Trending TikTok prank call challenge akin to ‘vishing,’ says cybersecurity firm

July 21, 2022 - 5:51 PM
TikTok app is seen on a smartphone in this illustration taken, July 13, 2021. (Reuters/Dado Ruvic/File Photo)

A prank call in which victims are duped into believing they ordered something online has been making the rounds on TikTok. But what seems to be a harmless trend, cybersecurity experts warn, is akin to a fraud tactic called vishing.

Vishing, short for voice phishing, is the illegal practice of convincing users to call cybercriminals and reveal personal information, such as their name, address and bank details, over the phone. 

But on the short-form video platform TikTok, the vishing schemes have been refashioned “for show.”

The prank calls are usually tagged with hashtags such as #amazonpurchase or #purchaseprank, accumulating over 36.6 million views online. 

When a prank victim answers the call, a voice generated by an online translator asks the victim to confirm an order they supposedly placed, amounting to several thousands of dollars. Regardless of the victim’s reply, the automated voice answers: “Thank you, your order has been confirmed.”

“People think the answering machine misheard them and that the funds are going to be withdrawn from their account immediately, so they panic, scream, and don’t realize that they are being pranked,” Kaspersky said. 

As with other phishing schemes, vishing starts with a seemingly innocuous email supposedly from a well-known online store or payment system. The fake email could, for instance, tell users that a request has been received to withdraw a large amount of money from their account.

Kaspersky detected nearly 350,000 vishing emails from March to June combined. As phishing emails reached almost 100,000 in June alone, the highest in the recorded four-month period, the cybersecurity firm anticipated that this type of fraud tactic would grow.

While typical phishing emails lure victims into clicking a dubious link, vishing emails instruct them to urgently call the customer support number to cancel their alleged order. 

“Under these circumstances, attackers do everything they can to further throw them off balance: rushing them, intimidating them, and demanding that they urgently provide their credit card details to cancel the supposed fraudulent transaction,” said Kaspersky. 

Once the cybercriminals get the victims’ bank account details, they immediately use the information to steal their money, it added. 

The global cybersecurity company suggested several ways users could protect themselves from vishing:

  • Check the sender’s address. Most spam emails come from addresses that don’t make sense or appear as gibberish, for example, [email protected] or something similar. 
  • Unsolicited messages from legitimate companies telling you to “verify account details” or “update your account information” should be treated with caution.
  • Be wary if the message creates a sense of urgency. Spammers often try to apply pressure by using this tactic.
  • Double-check the email body’s grammar and spelling. Typos and bad grammar are red flags.