Vishing: Scamming by Phone
Identity theft information is contained on three pages:
Report Identity Theft
If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.
Don't let embarrassment keep you from talking to the authorities. If you were the only victim, identity theft wouldn't be a growing problem.
The sooner you report the potential identity theft, the sooner you can begin to resolve the issue.
What is Vishing?
Vishing (phone scams) are a form of phishing where only the voice is used to deceive.
Indeed, vishing may be considered a type of phishing, whereas phishing itself is a catchall term for a range of attacks that aim at stealing sensitive information.
While vishing attacks center solely on the use of voice to scam others, phishing scams can use a variety of methods, ranging from voice and text messages to fake emails and websites.
These calls can be intimidating and frightening.
They use volume, aggression and sophistication to achieve their goal of taking people away from their money. Their entire approach is to cause harm, cause fear and get people not thinking, get them reacting and not in control.
— Times Colonist
How it Works
It starts with a phone call where someone claims to represent a well-known business (often Microsoft) or government agency (usually the CRA or RCMP).
The caller may insist that your computer is infected and they want to gain remote access to your computer to “fix” the problem.
The “CRA” or “RCMP” caller will say you are about to be arrested, but they can help you avoid the pending arrest by providing funds.
Your Social Insurance Number is particularly hard or impossible to replace and is a key to perpetrating fraud. This person provided hers to a fraudster that appeared to be calling from a courthouse using fake caller ID (he told her to Google the number as proof of his legitimacy):
At the start of the call, there was a generic robotic voice supposedly from the Service Ontario Justice Department that told me my SIN has been flagged for two fraudulent charges and ignoring this could lead to legal ramifications and serious jail time.
— Toronto City News
There is a similar scam where the “local police” or a “bank inspector” ask you to take out a large sum of money from your bank account to “catch an embezzler.”
In either case, you are being scammed. Just hang up.
Don't Provide Information
The caller will generally ask you to provide your account numbers or other key information to “prove your identity.”
This request should make you suspicious.
Because you did not initiate the call it is up to the caller to prove they are legitimate (something they cannot do).
Just hang up and call back using a legitimate number (i.e., from a statement of invoice you regularly receive). Do NOT use any number provided by the caller.
Don't Provide Funds
When the intent is to obtain money from you, they may use the threat of impending arrest or an audit.
Payments are always via untraceable methods like Bitcoin or gift cards (they ask you to provide the characters revealed by scratching the card's redemption code).
Remember, if you were going to be arrested, the police would be at your door, not calling you.
The safest thing to do is to just hang up.
Most Common Scams Using the Phone
There are two general ways that the telephone is used in perpetrating scams and identity theft.
The Direct Call
The most common are phone calls made directly to your phone number. These are attempts to con you into providing:
- personal or account information they can use to hack your accounts; or
- untraceable funds via access to your bank accounts or credit cards; or
- access to your computer which will allow them to install malware and look for personal information.
The Fake Support Number
The other method is to create a fake error message listing a phone number for you to call for “help” in dealing with the popup error message.
When you call that number, you will be talking to a scammer somewhere overseas (any website they send you to can be faked).
Microsoft cannot remotely detect viruses on your computer (that is the job of your security software) and NEVER provides a phone number in legitimate error messages.
Phone scams include bogus “computer support” calls, offers of “free” vacations, solicitations from fake charities, threats from fake collection agencies, and calls threatening arrest.
Phone scams are no joke. Scammers target millions of Americans every year via robodialers and many people fall victim as they are threatened with arrest warrants or guaranteed free vacations.
These scams are perpetrated on innocent victims every day:
- Beware of these 8 common telephone scams.
- Phone phishing scams now targeting Social Insurance Numbers.
These Callers are Thieves
The purpose of their call is to steal from you — your money; your identity; your trust. Learn how to protect your identity.
When someone approaches you, remember they always want something.
— Frank Catalano
Don't be the next victim! Don't engage the caller. Just hang up.
Let Unknown Numbers Go to Voice Mail
Fraud experts recommend that you let all unknown numbers go to voice mail, even if they appear familiar. Scammers use fake caller ID so the number appears to be a local caller or a legitimate business.
Any of these warning signs indicate that you're probably dealing with a scammer:
- A “computer support” call telling you that your computer is infected.
- They tell you to use the “Windows” key in combination with another key to navigate your computer.
- A call offering a better credit card rates.
- A call offering a special discount or an unexpected prize.
- A call from a “CRA officer” or “Canada Border Services” threatening imminent arrest.
- A call telling you your Social Insurance Number was flagged.
- A call telling you that large purchases have been made to your credit card.
- Most robo-call offers.
Threats of “Arrest Warrants” are Bogus
In some of these scams, the caller states that an arrest warrant has been issued, but they can stop it if you comply with their monetary requests.
If there was a warrant for your arrest, the police would be at your door, not having a “CRA officer” or “police officer” call you.
Just Hang Up
Don't respond. Just hang up.
The Caller Has No Authority
You don't need to fear these calls.
One lady was scammed for thousands of dollars because “the caller told me I couldn't hang up.”
Callers Need to Prove Their Identity
Be wary of any calls you didn't initiate.
If YOU contact your bank or credit card company, they need information to identify you. This is normal. Just be sure you obtain that contact number from a trusted source such as a recent invoice or statement.
However, if you DIDN'T initiate the call using a reliable source for the phone number, the caller has no right to expect you to provide such information.
The party placing the call is always the one that has to prove their legitimacy.
Credit Card Scams
Notice that scam phone calls about “your VISA and MasterCard account” immediately ask for your credit card number?
- It is rare for financial institutions to offer both VISA and MasterCard.
- They would identify themselves by institution, not credit card.
- They should never expect you to provide your credit card number if they called you.
If you have concerns about your credit card(s), call the number on the back of the card or visit your bank in person.
Calls from Canada Post?
Fraudulent phone calls are circulating from “ Canada Post” asking for personal information including your Social Insurance Number to obtain your delivery of a wrongly-addressed package.
Canada Post doesn't have your phone number, cannot confirm your identity via a Social Insurance Number and will simply return the package to the sender.
Don't Provide Information
NEVER either confirm or provide any information to an unknown caller (especially when asked to prove who you are).
- Never give out personal information
- Never give out your Social Insurance Number (SIN).
- Never confirm or correct information.
- Never provide credit details or a credit card.
- Never provide a blank or written check.
From a financial perspective your tax information as well as your entire credit profile including your history and credit score and connected to your SIN.
— Toronto City News
Recovery of a lost SIN is difficult and doesn't prevent the older number from being used fraudulently.
Never give any personal information, such as a Social Security number, to a caller unless you're positive he or she is a legitimate representative of a company with which you regularly do business.
If there's any question, ask for the caller's full name, title and department and tell him or her you'll call back.
Use the business's phone number as posted on its website or, better still, on any snail-mailed statement or correspondence you've received from the company.
— Check Point blog
Be wary when calling back a missed number, particularly if it only rang once. Calls to “regular” numbers in certain (mostly Caribbean) countries can be treated like 900 “pay-per-minute” numbers.
Credit Card Scams
Credit cards are involved in most of these scams in one way or another.
Remember, these are seldom legitimate calls. Thieves are trying to con you into giving up your credit card details.
The callers may try to scare you into believing your card has been compromised.
An automated call says there are suspicious charges on your card. Usually fairly large purchases are mentioned.
New Lower Rates
Alternatively, the calls entice you with exceptionally low rates.
These calls usually mention “VISA and MasterCard” rather than the specific card or the financial institutions they are calling from.
They Ask You to Verify Your Identity
Even though they called you, you'll be asked to provide your credit card details, plus your name, address, etc. “to prove who you are.”
Instead, they'll use that information to
- purchase items using that card's number; or
- establish additional credit cards in your name.
These calls begin by telling you that you've won a lottery or some other significant prize.
Here's the catch: you need to pay shipping and taxes or other fees before the prize is delivered.
- Prizes are not taxable in Canada and there should never be any shipping or handling fees regardless of where you live.
- It is highly unlikely that you won a contest you don't remember having entered or even know about.
CRA “Threats of Arrest”
This is a particularly scary call. A person identifying themselves as a CRA officer states that you owe a great deal of tax and a warrant is being issued for your arrest unless you can pay the officer.
- You would be notified by mail or email of any amount outstanding on your taxes long before this point using official CRA communications.
- If there was a reason to arrest you, police officers would be at your door.
The Canada Revenue Agency will never call and use nasty language or threaten a customer. They will also never ask for credit card information, personal information by email or text, or request your social insurance number or ask for bank account information.
— CTV News
The newest variation appears to be calls from your local police threatening arrest.
Scammers have defrauded Canadians out of tens of millions of dollars over the past decade pretending to be collecting back taxes with the Canada Revenue Agency — but police are warning of a new twist on the old scam.
The scammers are pretending to be officers with local police forces, investigators said.
The thieves are also using caller ID spoofing so it looks like the call is coming from a police phone number.
— CTV News
“Can You Hear Me?”
Your response to “Can you hear me?” or similar questions that elicit a positive response can be recorded and used as “proof” you ordered a product or service.
I answered the phone. They said: “Hi my name is Matt on a recorded line and I'm with Health Source. Can you hear me okay?” I said: “Yes” They then hung up.
— as reported to BBB.org
These are known scam techniques. Don't respond. Just hang up.
- They call early in the morning or late at night when you're less alert.
— This is illegal in Canada.
- They claim to be with Microsoft, the CRA, IRS, etc.
— This is called transfer of trust.
- They request that you confirm your account number or other details.
— That information will be used for identity theft.
- They ask for remote access to your computer to fix a virus.
— They will download and install malware or ransomware.
Remember, they called you! so it's their identity that is unconfirmed.
For more information, try these resources:
- The Canadian Anti-Fraud Centre lists the most common scams.
- What to expect when the Canada Revenue Agency contacts you.
- IRS tax scams & consumer alerts
- Spot a business or offer that sounds like a scam? BBB Scam Tracker.
- Spot a business or offer that sounds like a scam? Tell the Better Business Bureau about it.
Beware of “Computer Support” Calls
I'm calling from Microsoft…
No, they aren't. They are scamming you!
Just Hang Up!
ANY phone call from a “technical support” person saying that you have a problem with your computer is a SCAM! Just hang up.
If they had the ability look into your computer to see errors, they could have fixed them without calling you.
If you get such a call, don't panic. Stop and think it through.
The caller may attempt to “prove” they are legitimate by getting you to visit their website. Don't!
These callers are criminals regardless of what their website indicates and located in countries where prosecution is difficult or impossible.
Globally, about two-thirds of the respondents had encountered a technical support scam. About one in five had been duped -- allowed the scammer to continue his or her story -- and nearly one in 10 had actually given money to the fraudster.
They called you to tell you about problem you weren't experiencing.
What If It Was Legitimate?
If you have reason to believe the call is legitimate, hang up then look up the number from legitimate source such as a recent invoice or statement from that company then call them back using the number printed on those documents.
In most cases, the company won't know what you're talking about.
If it was a genuine support call, they will understand your reasons for hanging up.
Tech Support Scams are Costly
The caller will attempt to convince you that your computer needs fixing then charge you for this unnecessary “support call.”
Telephone scams return around $470 per call. Thanks to robocalling (automated calling), number finding technology, and fake caller IDs, scammers fool more people than ever before.
Given how much money the scam makes, and how little call centers pay (e.g., Indian call centers pay around $2 an hour), your decision to "keep them on the line" really isn't helping anyone.
The unspecified expenses will come later:
At first I hung up on this call, then he kept calling so finally I thought maybe this is legitimate. He proceeded to tell me my computer was at a security breach and he would clear it for me.
He also said he was from Microsoft and that it would not cost me any charges. After about 3 hours of calling back and forth I ended up $1,999.99 ripped off.
— as reported to BBB.org
What Actually Happens?
Most of these calls have two goals:
- To bill you excessively for unnecessary services.
- To gain access to your computer and steal your personal information.
They will make your computer less secure.
In addition to selling you bogus security software, the scammers will attempt to locate and download personal information that can later be used for profit.
When give the scammers access to your computer, they will download your personal information and data, including your passwords, banking info and other financial information. They use this data to steal money from you, potentially blackmail you, and even steal your identity.
One trick is to have the victim click on the Windows Key + R keyboard combination to bring up the Run command, then have them type in “msconfig” (they'll spell it out) to open System Configuration then click on the Services tab:
They scammer will point out the stopped Microsoft services, calling these “errors” and telling you that your computer is about to crash. It isn't.
This is NORMAL, but most users are confused by the use of the keyboard commands and immediately feel out of their depth.
They Want You to Panic
The use of this intimidating technique is intentional. The caller wants you to panic so that you follow their advice without thinking about it.
Now they'll get you to enter the same Windows Key + R keyboard combination, then www.google.com (which opens Google) and have you search for an older (insecure) version of TeamViewer.
Designed to Confuse
This is different that the way most users would approach a search by using their mouse to open their primary browser then enter a generalized search term that would bring up a current version of TeamViewer. Again, this is intentional and designed to confuse you.
NOW They Have Access to Your Computer
When installed, this insecure (vulnerable) program will provide the caller with remote access to your computer.
This older program lacks any of the newest security measures which makes your computer vulnerable to their attack on your system.
They Don't Know You
Remember, the caller has no advance information about your computer. All they have is their bag of tricks to try to scam you and access to your social media (watch what you post!).
- Never provide remote access to your computer via TeamViewer or any other product based upon a phone call, email or any unexpected popup warning on your computer.
- Never follow instructions to navigate to folders or type any instructions via your keyboard.
- Never provide nor confirm any personal or computer information (including passwords, software versions or serial numbers, credit card numbers, etc.).
- Never visit websites or install software suggested by an unknown caller.
Your best option is to hang up without saying goodbye and without following any of their instructions.
Providing Remote Access is Dangerous
My policy is to disable remote access for my clients and not provide remote service.
I don't want my clients trusting remote access because I serviced their computer remotely in the past.
Remote access or unknown software can allow the remote user to do ANYTHING on your computer, including installing nefarious software or stealing your personal information.
If you follow their advice, you'll waste your money on software that won't help protect your computer.
Worse, it will make your computer more vulnerable and you'll become a victim of identity theft for which you'll foot the bill.
Don't be a victim! Just hang up.
Have You Allowed Access to Your Computer?
If you fall for such a scam, immediately shut down the computer and call a local service technician you can trust.
Scammers cannot access your computer or its data if it is shut down.
Because you can never be certain that your computer is safe, you'll need to have the hard drive wiped then a clean install performed.
A service centre can perform these tasks safely (or you can hire me):
- The computer's drive can be removed and data can be recovered without turning on the computer.
- The drive can then be wiped, followed by a new installation of Windows (or macOS, Linux, etc.).
- Current security software can be then installed and updated to protect your computer and data.
- Data can then be restored.
- Programs can then be installed for which you can provide a licence.
Depending upon the service and their history with you, they may be able to do a more personalized install. Unfortunately, there is no way to simply clean up the computer and know that it is safe after scammers have had access.
I suggest you be very selective in what software you choose to restore to your newly cleaned computer or device.
Cleanup is Costly
Yes, this is going to cost you but at least you'll be able to minimize future potential damage caused by providing access to unknown parties. It cannot prevent the use of material already stolen during the time the scammer had remote access to your computer.
Microsoft estimated the cost of cleaning up after a successful scam at $875.00 (and that was in 2011). More on these sites:
- Report a technical support scam to Microsoft.
- Scammed by Wowser E Services? Here's what to do.
- Stay Safe Online's blog has tips and news about keeping your computer and family safe online.
- Tech support scams — from Microsoft.
- Protect yourself from tech support scams.
- Cold call tech support scams increasingly common.
- How to protect yourself from scammers (CRTC).
- ‘We're with Windows.’ The anatomy of a cold-calling scam.
- Avoiding tech support scams — from Microsoft.
- Listen to a scam computer virus call.
- 15% received a call (22% of those fell for the con).
Don't be the next victim! Just hang up.
If You've Become a Victim
If you become a victim, it will probably take you hundreds of hours and an average of $1,000 to recover from ID theft. Even worse, some innocent victims have ended up in prison because identity thieves have committed crimes in their names.
If you've fallen for one of these scams, don't be embarrassed. If you were the only victim, the crooks would be out of business.
Report the Crime
However, you do need to take some immediate measures to limit the damage, starting with reporting the crime.
Have Your Computer Checked
If your computer was accessed, take your computer to a trusted computer professional to assess the damage. Service personnel can look for the signs of problems but no one can guarantee the computer is clean under these circumstances.
In some cases the computer many need to have a clean install (data backed up, operating system and software reinstalled, data restored) to ensure the computer is not infected.
Change Your Passwords
Your passwords may be compromised. Notify the companies involved and immediately change ALL your passwords.
Notify Financial Institutions and Police
If you provided a credit card or banking details, you'll need to immediately notify those financial institutions.
Notify the police to report the potential identity theft and contact the Canadian Anti-Fraud Centre at 1-888-495-8501 to report that you've probably become the victim of identity theft.
Microsoft issued a warning on tech support scams:
- Be wary of any unsolicited phone call or pop-up message on your device.
- Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
- Do not call the number in a pop-up window on your device. Microsoft's error and warning messages NEVER include a phone number.
- Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
- If skeptical, take the person's information down and immediately report it to your local authorities.
Error Messages with Phone Numbers
NEVER call phone numbers listed in error messages. Instead call your local tech support person or hire me.
Legitimate Errors Lack Phone Numbers
Microsoft's warnings will NEVER include a phone number. Neither will Mozilla's.
If a recovery phone number is displayed, you're seeing a scam. NEVER call that number.
Unexpected Error Messages
Unexpected error messages like these or dire warnings are NEVER legitimate. They are generally malware designed to trap you into expensive service contracts that are scams.
More About Suspicious Popups
Beware of suspicious warnings or popups on websites and on your computer.
- You suddenly hear an audio-based warning that your computer has been infected. There doesn't seem to be any solution other than to follow the instructions.
- A website reports that your Windows licence key has been corrupted.
- A red box popup up stating that there is a Firefox critical error telling you to call a number.
- A blue screen appears stating that Microsoft Windows has detected some suspicious activities on your computer, listing an error code and a support number.
If you're having difficulty closing a popup, see popup warnings that won't go away for solutions.
Remote Infection Detection Unlikely
There is no current technology for websites to determine if your computer is infected with malware or viruses.
However, Microsoft and other agencies may run “honey-pot” programs that collect information about spam emails.
If your email is involved, they are unlikely to call or email you (they may disable your account at the server level).