Despite having the most sophisticated technology at their disposal, cybercriminals often resort to the most technically archaic methods, such as phone calls. A user receives a call from a supposed Microsoft technician, who warns him that his computer has a virus and that he should follow the caller's recommendations to fix it. The supposed specialist tells him to download a remote control application so that the caller can handle the incident himself. Thus, starting from a fairly common and probably alarming problem, such as malware on a personal computer (the fear of any user), cybercriminals manage to get unlimited access to the victim's computer and, with it, to all the information stored on it.

Such a scenario could open the door to another set of crimes, such as the theft of documentation and personal information, bank identifiers and even the purchase of cryptocurrencies. "If you have the typical file with the scanned ID or other important documents, they could bill you, sign you up for services... You could be the victim of more fraud in your name or even extortion," warns Ruth García, cybersecurity technician at the National Institute of Cybersecurity (INCIBE), who adds, "While it is true that many users start to notice strange things along the way, rule out continuing and do not follow instructions, many others end up being victims because, believing that it is really a technician, they accept his requests. In these cases, it is essential to act as quickly as possible."

"I just got a vishing call and sent money to a scammer. I have already filed a complaint with the police. Do you have insurance against this? Is there anything else I can do?" That was the question posed by a Twitter user to the official Bizum account last December, right after he fell victim to vishing. He's not the only one to share the ordeal on that network. Another user, who warned her followers about the scam, tells this newspaper that, although she did not take the bait, she received a call in which she was asked for a code that was supposed to reach her cell phone to access her bank account. "The caller ID was indicated as Banco Santander," she explains.

According to García, it is not uncommon for cybercriminals to forge or spoof numbers so that, to the company's customer and potential victim, the call appears to come from their company. "Although the number appears to be correct, they have successfully forged or hijacked it. The same goes for emails and SMS messages," the technician insists. This makes it difficult for the user to know at first that it is a hoax.

Most of the time, the payments requested are very low, because if you are the victim of a three-euro debit, for example, it will be more difficult for you to report it. They do this precisely "so as not to arouse suspicion", according to the technician. "It's easier for a user to fall for a scam like this than a big one, where alarms are more easily triggered. It is more profitable to deceive, for example, a million users who pay two euros, than a few for more money," she insists.

If you fall into the trap, it is important to do some egosurfing, searching the Internet to see whether your personal data appears on sites where it should not be. If the user has gone as far as installing remote control tools that allow the cybercriminal to access their computer, the first thing to do is to uninstall them, disconnect the device from the network as soon as possible and run an antivirus scan in case more files have been downloaded that could continue to send information to the attackers.

Impersonating trusted companies or entities to obtain personal data through a simple phone call remains a very common scam attempt in Spain. One of the most common strategies is to pose as a member of the technical support team of a technology company, and Microsoft is precisely the company that has suffered the most in recent years: in 36% of the cases in which a company of this type is impersonated, it is Microsoft, according to a study commissioned in 2021 from YouGovdata and the Market Analysis Entity.

Each month, the multinational founded by Bill Gates receives about 6,500 incidents worldwide, compared to as many as 13,000 in previous years. INCIBE's cybersecurity technician explains that this is due to the fact that "the potential victims are much more numerous than those that can be found among Linux or iOS users." According to the Statista portal, nearly 89% of PC users worldwide have Microsoft's operating system installed, compared to 8.5% for iOS and less than 2% for Linux.

Ruth García says that INCIBE has identified an upsurge in vishing cases in recent weeks. According to Commander Alberto Redondo, head of the Cyber Criminal Information Group of the Guardia Civil's Judicial Police Technical Unit, "these are fairly active campaigns, although they have temporary peaks. There are more cases for a few months and then there is a quieter period. But unfortunately, they are quite frequent." Among the companies most likely to be impersonated, besides technology companies such as Microsoft, are electricity companies and banks.

Most of the time, these scams are hatched by organized crime. "These are gangs that have telemarketers who open the first door. The vast majority of cases don't pan out, so they do an initial screening and once they see that they can hook the victim, they transfer the calls to higher quality scammers who have technical knowledge and invite them to install the remote control software, for example. Another part of the criminal organization is in charge of managing the stolen data or payments. There are a lot of people behind this who are organized in different branches," explains Commander Redondo.

Although it is not the most common approach, cybercriminals may look up information about the victim on the Internet to better orchestrate the scam. "This is very useful if, for example, you want to commit fraud on behalf of an electric company and the user has contracted a service with that company because, if you are not a customer or user, it is more complicated for you to fall victim to the cheater. If they are looking for information, there will be more victims than if they call users indiscriminately," explains the INCIBE technician. However, "in general, they are not looking for specific people, but they take a bag of data and start calling," insists the commander.

The thing to keep in mind when you get a call from a supposed company, especially if you are one of its customers, is whether you were expecting a call. "If you weren't expecting it, be suspicious," García warns.

Situations that should prompt distrust include: "If you are a customer of the supposed company, but they are selling you information that is strange to you or that you don't fully understand, it's best to cut off communication and go directly to the entity's official contacts. If you can't hear well, if there is a lot of background noise or if you feel that the person you are talking to doesn't understand you, if communication is cut off or if they don't know how to answer the questions you are asking, be wary. Sometimes they don't answer or hang up. If they ask you to provide personal information that a company you are a customer of should know, same thing. And you can also be suspicious if they tell you to install something, whatever the pretext," García says. But above all, you have to use common sense, although sometimes the trick is for the caller to spout a series of technical concepts to confuse the victim.