Vishing
Phishing Scams Now Use Phones Instead of Fake Websites
In a new twist, identity thieves are sending spam that warns victims that their bank or PayPal accounts were supposedly compromised. Nothing new so far.
However, unlike typical phishing emails, there is no website address in these phishing messages. Instead, the victim is urged to call a phone number to verify account details.
The automated voice message says: "Welcome to account verification. Please type your 16-digit card number."
The goal is to get the victim to enter their credit card number. In these reported scams, no mention of the bank or PayPal is made. You can see a sample scam email message, and hear an example of one of these scam voice messages by clicking on the Recording Link, at the Websense Security Lab site:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=534
What to do:
Never call a number you receive in a spam email, and certainly don't enter any private information if you do call by mistake. If you want to call your bank, use the normal phone number you regularly use, not the phone number you get in an email.
You can read more about this scam here:
http://www.eweek.com/article2/0,1895,1985966,00.asp
Vishing
From Wikipedia, the free encyclopedia
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing. Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP allows for caller ID spoofing, inexpensive, complex automated systems and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. Rather than provide any information, the consumer is advised to contact their bank or credit card company directly to verify the validity of the message.
Example
The criminal either configures a war dialer to call phone numbers in a given region or accesses a legitimate voice messaging company with a list of phone numbers stolen from a financial institution. When the victim answers the call, an automated recording, often generated with a text-to-speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent. When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the keypad.
Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account. The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.
(In a common variation, an email "phish" is sent instead of war-dialing: the victim is instructed to call the following phone number immediately, and credit card or bank account information is gathered.)
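A mail-triage heuristic for the email variation described above (account-warning wording, a callback number, and no website address), added here as an example and not part of the original articles. The keyword lists, sample messages and the allowlist of known bank numbers are constructed assumptions.

```python
import re

# Constructed vocabulary (assumption): account-warning and callback wording.
LURE_TERMS = ("account", "verify", "verification", "compromised",
              "unusual activity", "fraudulent", "credit card", "bank")
CALL_TERMS = ("call", "phone", "dial")

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# North American style numbers only: optional 1 prefix, area code, 7 digits.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def normalize_phone(raw):
    """Reduce a matched number to its last 10 digits for comparison."""
    return re.sub(r"\D", "", raw)[-10:]

def score_message(body, known_numbers=frozenset()):
    """Flag mail that warns about an account, asks for a call, has no URL,
    and gives a callback number that is not on the allowlist."""
    text = body.lower()
    urls = URL_RE.findall(body)
    phones = {normalize_phone(m) for m in PHONE_RE.findall(body)}
    unknown = sorted(phones - set(known_numbers))
    lure_hits = [t for t in LURE_TERMS if t in text]
    asks_to_call = any(re.search(rf"\b{t}\b", text) for t in CALL_TERMS)
    suspicious = (bool(unknown) and asks_to_call
                  and len(lure_hits) >= 2 and not urls)
    return {"suspicious": suspicious, "callback_numbers": unknown,
            "lure_terms": lure_hits, "urls": urls}

# Constructed sample messages (555-01xx numbers are reserved for fiction).
VISHING_SAMPLE = ("Dear customer, your bank account may have been compromised. "
                  "Please call 1-800-555-0142 immediately to verify your details.")
URL_PHISH_SAMPLE = ("Your account was compromised. Verify it at "
                    "http://bank.example/login today.")
KNOWN_BANK_SAMPLE = ("Your bank statement is ready. Questions about your "
                     "account? Call 800-555-0199.")
KNOWN_NUMBERS = {"8005550199"}  # assumed list of the bank's published numbers

if __name__ == "__main__":
    for name, msg in [("vishing", VISHING_SAMPLE), ("url phish", URL_PHISH_SAMPLE),
                      ("known number", KNOWN_BANK_SAMPLE)]:
        print(name, score_message(msg, KNOWN_NUMBERS))
```

Messages that do contain a URL are deliberately left to URL-based phishing filters; this check covers only the phone-callback case that those filters miss.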
