What is vishing: how to recognize it, and how to protect yourself.

Vishing is a type of phishing carried out by cybercriminals through phone calls or by leaving messages in your voicemail in order to obtain your personal data or to have you install malware. 

It takes the name vishing as a result of combining the terms voice + phishing.

Cybercriminals pretend to be employees of a well-known company to deceive you with social-engineering techniques and to convince you to act as they want.


How is vishing recognized?

Usually, you will receive an unexpected call. Since we are used to receiving telemarketing calls with all kinds of offers, it is not always easy to recognize vishing.

Vishing calls are very similar to phishing emails, because they use similar techniques:

  • you receive an unexpected call in which they inform you of some problem or make you an irresistible offer, prompting you to act in some way during that same phone call.
  • the call comes from a hidden number or from another country (although you will only notice this if they call you on your mobile phone).
  • they directly ask you to provide personal or banking data beyond what would be reasonable, or even data that they themselves should already have if the call were genuine.
  • sometimes, they ask you to download software to fix a problem on your computer from an Internet link they provide.
  • if the conversation goes on, you will notice that they are usually foreigners. This is normal, because, in general, to carry out this type of scam, cybercriminals set up call centers in other countries with operators who have little command of the Italian language.
  • if the call makes you suspicious and you ask for more information or bring up other topics, they hang up or immediately steer the conversation back to the reason for the call. Their time is precious, and they need to convince you as quickly as possible.

The situations that arise in the call are very different and new variations are constantly emerging. Some typical examples of vishing are calls in which cybercriminals pretend to be: 

  • A computer technician: they have detected strange activity on your computer or mobile phone, and ask you to install a program to fix the problem or to fix it remotely. In doing so, they will get remote control of your equipment, and will be able to acquire your data or monitor your devices when you use online banking services, for example. They can also pretend to be a company that offers IT support services to solve your problem, and, when you make the payment, they collect your complete bank details. 
  • A bank clerk: during the call, they pretend to be an employee of your bank and report a problem or blockage with your account or card. They ask you to prove that you are the rightful owner by providing complete card or bank account details, so they can check it in their databases. Sometimes, they also ask you to provide them with the security code you just received via SMS, to verify that your phone is working properly. Or for your card PIN. All of this information allows them to make fraudulent online purchases or transfers on your behalf. 
  • A representative of a service company (telephone, gas, electricity, etc.): on the pretext that there is an incorrect charge on one of your bills, they ask you for your bank details in order to proceed with the refund of the wrongly invoiced amount.
  • A person interested in purchasing a product: if you are offering a second-hand product on the Internet, they show interest in buying it and ask for your complete bank details in order to make the payment.
  • Other pretexts that are used are your participation in a contest or a lottery, or the offer of a gift certificate.

How do they know my phone number?

In most cases, they do not know it. Cybercriminals carry out their attacks on a large scale, hoping that one of the people who receive their call will fall into the trap and end up providing their data or installing the software.

They usually do not select their victims. In the case of telephone numbers, since they all share the same prefix and are consecutive, it is easy to carry out a vishing campaign: just call one landline after another in a certain geographical area, or every mobile number in a range assigned to a telephone company.

Sometimes, they can get more information about a phone number holder via the Internet and social networks. In this way, they acquire some basic additional data, such as your name and last name, the city in which you live, etc., which they use to communicate with you in a more personalized way, therefore making the scam more credible.


How to protect yourself from vishing?

The situation is different depending on whether you make the call or they call you.

The most typical case of vishing is when you receive a phone call. 

The most important thing to know is that receiving a vishing call does not automatically make you a victim of the scam. That only happens if, during the call, you give them your information or agree to install software on your computer. Reputable companies have strict internal policies that forbid requesting this type of data or action in phone calls they make to their own customers.

When you receive a call, we recommend that you do the following: 

  • Be alert: if you receive a call that you did not request and it conveys some degree of urgency, do not trust it.
  • Be suspicious and ask for confirmation beyond doubt: not trusting these kinds of calls is normal, so you do not have to feel guilty. A serious company will be able to give you further, reliable information on the situation in order to clear up your doubts. They are the ones who have to give you information, not the other way around. If you still have doubts, they will give you the opportunity to contact them by other means.
  • Do not provide personal data when it is requested during a call that you have received. Check what information they are asking for before giving it, and ask them why they need it, since they should have it already.
  • Never provide secret data, such as usernames, access passwords, or OTP codes you have just received via SMS; card data, such as the number, PIN, CVV, or expiration date; or any other type of bank details.
  • Take control of the conversation: ask questions to confirm that they are the company they claim to be, and ask whether they can give you more specific information about you beyond your name and phone number. Test them without telling them whether they are right or wrong, and be suspicious if they are inaccurate or refuse to answer "for security reasons."
  • If your suspicions persist, end the call immediately. Cybercriminals rarely call back. If they do, tell them that you will be the one to call the contact center, and do not accept a phone number they offer you to call back.
  • Contact the company they claimed to be calling from directly, and confirm the reason for the call and that it actually came from them.
  • Block the phone number they called you from if you suspect it might be a scam, to prevent them from calling you back from that number.

Remember that BBVA will never ask you for your username and password, OTPs received via SMS, card or account details or, more generally, any kind of banking or personal information in a telephone call that you have received from our contact center.

If you are calling the contact center of an institution or a banking service: 

  • Make sure you call the correct phone number: if in doubt, get it from the company's website or official mobile app. Spend a few minutes saving it in your address book when you become a customer. If you need to call, do not copy the phone number from an email or SMS that seems suspicious: it could be a phishing or smishing scam that redirects you to a fake contact center set up by cybercriminals.
  • Learn what that company or organization's telephone support service is like: make occasional calls to their contact center to find out how they provide assistance and information in a way that inspires confidence, and ask questions about your data. That way, when you call in response to a request you have received (by email, SMS, etc.), you can compare whether the service you get that day matches the service you have received before.


What to do if you have been a victim of vishing?

Despite everything, there is a possibility that the scam is very well executed and you end up providing your personal information, card details, or access passwords.

If so, you must act immediately by following these guidelines:

  • Report the problem to your bank. The main banking institutions and bodies have specific channels for reporting these cases, with pertinent instructions. Usually, they will ask you to forward the phishing email you received, specifying the type of information to provide. They will advise you on the best way to proceed.
  • Change your passwords: if you have provided passwords, a card PIN, access codes, etc., change them as soon as possible.
  • Run a virus scan: if you have installed software, uninstall it and use an antivirus to remove any malware left on your computer. Do the same with any other files you may have downloaded.
  • File a complaint: if you realize that you have suffered an economic loss, consider reporting it in person at the nearest police station, which you can find in the List of Points of Interest by the Police Offices (Police Headquarters and Commissariats).

By knowing what vishing is and how cybercriminals act, you will be able to identify this type of scam more easily and protect your personal banking information.
