Wednesday, April 23, 2008

VISHING: NEW EMAIL CON FOR BANK DETAILS

Good grief - whatever will they think of next


Vishing: New email con for bank details
Justin Cole
24 July 2006 at 04h21


Washington - Unknown fraudsters recently tried to steal bank account details from the customers of a California bank in a novel way, by sending account-holders emails asking them to telephone the bank.

Internet fraud dubbed phishing, where email recipients are directed to a fake website seeking their financial details, has been around for several years, but the California case represented the new scam of "vishing," according to government officials and security experts.

As opposed to phishing, so-called vishing relies on Voice over Internet Protocol (VoIP) telephony.


VoIP quirk
The perpetrators take advantage of a quirk in VoIP that allows subscribers to have a telephone number that appears to be based in a city, such as Los Angeles, even though they may be anywhere in the world.

"It's a fairly new phenomenon. We're aware of reports they have been occurring," said Lisa Hone, the assistant director of the Federal Trade Commission's Bureau of Consumer Protection.
The perpetrator or group behind the e-mails sent to customers of the Santa Barbara Bank and Trust in California last month have yet to be caught, but the bank has alerted its customers to the scam.

The email sent to the bank's customers preyed on potential victims by requesting they call an apparent local telephone number to clear up an account problem.

Any customers who called the telephone number would have heard a recorded message urging them to enter their account number, according to Internet security firm Websense.

Websense posted a copy of the fake email, with a link to the scam voice recording, on June 23.
Dan Hubbard, vice president for security research at Websense, said the group alerted the bank, a unit of Pacific Capital Bancorp.

Pacific Bancorp could not be reached for comment, but the bank's website has alerted its customers to the scheme.

Not as big
"It's definitely a new trend. It is growing, but it is not nearly as big as the threat of (fake) websites or criminal activity through malicious code, we're talking tens of thousands versus a handful," Hubbard said.

However, he said similar scams had been attempted against users of the online payments company PayPal, and on the online auction group eBay.

British-based Internet security firm Sophos issued an alert on July 7 about a vishing scheme targeting PayPal.

"As hackers get smarter we are likely to see them increasingly not only set up fake websites, but 'harvest' messages from corporate switchboard systems to appear even more like the legitimate company," said Graham Cluley, a senior technology consultant at Sophos.

Easy setup
A VoIP-based fraud can be set up fairly simply, according to security experts. There are relatively few companies that currently offer such Internet-based telephone services, and fewer checks are generally required compared to opening an account with a traditional telephone company.

Essentially, a fraudster signs up for a VoIP account, sets up a voice mail recorded message system - mimicking that of an actual bank or other company - and then mass emails consumers urging them to call the false number.

Hone said the scam, as in the California case, can appear legitimate to unsuspecting consumers because VoIP accounts can be set up with local telephone codes of a user's choice in a variety of cities or states.

"One VoIP account can have numbers all over the country, the code makes it look more real, and setup is easy," Hone said.

Meanwhile, US banks are constantly warning customers to be careful about divulging sensitive financial information.

"I'm not aware of any particular incident. Our security people continuously monitor what's going on in the market," said a Bank of America spokesperson.

The Federal Trade Commission's Hone added some pertinent advice: "Don't call telephone numbers sent to you in unsolicited emails." - AFP

No comments: