The bad guys who want to steal your personal information have added a new twist to the “phishing” scam. They’re now using the telephone to capture your account numbers and PIN codes. Fraud fighters call it “voice phishing” or “vishing” for short.
Both scams start the same way, with a bogus e-mail made to look like it’s from your bank, financial institution or a trusted e-commerce site, such as eBay. It says there’s a problem, your account has been disabled and you need to contact them right away to get it running again.
A phisher tells you to click a hyperlink contained in the e-mail – which takes you to a bogus Web site that will harvest your account information. In the new scam, the visher’s e-mail tells you to call a phone number set up to do the dirty work.
In most cases, an automated response system answers the call and tells you to punch in the data the visher wants.
“It is very clever and a bit alarming,” says Bill Rosenkrantz, director of consumer products at the Symantec Corporation, a leading information security company. The fraudsters hope to fool people who know not to click a link in an unsolicited email that asks for personal information. Making a call might seem like the safe thing to do if you don’t realize that number goes to a crook.
Scams need to evolve
Phishing continues to be the number one scam on the Internet. The Gartner Group, a major technology research company, puts last year’s loss at $929 million. The good news is phishing is less effective than it used to be. “The value of phishing is slipping,” says Adam O’Donnell, a senior research scientist at Cloudmark, a messaging security company in San Francisco.
Fewer people are falling for the scam and companies whose names are being spoofed are able to get the phisher’s bogus Web sites taken down very quickly. “So the time put into launching a phishing attack doesn’t have the same payback,” O’Donnell says. That’s why the scam needed to be tweaked.
One of the most recent vishing attacks took place just a few weeks ago. It targeted the customers of Santa Barbara Bank & Trust, a small community bank in Southern California.
It was a simple text message that was made to look like it came from the bank’s online customer service department:
“After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure.
Call this phone number (1-805-xxx-xxxx) to verify your account and your identity.”
Those who fell for the pitch and dialed the number heard a simple automated message that said, “Welcome to account verification. Please type your 16-digit card number.” Since we’re commonly asked to punch in account numbers when we deal with financial institutions over the phone, this would not necessarily seem suspicious.
“Their e-mail blast shows a new level of sophistication,” says Paul Roberts, a senior editor at InfoWorld magazine. “It was targeted to people in the bank’s 805 area code. The phone number people were asked to call was also an 805 number.” “You’d have to be pretty suspicious not to fall for that one,” he says.
Santa Barbara Bank & Trust is working with the FBI to find out who did this. FBI spokesperson Laura Eimiller tells me they have traced the scheme to computers “inside and outside the U.S.” No arrests have been made. It is not known how much money, if any, has been lost.
Vishing is new and expected to grow. “In the last few weeks, we’ve seen increased attacks,” says Symantec’s Rosenkrantz. “We’ve seen attacks on local and national banks, as well as some online companies.”
Cloudmark’s O’Donnell also expects vishing to take off. “Once a con artist figures out a new way to pull off a scam, it tends to spread very quickly,” he says.
PayPal is one of the big companies being targeted. Sara Bettencourt, a company spokesperson, reminds customers that PayPal “will never ask for your full credit card number or account information via an automated system.”
If you receive one of these bogus PayPal emails you can forward it to email@example.com.
Bad guys are tech savvy
Internet telephone service makes it simple for scammers to get started and harder for them to be detected. It’s very easy to establish a Voice over Internet Protocol (VoIP) phone number very quickly without the same verification that’s required for a traditional phone line.
“You can be in Russia and get a local area code phone number in Seattle very quickly,” Rosenkrantz explains. Victims who call that “local” number have no idea they’re being routed to a distant location via the Internet.
“Use your common sense,” advises Patti Poss, an attorney with the Federal Trade Commission. “What would you do if you were on the street and someone came up to you and asked for your credit card number? You wouldn’t do that!”
Likewise, you should never respond to an unsolicited email that asks for personal information. Don’t click a link. Don’t call a phone number.
If you want to find out if an email from a company you do business with is legitimate, contact them in a way you know is safe. If you call, use the phone number on your account statement. If you go to their Web site, type the URL in the address bar yourself; don’t click a hyperlink.
Before you share any personal information, stop and verify. Because if you do give it up to a con artist, it’s gone, and there’s no way to get it back.