Monday, December 03, 2007

Watch Out For "Vishing", Another Form Of Cyberfraud


While this story did not take place in Alaska, it very well could occur here or anywhere else. It's a story about "vishing".

What is "vishing", you ask? According to Wikipedia, Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing. Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP allows for caller ID spoofing, inexpensive, complex automated systems and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

In this case, the "vishers" are manipulating caller ID to trick you. The story took place in Utah, and is being reported by KSL Channel 5 in Salt Lake City.

To make the call look real, the scammer spoofs the number shown on your caller ID. So even though a call appears to come from, say, First National Bank Alaska or Mountain America Credit Union, it could in fact be from someone else.

The number 325-6292 showed up on Kim Cowdell's caller ID on Friday night (November 30th, 2007). When he answered, he got a prerecorded message claiming it was Mountain America Credit Union's Fraud Department. The message said, "Your account has been deactivated or frozen. Please call this 800 number to reactivate your cards."

Instead of calling the 800 number though, he called back the number that came up on his caller ID. And guess what? It was the real Mountain America Credit Union. The lady he talked to explained they'd been getting a number of calls, and that it was a scam.

Then he got another call from that same number telling him to once again call the 800 number. This time he called the 800 number, and got the following recorded message: "Please enter your 16-digit card number." Cowdell says, "So I put in some bogus numbers just to see what it would do." After he'd entered the phony card number and a fake expiration date, the prompt said, "Thank you. Your card has been reactivated." [Ed. Note: Not sure if giving the scammer a fake 16-digit number is a good idea. What might be a fake number to you might be someone else's real number.]

Mountain America got more than 150 calls Friday night. They immediately worked with local agencies and telecom carriers to get the site shut down.

Mountain America says it's important for consumers to understand that financial institutions have no need to solicit information they already have. Tony Rasmussen, with Mountain America Credit Union, says, "It's not uncommon for fraudsters to work after hours or on weekends because it makes it harder for consumers to contact their trusted partner. If you're being asked for any personal or sensitive account information, don't respond."

It's also a good idea to call your financial institution on a number you normally use or go into a branch to see if they are aware of any scams. This advice applies anywhere, anytime. Repeat: financial institutions HAVE NO NEED to solicit information they already have.

The Wikipedia article also describes a typical technical sequence on how vishing works:

(1). The criminal configures either a war dialer to call phone numbers in a given region or accesses a legitimate voice messaging company with a list of phone numbers stolen from a financial institution.

(2). When the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.

(3). When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

(4). Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account.

(5). The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.

(In a common variation, an e-mail "phish" is sent instead of war-dialing - the victim is instructed to call the following phone number immediately and credit card or bank account information is gathered)
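The safeguard this sequence points to, as an added example (not from the original post or from Wikipedia): treat caller ID as unverified display text and compare any callback number in the message against numbers you already hold. The trusted directory, the 800 number (a 555-01xx placeholder) and the keyword list are assumptions constructed for illustration; 325-6292 is the caller ID from the story.

```python
import re

# Constructed sample data. The trusted directory stands for numbers the
# customer already has (card back, statement). The 800 number is a made-up
# placeholder; the story does not give the real one.
TRUSTED = {"Mountain America Credit Union": {"3256292"}}
SAMPLE_CALLER_ID = "325-6292"
SAMPLE_MESSAGE = ("This is Mountain America Credit Union's Fraud Department. "
                  "Your account has been deactivated or frozen. Please call "
                  "1-800-555-0199 to reactivate your cards.")

# US-style numbers with optional country code and area code.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?(?:\(?\d{3}\)?[\s.-]?)?\d{3}[\s.-]?\d{4}(?!\d)")
# Hypothetical keyword list for urgency or credential requests.
PRESSURE = ("deactivated", "frozen", "suspended", "reactivate", "card number")

def normalize(number):
    """Reduce a phone number to digits, dropping a leading US country code."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def assess_call(caller_id, message, trusted=TRUSTED):
    """Return (verdict, reasons) for a recorded message.

    Caller ID is never taken as proof of origin; only the trusted
    directory decides whether a callback number is acceptable.
    """
    known = set().union(*trusted.values())
    callbacks = {normalize(m) for m in PHONE_RE.findall(message)}
    unknown = sorted(callbacks - known)
    reasons = []
    if unknown:
        reasons.append("callback number not in trusted directory: "
                       + ", ".join(unknown))
    hits = [w for w in PRESSURE if w in message.lower()]
    if hits:
        reasons.append("urgency or credential language: " + ", ".join(hits))
    if normalize(caller_id) in known and unknown:
        reasons.append("caller ID shows a trusted number but the message "
                       "redirects elsewhere (consistent with spoofing)")
    return ("suspicious" if unknown else "no redirect found"), reasons
```
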

Back in February 2007, the FBI published an article describing this scam. They advise that if you think you are a victim of "vishing", or for that matter, any other type of cybercrime, report it to the Internet Crime Center.
