I got a call today at work. It was a recording that alerted me that my social security number (SSN) is about to be suspended! The call said that I should call them back quickly in order to prevent this from having a negative impact on my life. I was given a phone number in Texas somewhere and was told to call it right away.
I had hoped that I’d be able to speak to someone who worked for the Social Security Administration in order to find out what happened—and to also ask why I had not received notification in the mail about this either, but it was quickly apparent to me that the person on the other end was simply after my SSN.
Sounds scary, right? Does it make you want to follow instructions? Well, don’t. This call, and many calls like it, are examples of vishing. These recorded scam calls are designed to get you to surrender personally identifiable information (PII)—in this case, your social security number—so that the attackers behind the scam can take your money, steal your identity, or make your life a living hell.
Protecting Yourself from vishing attacks
The most important thing to know is that these attackers rely on fear, uncertainty, and urgency to get you to give them sensitive information. These vishing attacks are designed to sound like an official announcement outlining some type of consequence. The goal: if they can make you think something is off with your social security number, credit card information, password to your computer, bank account, etc., they might be able to get you to confirm what that information is over the phone.
You combat this by staying calm and thinking logically. If you take your emotions out of the situation and think about what’s being asked before abiding, you’ll be less likely to fall for these vishing scams. Here are some things to think about when a call like this comes in.
- Your social security number (SSN) won’t ever be suspended; it follows you beyond the grave. More than even your name, your SSN is the government’s unique identifier for you. It’s used to open utility agreements, associate you to your medical billing, open loans or mortgages, and more. The government is not going to block your access to those things.
- The Social Security administration won’t call you or email you with something like this. The information is too easy to intercept with those methods. For that reason, they prefer and use snail mail. You’ll get a letter first if something bad is happening or your action is required. They won’t call you with a robot, and they likely won’t ask you to confirm your SSN by phone, either.
- Do some digging and confirm the number. The Social Security Administration (and any legitimate organization) will have their phone number listed on their site (their main line is 800-772-1213). Instead of telling your SSN (or other personal information) to the inbound caller, hang up and call the number on the site. They’ll be able to tell you if there is a legitimate concern against you. Or, at minimum, you can see if the phone numbers match.
- If they do match, you can also hang up and call the number right back. If the attacker is spoofing the organization’s name or the phone number on your caller ID, calling it back would take you to the legitimate organization.
- Let unknown calls go to voicemail. You take some of the urgency and emotion out of a call if it’s on your own terms. Plus, then you can avoid being persuaded by an attacker, and you can do some research on the number and concern before reaching out to the Social Security Administration (or whoever else your handles the information in question).
- The Federal Trade Commission’s website lists known types of scams. Cross-reference the phone request with their site to see if it’s a known scam.
- If you find the activity to be suspicious, report it to the organization, bank, Social Security Administration, or whoever handles the information in question. They’re more likely to be able to catch the attacker if the call information and the personal information the caller requested (and how) are documented.
The most important thing to know is that these attackers rely on fear, uncertainty, and urgency to get you to give them sensitive information. Don’t panic.
I personally like to waste their time by asking them boring questions, asking them to repeat their request, and (from time to time) rewarding them further by pulling out the bear whistle we have at home and blowing it into the microphone of the phone.
If you get one of these calls (and aren’t prone to mischief the way I am), consider some of the above tips, confirmation methods, and intel-gathering methods to help you determine if it’s fake and to help you avoid falling in an attacker’s trap.
And if you’re curious whether your team would handle vishing attacks responsibly, we can help. Learn more about social engineering at frsecure.com.