Don't Answer the Phone: Inside a Real-Life Vishing Attack

It started with a phone call around 10:30 a.m. on a Tuesday from an unknown mobile number. I was working on my computer at home and usually don't answer phone calls from people I don't know. For some reason, I decided to stop what I was doing and take that call.

That was my first mistake in a series of several I would make over the next four hours, during which I was the victim of a vishing, or voice-phishing campaign. By the end of the ordeal, I had transferred nearly €5,000 (EUR) in funds from my bank account and in Bitcoin to the scammers. My bank was able to cancel most of the transfers; however, I lost €1,000 (EUR) that I had sent to the attackers' Bitcoin wallet.

Experts say it doesn't matter how much expertise you have in knowing the tactics attackers use or experience in spotting scams. The key to the attackers' success is something older than technology, as it lies in manipulating the very thing that makes us human: our emotions.

"Because we are so tech-centric, we forget that actually these scam tactics are old — predating even Internet scams — and very proven," says Richard Werner, cybersecurity advisor at Trend Micro. "They work with emotions. When they put us in the right mood and trigger anger or fear, we forget all the advice. In those cases, we lose common sense, and there's where [attackers] get us."

As a result, even a cybersecurity expert can fall for a scam, as Werner himself — a 20-year IT cybersecurity veteran — did. A phishing email with a Windows-support themed message arrived in his email just as he was struggling with the operating system not working properly on his machine. Luckily, it was a phishing training exercise that came from an internal source at his company, not one with high stakes.

But as someone who has written phishing exercises for employee training, Werner knows that everyone — from the IT department to human resources — has a trigger that makes them susceptible to a scam under the right set of circumstances.

Red Flags

The scam that tripped me up was one of the common vishing setups currently sweeping across the globe. Even though red flags were going off everywhere, I still stayed on the phone with the attackers for more than three hours and let them manipulate me.

"When it comes to looking at telltale signs that people are being scammed by a voice call, the main question to ask oneself is whether this is a usual method through which they would be contacted, is the person on the other end of the line asking them to do something that is out of the ordinary, is there a sense of urgency, and does it trigger a strong emotional reaction?" says Javvad Malik, lead security awareness advocate at security firm KnowBe4. "If so, then it's most likely to be a scam."

My scam had all of these hallmarks right from the beginning. When I answered the call, an automated message told me that my national identity card (I am based in Portugal) was used in criminal activity and that there was a warrant out for my arrest. If I wanted more information I should press 1. According to Werner, this should have been my first sign to hang up.

"Anything that has to do with technology cannot be trusted," Malik says. In this case, an automated message should have tipped me off. Both alarmed and curious by the pronouncement that I might be imminently arrested, I took the bait.

I was transferred to a man who identified himself as Marco Jose, an officer with the Portuguese GNR (National Republican Guard) in Lisbon. He gave me what he claimed was his badge number and then told me my identity had been used in connection to money laundering and drug trafficking. I answered his questions dutifully, giving up information about myself because I thought I was talking to an officer of the law.

The Setup

Marco went on to say that the police raided a home in Lisbon and found documents connected to numerous bank accounts opened in my name. He also said the police found an abandoned car that had been rented in my name connected to the case, for which he provided a case number.

As I was writing down what he said, questions were flying in my mind and mental alarm bells were going off. Even though I logically recognized his story was full of holes, my emotions were flying the plane at that point.

The very fact that law enforcement approached me via telephone should have made me hang up the phone. If they really were interested in me as a suspect, they would have come to speak to me in person, as a friend and former GNR officer later told me.

Indeed, if someone is contacted by someone claiming to be law enforcement, the best thing to do is say you will call back and hang up. Then look up the contact information for the agency; don't rely on the number provided by the caller, Werner advises.

Instead, I let Marco keep talking, too fast for me to interrupt. He said that even though he knew I was innocent, in the eyes of the law I was implicated in the criminal activity because it was my name and passport being used to conduct it.

I could clear my name by talking to his colleague with the international authorities managing the case and trying to catch the criminals, but only if I assisted the investigation in the way she instructed and followed her instructions carefully. I let Marco transfer the call to Dobra Volska, who claimed to work for the International Court of Justice.

This is where I took another wrong step, as this type of coercion should have alerted me that something was wrong. But my fear had gotten the best of me, and I panicked at the thought of losing even the modest amount of money I had in my two bank accounts. So I continued.

The Closer

Marco handled the setup, while Dobra was the closer.

Dobra's job was to emphasize that in 45 minutes — she was very specific — authorities would seize all bank accounts in my name that were associated with the alleged crimes, but that action would also affect my legitimate accounts, as well. To secure my "hard-earned" funds, she offered to create a "secure digital vault" for all of my assets. I was assured that the government would control the vault only for the time needed to seize the accounts, and that my money would be returned to me immediately after.

Over the next several hours, I did everything this woman told me to do, including sharing my laptop screen, making bank transfers, and downloading various applications — including an app called MoonPay in order to buy Bitcoin. I transferred the cryptocurrency to a wallet controlled by the criminals.

This urgency is yet another clue that I was being scammed, as KnowBe4's Malik says, but I was too frantic to recognize that.

"The scam is wrapped up by instilling a sense of urgency," Malik says. "It requires the victim to take action immediately and, by doing so, can create a sense of tunnel vision from which it becomes harder and harder for the victim to break out of."

That tunnel vision makes the victim unable to get out of the situation, even if he or she desperately wants to, Werner says. I kept asking Dobra to wait, that I needed to think; she reiterated we didn't have time, that we had to act now, and that my accounts would be seized if I didn't do as she said.

Twice I asked for verification that she was who she said she was. Both times, she had me hang up and her "colleague" called me from the actual number of the International Court of Justice in the Hague — clearly the phone number had been spoofed. As I persisted in asking questions and for time to think, Dobra's voice started getting louder and more insistent. At one point she went on a tirade of threats against me that was so vehement that I burst into tears.

"If the person on the phone does not understand that you need time to verify who they are or think it through, then that's a red flag," Werner warns. "Anyone well-meaning will say, 'Take your time, go to the next police station, call your bank,'" and give you time before taking any further action.

Isolate the Victim

Dobra also warned me not to tell anyone — not even friends or loved ones — what was happening because that might somehow implicate them as well in the crimes I supposedly committed. Even worse, they could be in on the scam.

I texted my longtime boyfriend during this ordeal but didn't give any details. I just said I was a victim of identity theft and it was turning into a nightmare. When Dobra warned me to not talk to anyone, I stopped messaging him. He later noted that if I had told him what was going on, he would have told me to hang up the phone immediately.

Had I followed my instincts and kept speaking with my boyfriend, I might have escaped the scam without losing any money, Werner says.

"In the middle of an attack, it's really about getting out of the situation immediately," he says. "Whatever you say, they will have an answer. So if you can, you should stop the situation, get out of it, and try to get someone involved that you trust."

No Shame in Being Gamed

Many parts of my story are similar to the hours-long vishing ordeal that recently ensnared New York Times reporter Charlotte Cowles, where she wound up placing $50,000 in cash in the backseat of a Mercedes being driven by one of the criminals.

She writes about the soul-crushing shame she felt later for having been tricked, something I also experienced in the days after I was scammed. I spent a couple of days beating myself up for doing something so stupid when I should have known better. After sharing my story with friends and acquaintances, I now know there are many victims.

Werner had words of comfort for anyone who has fallen for a vishing or other type of cybercriminal scam.

"Don't be ashamed of what happened," he says. "These [cybercriminals] are very organized. They know exactly how you would act on the other side and how you would act to get out of the situation."

The key advice for anyone — from cybersecurity professionals to people who have never heard of vishing — is to try to avoid even engaging from the outset, so the psychological games the scammers play can't be used against you, experts say. If someone receives a call that seems suspicious or even confusing, ask some questions first before answering or believing the story of the person calling.

Training people to spot all of the red flags that I ignored can help them avoid falling prey to compromise, as can advising them to contact someone in a corporate security team immediately if they receive a suspicious phone call or encounter unexpected online activity.

"It's important that employees are provided with easy and reliable methods to report any suspicious phone calls or other activities so that the security teams can get involved where needed," Malik says.