Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association, where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

Criminals have been using phones to try to scam people out of money or into disclosing personal information for years, and they have tended to find success with victims who were not very tech-savvy. Unfortunately, change is afoot. Today, the practice of making phone calls or leaving voice messages that purport to be from a legitimate company, in an attempt to persuade the callee into doing something that is not in their best interest, is known as vishing, a term that combines the words “voice” and “phishing.”

Vishing attacks take phone scams to a whole new level of sophistication by making the scam harder for even tech-savvy folks to recognize. In part, this is because criminals now have the ability to make it appear as if they are calling from any phone number they wish, in order to convince the callee that the call comes from an organization the callee would normally interact with. Making matters worse, the amount of information available on social media websites, coupled with the vast amount of personally identifiable information stolen in cyberbreaches like the one that occurred at Equifax, gives criminals all the information and tools they need to perpetrate a very convincing scam.

Perhaps an example is in order. Suppose you receive a call from someone claiming to be from your bank. The caller is quite pleasant and professional. She will tell you there has been some suspicious activity in your account, and she will also accurately provide a little personally identifiable information. Here’s a typical script: “I’m calling from [your bank]. Someone’s been using your debit card ending in 8774. I’ll need to verify your Social Security number, which ends in 3006. Is this correct? Now, if you will provide me with your full debit card information, we can stop this unauthorized activity.” If you were to receive such a call, how do you think you might respond? Let’s change the facts just a bit. The call was received by an employee at your firm, and the account of concern was the firm’s trust account. How do you think your employee might respond?

Here’s what’s actually going on. The number displayed on caller ID will be the correct phone number of your bank, but that information is misleading. The criminal uses a program that lets her display the bank’s number on your caller ID even though the call is placed from a different number. In addition, prior to calling you, she will have determined where you bank and gathered whatever personally identifiable information she could find on the Internet. Finally, by acting quite concerned and professional, she hopes to convince you she is the real deal. If she succeeds at that, the odds are good that you will assist her in accessing your account in order to remove the suspicious charges and authorize the sending of a replacement card. Should you in fact do so, you will have just turned over complete access to and control of your hard-earned money to someone else. And again, if the attack successfully targets a firm employee and the firm’s trust account, things are going to be a whole lot worse.

There are a number of steps one can take to avoid falling prey to these types of scams, but the most important one is this: just because someone has personal information about you doesn’t mean you can trust them, so never volunteer information or assist someone in accessing any account, financial or otherwise, if you didn’t initiate the call. The best course of action is to say thank you, tell them you will call back, hang up, and call the bank yourself, using a number you already know to be the bank’s, in order to determine whether something is amiss. Now that you know, make sure everyone else at your firm knows as well.