Hold on to your data: New phishing scam uses phones
By Jon Swartz
USA Today
SAN FRANCISCO — And consumers thought they were safe by not clicking on links in unsolicited e-mails.
Now comes a new batch of phishing scams that rely on an old tool — the phone — to trick people into giving away their personal information.
Vishing — short for voice phishing — is one of the latest iterations of phishing, a long-running e-mail scam that instructs recipients to click a link in the e-mail to confirm data such as their Social Security number and credit card number. But the link is really connected to a bogus Web site where the data are stolen.
Vishing has emerged as a new threat with the rise of Voice over Internet Protocol, technology that allows cheap and anonymous Internet calls.
The new batch of e-mails appears to come from PayPal, eBay's online payment service, and — like most phishing e-mails — they warn the recipients about a problem with their account. An e-mail advises victims to call a number to verify basic data. But the number is actually recording data with the intent to steal it. The information often winds up on cybercrime forums, Web sites that function as digital marketplaces for stolen personal data.
Some vishing attacks don't even begin with an e-mail. They come as calls out of the blue in which the caller already knows the recipient's credit card number, and asks for the three-digit security code on the back of the card.
"Hackers are moving away from the Web and using something victims are more comfortable with: making a call," said Paul Henry, vice president of technology evangelism at Secure Computing. "Consumers are programmed to enter in information on the phone. It's a natural evolution of phishing."
In the ruthless world of phishing, there is no shortage of sophisticated ruses for pulling a digital fast one on consumers. Consider:
Incidents have soared as attacks become more sophisticated and evolve every few months, says Dennis Maicon, executive vice president of financial services solutions at computer-security firm Digital Resolve.
And the victims are no longer just the usual targets, including customers of AOL, eBay, PayPal, Citibank and Bank of America.
Early this year, phishers began preying on customers of regional banks and credit unions.
"As large banks improve their computer defenses, phishers are moving downstream to smaller banks that don't have the same level of security," says George Tubin, a senior analyst at researcher TowerGroup.
The deceptive e-mail messages and Web sites have also gotten much craftier. One recent phishing attempt actually warned customers about phishing and asked them to update their information for security reasons. To assure wary users, the legitimate 800 phone number of a targeted company was included in the e-mail.
In others, customer names and addresses routinely appear. Previously, scams were addressed to "Dear valued (company name) member."
"This is slick stuff," says Ron O'Brien, senior security analyst at computer-security firm Sophos. "But as long as it works, expect more."