
Don’t Fall for the Call: What Lawyers Need to Know About Vishing Scams


For years, criminals have used the phone to try to scam people out of money or into disclosing personal information, and they have tended to find success with victims who were not very tech-savvy. Today, however, cybercriminals are using vishing attacks to up their game. Vishing is short for voice phishing. It is a type of social engineering scam in which cybercriminals use the phone to impersonate trusted entities such as banks, government agencies, vendors, and even your own IT support. Their goal is to use real-time manipulation and emotional pressure to trick victims into enabling the download of malicious software or revealing sensitive information, such as login credentials, credit card numbers, or bank details.

Vishing attacks take phone scams to a whole new level of sophistication, making it harder for even tech-savvy people to recognize the scam. In part, this is because criminals can now use caller ID spoofing tools. Such tools let them make a call appear to come from a recognizable phone number, in the hope that the recipient will believe the call is from an organization they normally interact with. Making matters worse, the amount of information available on social media, coupled with the vast amount of personally identifiable information stolen in breaches like the one at Equifax, means criminals have all the information and tools they need to perpetrate a very convincing scam. Several examples will help illustrate the seriousness of the situation.

The first example concerns a partner in a small estate planning firm who received a call from someone claiming to be with the firm’s IT service provider. Thanks to a spoofing tool, the correct company name and number appeared on his caller ID display. The caller calmly explained that a security breach had been traced back to the firm’s IP address and that there was unusual activity on the firm’s email server which needed to be stopped. The caller asked the lawyer to log in to the network and open a link the caller sent via email so that a security patch could be installed. The lawyer, concerned about unauthorized access to client data, followed the caller’s instructions, eventually even giving the caller remote access to his computer so the caller could finalize the security update. The end result was that the lawyer’s actions not only allowed a criminal to install spyware on his computer, but within an hour enabled the criminal to begin using the lawyer’s email account to send phishing emails to firm clients.

The second example concerns an associate at a family law firm who received a call purportedly from a representative of the state bar’s disciplinary board. The caller said that a complaint had been filed against the lawyer and referenced legitimate bar rules and disciplinary procedures. The caller went on to explain that, due to the nature of the allegations and in order to initiate processing of the matter, the lawyer needed to confirm her identity immediately, adding that a failure to cooperate would be noted and could even result in an imminent suspension. The caller then asked for the associate’s bar number, date of birth, and the last four digits of her Social Security number. The end result was that the criminal was able to use the stolen information to impersonate the lawyer in an attempt to defraud “clients.”

The final example involves a call from someone claiming to be from a lawyer’s bank. The caller was pleasant and professional. The caller said there was suspicious activity in the lawyer’s personal account and also accurately provided a little personally identifiable information. The call went something like this: “I’m calling from [lawyer’s bank]. Someone’s been using your debit card ending in 8774. In fact, one of the charges is for $1473.82 on Amazon. I’ll need to verify your Social Security number, which ends in 3006. Is this correct?” The lawyer responded yes. “Thank you. Now, if you would provide me with your full debit card information, we can stop this unauthorized activity.” Because the personally identifiable information was accurate, the lawyer provided the information, believing the caller would remove the suspicious charges and immediately authorize a replacement card. Unfortunately, the lawyer’s actions handed complete access to and control of the lawyer’s hard-earned money to a criminal, who emptied the lawyer’s checking account while still on the phone with the lawyer.

There are a number of steps one can take to avoid falling prey to these types of scams, but the most important one is this: never volunteer information or assist someone in accessing any account, financial or otherwise, if you didn’t initiate the call. Just because someone shares accurate personal information about you doesn’t mean you can trust them! The best course of action is to hang up and call back using a phone number you've verified independently (e.g., from the organization's official website, a bill, or a statement) to determine whether something is actually amiss. Never use a number the caller provides. Additional steps to take include the following:

  • Always be wary of unsolicited calls. Legitimate organizations, such as banks or government agencies, typically won't call out of the blue and ask for sensitive information. If you receive an unexpected call, especially one that conveys a sense of urgency or is coupled with scare tactics, you should become suspicious. Stop, take a breath, and think logically. Remember that legitimate organizations don’t use such tactics.
  • Also be wary of voicemail. Voicemail can be used as something of a Trojan Horse. In short, scammers often leave voicemails that sound quite credible, prompting call-backs that initiate the real con.
  • Trust Your Gut. Be aware that emerging AI voice cloning tools allow scammers to mimic voices, adding a layer of realism that’s hard to detect. So, if something about a call (or voicemail) feels off, trust your instincts and hang up. You are not obligated to continue the conversation. Pay attention to details like poor call quality, unusual background noise, or a robotic-sounding voice, which can be signs of a scam.
  • Don’t trust Caller ID. Scammers can spoof numbers to make it look like they’re calling from your bank, the IRS, or even a family member.
  • Use two-factor authentication on every personal and work account that makes it available. This adds an extra layer of security, making it harder for a scammer to access your accounts even if they obtain your password.
  • Conduct mandatory training on these types of scams. Anyone at your firm could be the target of a vishing scam, so everyone must be taught how to recognize and respond to vishing attacks. The goal is to create a healthy culture of skepticism toward unsolicited requests for information or action.

Mark Bassingthwaighte, Esq., serves as Risk Manager at ALPS, a leading provider of insurance and risk management solutions for law firms. Since joining ALPS in 1998, Mark has worked with more than 1200 law firms nationwide, helping attorneys identify vulnerabilities, strengthen firm operations, and reduce professional liability risks. He has presented over 700 continuing legal education (CLE) seminars across the United States and written extensively on the topics of risk management, legal ethics, and cyber security. A trusted voice in the legal community, Mark is a member of the State Bar of Montana and the American Bar Association and holds a J.D. from Drake University Law School. His mission is to help attorneys build safer, more resilient practices in a rapidly evolving legal environment.
