Tuesday, July 18, 2006

Vishing - The New Way to Lose Your Identity

The security media is reporting a new scam called "vishing," ( phishing by telephone). In vishing, a person is called, or directed to call a number and tricked into giving up their personal details. Note that the call might have someone give up information over the telephone, or direct them to a fraudulent website (like they do in phishing). The intent of these (vishing) scams is to steal personal information, which are used in "identity theft" schemes.

Of course using the telephone to rip-off people is nothing new. Telemarketing scams have been around for years.

The lures used to "dupe" innocent people are normally the same ones used in phishing, like telling you an account has been compromised. It's even possible they might already have some of your information (a lot of it has already been compromised) and be trying to get a credit card's CVC code, or obtain a password to an account.

According to a recent BBC article, the recent bouts with "vishing" started with spam e-mails directing someone to call a number, where they would be prompted to give up personal information. The scam has now mutated (they always do) and now people are being called by "autodialers," which dial number after number and leave a recorded message.

The rise in popularity of Voice over Internet Protocol (VoIP) is being cited by security experts as the reason why vishing is becoming a problem. VoIP has made calling long distance cheap, which means that vishing crosses borders; making it hard to trace and or prosecute.

The BBC article also states that it is relatively easy to spoof "caller-id" with VoIP. Security Focus recently did an article that supports this contention. In the article, a hacker easily showed the reporter how it was done.

For anyone unfamiliar with "spoofing caller id," fraudsters aren't the only ones who do it. In fact, many legitimate corporations use "caller id spoofing services" to trick people (my own words) into picking up the telephone.

For a post, I wrote about this, link here.

So far as how to protect yourself from this sort of scam, I would highly recommend that if you receive any telephone calls (or a e-communication to call a number) asking you to "verify" personal, or financial information that you take a "deep breath" before proceeding. Most of us have access to legitimate telephone numbers with places we do business with. The key to protecting yourself is to always verify who you are talking to and make sure they are entitled to the information in question.

And remember that since "vishing" is relatively new, financial institutions might now be the only organizations impersonated. The history of phishing tells us that sometimes government institutions are also impersonated. In the past couple of years, we have seen the IRS and even the FBI impersonated in phishing schemes. As a matter of fact in October, 2005 - I did a post on the Jury Duty Scam - where fraudsters (we might now term as "vishers") were calling up to verify personal information.

Maybe "vishing" isn't as new as we thought it was?


cary said...

The only thing new is the term used to call these scumbags what they are.

My peeve is the auto-dialer; that invention needs to be returned to the special circle of h*ll from whence it came.

michael webster said...

You don't leave your car keys in the car, your don't leave your house keys in the front door, so why do you leave your telephone unlocked? Buy an answering machine, and don't respond to telephone calls before thinking about your response.

Ed Dickson said...

Cary and Michael -

Words of wisdom and I agree!

Anonymous said...

It never ceases to amaze me that people even *talk* to strangers on the telephone.

If somebody calls me, I don't even let them get to first base. As soon as it's aparent that I don't know them, I ask "Are you a telephone solicitor?".

If they anser "Yes", end of game.

If they answer "No", as soon as it becomes apparent that they are I just unload on them.

I'm always disappointed when the media does a piece on telephone solicitors and fails to include the seemingly-obvious advice: simply don't talk to *anybody* you do don't know - and don't be apoligitic about it.