A new mutation of the old phishing scam has recently surfaced. Like thousands of previous phishing e-mails, this bogus bank notice asks for your personal information. But in a strange and novel twist, it tries to turn your own phone against you.
The e-mail I saw appears to be from Bank of America. “During our regular update and verification we could not verify your current phone number,” it says. You are told to confirm your phone number right away “or your account will be suspended indefinitely.”
Then you’re instructed to forward your phone to the number provided. It’s supposedly the phone number for the bank’s security department. “Bank of America will verify your phone number and will disable call forward within 20 minutes,” the e-mail says.
Don’t do it! Don’t do any of it. This e-mail is not from Bank of America and that number does not go to their security department. It’s a Skype number that goes straight to the identity thieves, who can be anywhere in the world.
This new phishing scam was spotted by Mal-Aware.org, a group that focuses on malicious activity on the Web.
“This is the first one we’ve seen that is specifically focusing on forwarding your phone number,” says Mal-Aware’s founder, Lance James.
If this new twist works, James says we’ll see similar messages pretending to be from other financial institutions asking people to forward their phone number.
After an identity thief steals your credit card number, he needs a way to make money with it. He can charge things or sell the number for others to use. In either case, once the charges start piling up on your account, the bank’s computers are likely to flag these abnormal or “out of profile” transactions and alert the fraud department.
If the bank calls to find out if you’re really making all of these purchases and your phone number is forwarded to the bad guys, the crooks can pretend to be you and say everything is OK. It buys them more time to run up the tab before the card is shut down.
Mal-Aware’s Lance James tells me there’s another way a credit card hijacker can make money with your account number. They can use it to wire money to themselves or an accomplice.
When the ID thief calls Western Union or some other wire transfer service, he’ll use caller ID spoofing to fake your phone number. In other words, it will look like the call is coming from your phone. When the money transfer service calls to verify the transaction, as many now do, they’ll call your number, which is forwarded to the crooks, who will approve the transfer.
The Anti-Phishing Working Group, a consortium of hundreds of banks, e-tailers, technology companies and government agencies, warns that a growing number of phishing attacks are being designed to steal your personal information by downloading crime-ware onto your computer. They do that when you click the link that’s embedded in the phisher’s e-mail message, the one that’s supposed to take you to the financial institution’s Web site.
“If they can get this software onto your computer, they don’t have to work so hard to fool you,” explains the APWG’s Secretary General Peter Cassidy. They can monitor your online transactions and snag what they want without your knowledge.
“If the crime-ware recognizes a bank that’s a target of their interest, it will intercept the user’s name and password,” Cassidy says. “The crime-ware can literally take what the phishers need to propel their enterprise.”
Cassidy says APWG has now seen malicious software that can scan a user’s name and password for more than 350 different financial institutions.
How can you protect yourself?
Phisher scams continue to flourish because they work. They work because they catch you off guard and go for your gut.
“It’s not a stupid person, it’s a distracted person,” Cassidy says. “It’s a person who’s tired, who’s been jumped with something that looks really good and is hard to tell from the real thing.”
To fight back, you need to slow down a bit when you’re asked to rush and do something potentially dangerous, such as transmit your personal information.
“If someone wants you to go fast, ask why,” Cassidy urges. “Ask what would they gain from that?”
If you get an e-mail that seems a little strange and you want to find out what’s really going on, go to the real company’s Web site and contact customer service or the fraud department.
Don’t use a link in an e-mail. It could take you to a bogus site that looks just like the real one. Type in the URL yourself.
Don’t use a phone number provided in an e-mail. It could be a fake. If you decide to call the bank or financial institution, look up the number yourself.
Remember: If you fill out a form with your personal information and click “submit” it’s gone, and there’s no taking it back once you realize you’ve been scammed.
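Added example, not from the original column: a small Python triage script that scores an e-mail for the signals this scam relies on (pressure to act fast, a demand to verify your phone number, an instruction to forward your phone, and a phone number supplied in the message). The patterns, weights, threshold and sample messages are constructed for this example.

```python
import re

# Signals taken from the lure described above: pressure to act fast, a demand to
# verify your phone number, an instruction to forward your phone, and a phone
# number supplied in the message itself. Patterns, weights and threshold are
# this example's own assumptions, not a vendor rule set.
URGENCY = re.compile(
    r"\b(?:right away|immediately|within \d+ (?:minutes|hours)|(?:will be )?suspended)\b", re.I)
VERIFY = re.compile(
    r"\b(?:verify|confirm|update) (?:your )?(?:current )?(?:phone number|account|information)\b", re.I)
CALL_FORWARD = re.compile(
    r"\b(?:forward (?:your|the) (?:phone|calls?|number)|call forward(?:ing)?)\b", re.I)
PHONE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")  # North American-style numbers only

# (pattern, weight, explanation); the call-forwarding instruction alone is decisive.
SIGNALS = [
    (CALL_FORWARD, 3, "tells you to forward your phone to a number it chose"),
    (URGENCY, 1, "pressures you to act right away or lose the account"),
    (VERIFY, 1, "asks you to verify or confirm personal details"),
    (PHONE, 1, "supplies a phone number instead of letting you look one up"),
]
THRESHOLD = 3


def score_message(body: str) -> tuple[int, list[str]]:
    """Return the total weight of matched signals and one reason per match."""
    score, reasons = 0, []
    for pattern, weight, why in SIGNALS:
        if pattern.search(body):
            score += weight
            reasons.append(why)
    return score, reasons


def is_call_forwarding_phish(body: str) -> bool:
    return score_message(body)[0] >= THRESHOLD


# Constructed samples: the first is modeled on the wording quoted in the column,
# with a fictional phone number; the second is an ordinary statement notice.
PHISH_SAMPLE = (
    "During our regular update and verification we could not verify your current "
    "phone number. Confirm your phone number right away or your account will be "
    "suspended indefinitely. Forward your phone to (202) 555-0143, our security "
    "department. We will verify your number and disable call forward within 20 minutes."
)
LEGIT_SAMPLE = "Your monthly statement is ready. Sign in the way you normally do to view it."

if __name__ == "__main__":
    for label, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_message(body)
        print(f"{label}: score={score} phish={is_call_forwarding_phish(body)} {reasons}")
```

The score is only a triage aid; the decisive check remains the one the column gives: look the bank’s number up yourself and call that.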