Tech & Sourcing @ Morgan Lewis


Broad awareness has been made about cyberattacks in the form of phishing that typically use email messages to lure victims into divulging sensitive information or opening a link that allows malware to infiltrate their device. Companies have learned how to combat phishing by training employees to recognize such scam attempts and report them as phishing to protect their organizations. “Vishing” is another tactic used by scammers that, while less familiar, is no less invasive and dangerous.

Vishing, a term that comes from the combination of the words “voice” and “phishing,” tricks victims into providing personal information over the phone. Vishing scams convince victims to provide passwords, social security numbers, bank account information and other personal data to callers pretending to represent an organization that requires sensitive information, such as a governmental authority or the victim’s financial institution or utility company.

In order to appear as if they are legitimate, vishing scammers use local area codes and text message prompts to cover their tracks. Oftentimes a vishing attempt will try to persuade the victim to act quickly in response to a (falsely) urgent situation such as a lost child, medical emergency, or once-in-a-lifetime opportunity. These attempts can target hundreds of phone numbers at once, casting a wide net of potential victims, including employees that could provide unintended access to corporate computer systems.

Closely related to vishing scams are “smishing” scams, which follow a similar theme and approach to vishing strategies, but via text message (SMS) instead of over the phone. These text messages might include a link to click, similar to a phishing attempt. Smishing attempts may identify victims by name or may appear otherwise familiar to a victim, leading them to mistakenly trust the source of the message.

There are a number of strategies to combat vishing and smishing and firms should consider adding these strategies to their phishing training:

  • Confirm the caller’s identity before returning a call to an unidentified number, including those from a local area code. When in doubt, contact the institution directly that appears to be making the call through verified public contact information.
  • Let unknown numbers that appear in call waiting go to voicemail and return the call if appropriate.
  • Do not speak or push numbers to automated calls, as that information can provide the personal information needed to infiltrate systems.
  • Register with the federal Do Not Call Registry, as legitimate companies generally avoid calling numbers on this list.
  • Like phishing, report vishing and smishing attempts to your company’s cybersecurity team immediately.

As we described in last week’s Contract Corner, it is important to keep current with the latest security threats and protections with regard to your security policies, training and documentation.