Imagine calling the hotline of a booking platform or credit provider, talking to a member of staff, giving them your details, and then discovering afterwards that the whole thing was faked. What a nightmare! But that's exactly what happened to AXA customer Laura Zanetti.
Laura Zanetti* from Zurich and her friend Manuela Wyler had been looking forward to two weeks of sunshine, beaches, and surfing in Fuerteventura for months, but Manuela's purse, containing her identity card, was stolen on a tram just a few days before they were due to fly.
Laura Zanetti called what she thought was an airline's hotline to ask whether her friend could still fly from Zurich to Fuerteventura without her ID. The person she spoke to asked her to download an app so that she could enter her details easily and safely. She did so and uploaded a photo of her own ID as well as providing bank details and other personal information.
"I didn't get suspicious at any point. The person I spoke to was very friendly and willing to help, and the app worked perfectly. I found it totally plausible that you should have to provide certain information if you want to fly with no ID."
What the 29-year-old didn't know was that cybercriminals had posted a fake phone number online, claiming that it was the airline's hotline. The supposed call center employee then asked her to enter her details in a fake app.
The fraudsters didn't waste any time. While Laura was still on the phone, they transferred money from her bank account to a crypto wallet they had opened in their own name. A second crypto account was opened on Ramp in Laura's name, but no money was transferred to it.
Fortunately, Laura has personal cyber insurance. AXA helped her to report the theft to the police and shut down the fake crypto accounts, among other things, and also covered the financial loss of CHF 4,781 (less a deductible of CHF 200).
*The customer's name has been changed at her request but is known to AXA.
How did you support Laura Zanetti in this case?
First of all, I advised her to order a new identity card because there's a high risk in cases like this that the victim's identity will be misused for fraudulent activity on the darknet. I also recommended reporting the case to the police and pressing charges as well as requesting a new credit card and having the old one blocked with immediate effect. She should definitely set up two-factor authentication for the new card. I reported the fake accounts on the crypto wallet services MoonPay and Ramp straight away and managed to get them shut down on Ms. Zanetti's behalf.
I also helped Ms. Zanetti to report the fraud to her bank. Professional support and a certain amount of persistence can be really useful here. Banks tend to refuse any liability if they can get away with claiming that the customer was negligent.
Vishing is a form of fraud in which criminals use phone calls to steal personal information from their victims. The term "vishing" is a combination of the words "voice" and "phishing", a type of e-mail and text message fraud.
The personal information obtained – such as bank details, credit card numbers, identity cards, and logins – is used for financial gain.
Psychological support is important too. How can you help in this respect?
Anyone who finds themselves in this kind of situation wonders how they could have fallen for the scam, why their suspicions weren't aroused, and why the cybercriminals chose them of all people. I analyzed this case together with Laura Zanetti and was able to explain how the criminals had duped her and help her feel a little less guilty about the whole thing. She really appreciated this support.
I talked to her about prevention a few days later and made her aware of the various types of phishing, smishing, and above all vishing. These kinds of scams are constantly changing and becoming ever more sophisticated, and there's no end in sight.
We ended up covering the entire financial loss Ms. Zanetti had suffered, which came to CHF 4,781 (less a deductible of CHF 200). I was especially pleased for her because the decision to pay out on her claim was made before her vacation.
How exactly does vishing work?
In technical terms, vishing involves fraudsters using the phone network or VoIP (voice over IP or Internet telephony) technology to hide their true identity and phone number. By making it look like they're calling from a number that isn't linked to their IP address, they can make lots of cheap VoIP calls and potentially harvest a large quantity of data.
Which emotional tactics do fraudsters employ for this voice-based phishing?
The criminals often invent a back-story designed to appear plausible to the victim and prompt them to take immediate action, which usually involves handing over sensitive information. This targeted personal manipulation, employing psychological tricks that exploit typical human behavior, is known as social engineering.
There are a number of different types of vishing scam, but they all follow a similar pattern:
The criminals can use various techniques, including fake phone numbers, pretending to be from an institution that's well known, and making up convincing stories in order to gain their victims' trust. They might also apply pressure and set up scenarios in which immediate action is needed, so their victims feel compelled to respond quickly and give out their information.
How can you protect yourself against vishing?
It's important to be vigilant and never disclose personal or financial information over the phone unless you're absolutely sure you can trust the person you're talking to. If you have any doubts, it's advisable to find the official phone number of the company in question and call it directly to check whether the caller is legitimate.
Genuine organizations will never ask you to provide personal information like passwords and credit card or social security numbers over the phone.
You should also check calls from unknown numbers by searching for the number, and then block it and report it to your phone provider if necessary. Attempted fraud cases can additionally be reported to the National Cyber Security Centre so that other potential victims can be warned and investigations carried out.
At AXA Cyber Prevention Services, we believe that prevention is very important and warn our customers regularly about the latest scams to keep them one step ahead of everyone else.