Cyber Moment

By Mike Pfeiffer 

CyberFyfe LLC

Welcome back to the Cyber Moment.  Last month we delved into the basics of cybersecurity, emphasizing its importance for small businesses and individuals.  This month, we are pivoting from the promised ransomware column to a lesser-known but equally insidious threat:  Voice Phishing, or ‘Vishing’.

What is Voice Phishing?

Voice Phishing is a form of social engineering where attackers use the telephone to manipulate individuals into divulging sensitive information.  But there’s a twist in the tale – some of these attackers aren’t after your data; they want your voice.

The ‘Yes’ and ‘No’ Scam

Imagine this scenario:  You receive a call from what seems to be a legitimate company, asking if you can hear them.  Instinctively, you respond with a “Yes.”  What you may not realize is that your simple affirmative response could be recorded and used nefariously.  Similarly, obtaining a recording of you saying “No” can be equally harmful.  It can be easy to get both “Yes” and “No” in one call, too.

Here’s how it works:  the scammer calls, often posing as customer service from a well-known company.  They start the conversation in a way that prompts you to answer ‘Yes’ or ‘No’.  These recorded responses can be used to authorize fraudulent charges over the phone or to dispute charges you legitimately made, claiming it was not you who authorized them.

Real-Life Examples

Let’s consider a real-life example:  John, a small business owner in West Central Minnesota, received a call from what he believed was his utility company.  The caller mentioned they were updating their records.  They asked simple questions like “Can you hear me?” and “Are you the account holder?” John unsuspectingly answered ‘Yes’ to both.  Weeks later, he noticed unauthorized charges on his phone bill – charges that were made using a voice recording of his ‘Yes’.

Here is a second example:  The call could be even simpler.  You answer saying “This is Steve,” and the caller responds that they are returning a call they received from your number at 3pm today.  You state, “No, I didn’t call you,” and they reply, “Is this Steven?”  You reply “Yes” without thinking, because you were asked your name, which you had already given when you answered the call.  Now they have you stating your name, answering Yes, and answering No.  That is enough for a bad actor to use.

How to Protect Yourself

1. Be Skeptical:  Don’t answer unknown calls; let them leave a message.  If you must answer, such as for a business, be cautious and skeptical.

2. Don’t Disclose Personal Information:  Never give out personal information such as social security numbers, bank details, or passwords over the phone unless you initiated the call.

3. Verify the Caller:  If a caller claims to be from a legitimate company, hang up and call the company directly using a number you trust, like one from their official website.

4. Use Caller ID with Caution:  Be aware that caller IDs can be spoofed.  Just because it looks like a local call doesn’t mean it is.

5. Report Suspicious Calls:  Report these calls to the appropriate authorities, like the Federal Trade Commission (FTC), to help them track and stop these scams.

In closing, always remember that in the world of cybersecurity, awareness is your first line of defense.  Stay alert, stay informed, and stay safe.  Tune in next month when we explore how a simple risk assessment check-up can prevent compromises before they happen for businesses and individuals.

Stay Cyber Safe,

Mike Pfeiffer, CyberFyfe LLC – 320-228-6954 – Mike@CyberFyfe.com – Facebook