Philadelphia attorney Gary Schildhorn testified before a panel at the United States Senate recently, describing how he was a victim to a vishing scam. The details behind his story should serve as a warning to business leaders and savvy professionals, as no one is immune to these elaborate scams.
When Schildhorn was on his way to work as a corporate attorney when he received a troubling phone call, seemingly from his son.
“He was crying. He said, ‘Dad, I was in an accident. I hit another car being driven by a pregnant woman. My nose is broken. They arrested me, I’m in jail,’” Schildhorn recounted to the Senate panel.
Schildhorn said he had no reason to suspect it wasn’t his son on the other line, as it was his son’s voice. His son begged for help, saying he had been assigned a public defendant named Barry Goldstein that Schildhorn should call immediately. As an attorney, he was not alarmed by any of these legitimate-sounding legal proceedings laid out for him.
“I’m a father. I’m a lawyer. My son was in trouble, a pregnant woman was hurt, he’s in jail—I’m in action mode,” Schildhorn said.
This scenario is what cyber experts call social engineering, or the capitalization of human error by manipulating victims to give away money or information against their better judgment.
The next phone call he received after hanging up was from the “public defendant” Barry Goldstein. Goldstein repeated the same details Schildhorn’s son has just relayed. He added that Schildhorn’s son (Bret) had failed a breathalyzer test at the scene, leading to his arrest.
This seemed odd to Schildhorn, since this was out of character for Bret to drive under the influence. Goldstein explained it away, saying Bret had an energy drink before driving which may have led to the failed test.
Within minutes, Goldstein had Schildhorn prepared to wire the fraudulent public defendant $9,000 to bail his son out. Claiming to be on his way out of town soon, Goldstein created a sense of panic and urgency for Schildhorn to transfer the partial bond payment as soon as possible. Schildhorn’s fear and protective instincts to help his son nearly led him to send the money with no questions asked.
Just before wiring out the money, Schildhorn decided to reach out to another family member to tell them what was going on. This simple action began to reveal cracks in the story he had been told.
After reaching out to his daughter-in-law to contact Bret’s work to inform them, she reached out to the real Bret directly. Bret then video-called his father and let him know he was fine, and that his father had been scammed.
This elaborate vishing scam was specifically tailored to Schildhorn and his family. This should raise concern with anyone, regardless of how immune to scams people think they are.
“I have been involved in consumer fraud cases in my career, and I almost fell for this,” Schildhorn said.
Vishing is getting more and more sophisticated, and this case is a perfect example. Schildhorn’s scammers utilized many of the common tricks that vishing and other types of fraudulent attacks utilize, including:
The entire interaction between Schildhorn and the scammers only lasted around 2-5 minutes. That’s how quickly vishing attackers can trick you into sending money, giving them personal information, or compromising a business network.
However, Schildhorn did the right thing by reaching out to a third party. There are several other ways to fight against vishing scams, and here are a few of them.
The best way to tell if you’re speaking to the real person is to call, text or otherwise use an alternative method of contacting the person. If you get a troubling phone call similar to the one Schildhorn received, verifying that it is actually the person can separate scams and real-life emergencies.
Family emergencies do happen, so if it’s actually your loved one they will likely have no problem with you contacting them in a different way to verify.
Another way to verify if a phone call is real or vishing is to create a code word or phrase that only you and your loved one(s) know about. Asking for this code is a quick way to see if the person on the other line is really your loved one or a criminal looking to trick you with AI voice generation.
In Schilhorn’s case, his “son” insisted he could not be called back since he was calling from a phone at the jail and authorities had confiscated his device. This was a clever way to keep him from texting or calling his real son’s cell, which would give away the scam.
This is why even if you’re told not to, try the person’s cell phone anyway or call a third party before doing anything. Schildhorn calling another family member led to the scam to be revealed, and it can help you in the event of a potential vishing attack.
A simple way to avoid phone scams is to ignore or set your phone to send unknown numbers straight to voicemail. Some carriers also let you know if a call is from a legitimate source or from a possible spam number.
When vishing scammers call you, they will often tell you not to call them back due to the services they use to generate fake phone numbers. The bottom line is, if the number is not recognized by caller ID it should immediately raise suspicion.
To learn more about how to avoid falling victim to a vishing attack, read our blog: Ask The Expert: Vishing, Phishing, Smishing – What You Need to Know.
Learning about the common traits of cyber scams can help to protect yourself and your business. Using knowledge about these tricks can help you train your employees as well.
You should be conducting regular trainings on email safety including phishing training, and you can learn more about email security tips in our blog: Top 6 Email Security Tips for Employees (usherwood.com)
If enhancing your business’ cybersecurity seems confusing or overwhelming task to you, you’re not alone. Cyber criminals get better at what they do every day, so it is advisable to speak to an IT expert that can partner with you to create a plan. To speak to an experienced IT professional about getting a tech evaluation, click the button below.