
'Vishing' scams use your telephone to hook you

Advice on how not to get burned by this newest form of ID theft


Clever con artists

August 1, 2006: Scammers who spend their days trying to steal your identity have come up with something new. They’ve combined the Internet with the telephone to create what fraud fighters call voice phishing or vishing.


By Herb Weisbaum
msnbc.com contributor
updated 8:14 p.m. ET Aug. 1, 2006


The bad guys who want to steal your personal information have added a new twist to the “phishing” scam. They’re now using the telephone to capture your account numbers and PIN codes. Fraud fighters call it “voice phishing” or “vishing” for short.

Both scams start the same way, with a bogus e-mail made to look like it’s from your bank, financial institution or a trusted e-commerce site, such as eBay. It says there’s a problem, your account has been disabled and you need to contact them right away to get it running again.


A phisher tells you to click a hyperlink contained in the e-mail – which takes you to a bogus Web site that will harvest your account information. In the new scam, the visher’s e-mail tells you to call a phone number set up to do the dirty work.

In most cases, an automated response system answers the call and tells you to punch in the data the visher wants.

“It is very clever and a bit alarming,” says Bill Rosenkrantz, director of consumer products at the Symantec Corporation, a leading information security company. The fraudsters hope to fool people who know not to click a link in an unsolicited email that asks for personal information. Making a call might seem like the safe thing to do if you don’t realize that number goes to a crook.

Scams need to evolve
Phishing continues to be the number one scam on the Internet. The Gartner Group, a major technology research company, puts last year’s loss at $929 million. The good news is phishing is less effective than it used to be. “The value of phishing is slipping,” says Adam O’Donnell, a senior research scientist at Cloudmark, a messaging security company in San Francisco.

Fewer people are falling for the scam and companies whose names are being spoofed are able to get the phisher’s bogus Web sites taken down very quickly. “So the time put into launching a phishing attack doesn’t have the same payback,” O’Donnell says. That’s why the scam needed to be tweaked.

One of the most recent vishing attacks took place just a few weeks ago. It targeted the customers of Santa Barbara Bank & Trust, a small community bank in Southern California.

It was a simple text message that was made to look like it came from the bank’s online customer service department:

“After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure.

Call this phone number (1-805-xxx-xxxx) to verify your account and your identity.”

Those who fell for the pitch and dialed the number heard a simple automated message that said, “Welcome to account verification. Please type your 16-digit card number.” Since we’re commonly asked to punch in account numbers when we deal with financial institutions over the phone, this would not necessarily seem suspicious.

“Their e-mail blast shows a new level of sophistication,” says Paul Roberts, a senior editor at InfoWorld magazine. “It was targeted to people in the bank’s 805 area code. The phone number people were asked to call was also an 805 number.” “You’d have to be pretty suspicious not to fall for that one,” he says.

Santa Barbara Bank & Trust is working with the FBI to find out who did this. FBI spokesperson Laura Eimiller tells me they have traced the scheme to computers “inside and outside the U.S.” No arrests have been made. It is not known how much money, if any, has been lost.

