Protecting yourself from vishing scams

Keeping you and your money safe is our top priority, and we have stringent safeguarding measures in place to help protect all our customers. But there are also steps you need to take to protect yourself from fraud.

To help you identify potential scams and stay safe, we’re publishing a series of articles on fraud protection. This article looks at vishing scams.

What are vishing scams?

Vishing scams are a type of cyber attack in which attackers use fraudulent communications, often disguised as trustworthy entities such as banks, government agencies, or tech support, in order to gain the trust of the victim, subsequently tricking individuals into revealing personal data.

Vishing scams refer specifically to fraud attacks that occur via telephone calls or voicemail, being a combination of ‘voice’ and ‘phishing’ scams. The goal of vishing is typically to steal sensitive information, gain unauthorised access to accounts, or carry out other malicious activities.

This particular social engineering attack can be tricky to spot, due to its use of telephone calls or voice communication technology, which seeks to deceive individuals into providing sensitive information or performing certain actions.

It’s important to be aware that as voice technology advances, vishing scams are becoming increasingly sophisticated. Scammers seek to take advantage of recipients’ emotional responses, often instilling a sense of urgency or curiosity, which in turn prompts victims into taking specific actions that could compromise their security.

With the rise of voice technology and constant telephone presence, it’s vital to optimise your security measures and know which red flags and common vishing tactics to look out for in order to avoid falling victim to such scams. 

An example of vishing fraud

Josie receives an unexpected phone call one morning. The caller identification shows on her phone screen as ‘HSBC Security’. Appearing to be a legitimate communication, Josie answers the phone.

On the other end of the line a man named John introduces himself, claiming to be a member of HSBC’s security department. John tells Josie that her bank account has been flagged, due to the detection of suspicious activity on her account. John tells Josie that on behalf of the bank, he needs to verify a few details in order to secure Josie’s account.  

John goes on to inform Josie that several unauthorised transactions have been spotted on her banking statement. John tells Josie that in order to proceed with securing Josie’s funds, he will need Josie to transfer the remaining money in her compromised account to a ‘safe account’ while her personal account is investigated.

John assures Josie that her security is his priority, recalling the caller ID displayed when she first answered the phone. John reiterates that time is of the essence, urging Josie to make the transfer before any more supposed damage can be done. Now feeling uneasy and frantic, Josie sends money to the ‘safe account’, which John has provided details for.

The money is now out of Josie’s hands, and John is free to do with it as he pleases, having received it into a bank account of his choosing. Josie later learns that John was not a legitimate HSBC employee, despite his claims and the use of a spoofed caller ID.

With a sense of urgency, fear tactics, and the guise of authority, Josie fell victim to the increasingly common vishing scam.

Five tips on how to protect yourself from vishing scams 

1. Be sceptical of unsolicited calls

Exercise caution when you receive a phone call or voicemail from an unknown or unexpected source.

If you receive an unexpected call, look out for signs of illegitimacy, such as discrepancies between the caller’s claims and what you know to be true of certain organisations.

Be especially wary of calls that imply a strong sense of urgency or pressure. The suggestion that immediate action is required will often push victims to act before thinking. Genuine correspondence scarcely requires such urgency, so think twice when being pushed to act hastily.

2. Verify the caller’s contact details

With any suspicious correspondence, such as an unexpected phone call asking for personal information, or stating that a change of password is required, make sure you check the caller’s contact details carefully.

Vishers often use spoof phone numbers or caller ID’s that resemble legitimate ones but may have subtle variations. Be cautious if the phone number doesn’t match the official domain of the organisation it claims to represent.

3. Don’t provide personal information over the phone

Avoid giving out personal or financial information over the phone unless you have initiated the call and are certain of the recipient’s identity.

Legitimate organisations will never ask you to provide sensitive information such as passwords or account numbers over the phone. If in doubt, contact the organisation directly using official contact information provided on the official website, rather than any contact details provided via message, to verify the authenticity of the request.

4. Be cautious of urgency and threats

Scammers often use urgency and threats to pressure victims into providing information or taking action quickly.

Be sceptical of callers who claim that your account is in jeopardy or that you will face consequences if you don’t comply immediately. Take your time to verify the legitimacy of the call.

5. Register with the Telephone Preference Service (TPS)

This service will allow you to record your preference on the official register and avoid receiving any unsolicited sales or marketing calls. This means that if you do receive a call, you’ll know it’s a scammer on the other end of the call.

You may also want to consider installing a call blocker to prevent irrelevant calls.

Vishing techniques can evolve, so staying vigilant and educating yourself about various types of fraud is key to avoiding such scams and protecting your personal data and cybersecurity.

If someone targets you 

If you suspect you are being targeted or have fallen victim to a vishing scam, it’s crucial to take immediate action to mitigate potential damage and secure your accounts.

If you have lost money to a scam, should report it to Action Fraud immediately, by calling 0300 123 2040 or by using their online reporting tool, and you can report it to the FCA. 

You should then contact your bank as soon as possible to let them know what has happened.

There are various ways to report different types of scams you may have received. Using Ofcom’s scam reporting service, you can use 7726 to report strange calls, by texting the word ‘call’ followed by the dodgy number that has tried to contact you. The service also works for unwarranted text messages.

You can call 159 if you receive a call claiming to be from your banking institution. Calling this number will direct you to a legitimate customer service helpline for your bank, allowing you to check whether the correspondence was genuine or not. The banks involved in the scheme include Barclays, Bank of Scotland, Co-operative, First Direct, Halifax, HSBC, Lloyds, Metro Bank, Nationwide, NatWest, Royal Bank of Scotland, Santander, Starling Bank, Tide, TSB and Ulster Bank.

If you’ve been a victim, you can also get free specialist help from Victim Support. 

More information on vishing scams

Some of the organisations and websites we’ve listed above provide a treasure trove of information, guidance and resources.

As well as checking the FCA’s Register and Warning List, you can also find other information for consumers and firms on the FCA website.  

Action Fraud, the UK’s cybercrime reporting centre, also has plenty of useful resources – as does Victim Support. 

Finally, we’re always more than happy to help our customers. If you’ve got any concerns or questions about the security of your Currencies Direct funds, or need guidance in relation to a transfer, please do get in touch. 

You might also want to read our article on identity fraud, as the two types of scams share some similarities regarding the exploitation and theft of an individual’s personal data.