“Good morning N (our name), we are from the energy company X (name of the company we have contracted), we have verified that you have a very high cost on your electricity bill due to the ‘gas cap tax’ and we want to apply a compensatory discount to this tax that the Government forces us to impose on you; we just need you to confirm that it is you who we are calling so that from now on you will never have to pay this tax again”.
With this call, a supposed operator can put us on alert and push us so that the “confirmation of our identity” ends up being a handover of data confirmed by telephone, in this case to switch us to another electricity company without our wanting or consenting to it.
The alleged operator did not actually belong to our energy company but to a rival, and used a technique called vishing to impersonate an operator and carry out a fraudulent operation.
In this case it is a change of company, but on other occasions what is at stake is our money, as in the case of the Facua partner who was robbed of 29,000 euros through this technique, which we report in this article. Or as in the case of the already classic Microsoft scam, whose audio you can hear in this other article.
Also recently, the Civil Guard arrested two people who had allegedly stolen more than 2,800 euros by telephone, using the pretext of an alleged unpaid invoice caused by a computer failure due to the merger of Liberbank and Unicaja.
In short, where phishing uses email or SMS to steal our data and with it our money, vishing exploits the phone line to apply social engineering and create a state of alarm that makes us vulnerable to handing over sensitive data.
The Internet Security Office (OSI) has cataloged this modality and defines it as a scam where “the cybercriminal pretends to be customer service to inform us, in the case of banks, that someone has accessed our account and/or card, that they have charged them, or to ask us to give them information about our digital signature”.
“In the case of gas and electricity providers, fraudulent calls are made with the aim of capturing personal data. It is not ruled out that they are calling users pretending to be any other service or company in order to deceive them and steal their personal and banking data”, adds the agency.
Vishing works thanks to personal data that cybercriminals have previously obtained, usually through security breaches that affect companies. From there, with information such as our name and telephone number, they can obtain more sensitive data and carry out the scam with it.
The mechanism, according to the OSI, consists of calling the victim and alerting them to a strange charge on their account, or an extra charge from their service company, in order to alarm them. From that moment on, the impersonator will try to calm the victim by promising to solve the problem.
The catch is that, to solve the problem, the operator needs to verify the customer's data, and that is when they manage to get us to hand it over without realizing it, perhaps believing that they already have it.
As Caixabank explains:
“Fraudulent calls (vishing) are the order of the day; cybercriminals are increasingly sophisticated in their arguments to deceive their victims, using various strategies to do so”.
The entity highlights the following:
- Impersonate the calling phone (Caller ID Spoofing) so that it is the same as that of a customer service center of any bank.
- Know perfectly how the entity’s electronic banking works and therefore guide the client through the menus to achieve their goal.
- Use the most convincing arguments, such as helping us to retract an alleged fraudulent charge so that we can recover our money.
How to prevent vishing
Caixabank explains that “if someone contacts us, claims to be from our bank and asks us to provide personal information, bank information, secret passwords that will reach us through text messages to our mobile, or if suddenly they guide us step by step through online banking so that we can carry out a procedure, we must hang up the call and, in case of doubt, contact the entity's customer service to explain the case and have them advise us”.
“It is important”, continues the financial institution, “to remember that a bank will never request personal data, users, passwords or keys through any channel”. Our bank can even contact us to confirm, for security, if we have made a payment or a transfer, but it will never ask us to provide them with any type of personal code.
For its part, the OSI offers the following recommendations:
- Do not provide any type of personal information to strangers who call you saying they are doing so on behalf of your bank or gas and/or electricity company.
- Run checks on the user you are interacting with.
- If, when talking to the person, they do not inspire confidence or you doubt their authenticity, cut off communication and contact your bank or your gas and/or electricity service provider through official channels to verify the information and make sure that what is happening is true.
- In case of doubt, consult directly with the entity to inform them of what happened, or with trusted third parties such as the State Security Forces and Bodies (FCSE). If you need more information, you can call the INCIBE Cybersecurity Helpline 017, free and confidential, or get in touch through the chat channels WhatsApp (900 116 117) and Telegram (@INCIBE017).