility in the US, despite there being calls for it. If a person is an occasional follower of news and policy, it might seem plausible. If I kept on engaging with the scammers, they might have done a number of things. They might have asked for money up-front in the form of fees or a down-payment. After paying this, they will likely make excuses for the failure of certain actions. The scammer will keep trying to pump the victim for money until the bitter end.

In a business setting, there are different dynamics and warning signs. At large corporations, employees will not know every co-worker of course. If a phone call comes in from someone saying they are in corporate technical support or finance, the potential victim might take it at face value. If the person is asking for sensitive login details or for a money transfer to happen, confirm the request via another channel like email or even face-to-face.

 

Did you enjoy this blog article? Comment below with your feedback.

2 Comments

  1. L

    I just got this exact voicemail from an Oregon number (I live in Illinois) and usually I ignore these things because they never apply to me, but this time I DO have a federal student loan and I’ve been applying for anything to make it easier on me so I almost fell for this one, but I wanted to check before I did anything stupid. Thank you for this!

    Reply
    • wbowman

      Glad it helped!

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

•  Whitepapers
•  E-books
•  Checklists
•  Self-Assessments
•  Webcasts
•  Infographics