As a natural evolution of phishing—the method of tricking consumers into giving up their personal financial information using fake emails and web sites that look exactly like they are from real companies—Internet scammers are now switching to voice phishing or “vishing.”
Vishing combines the use of phones with clever social engineering to gain access to a victim’s personal and financial details.
With increased user education about Internet scams, people are more aware of the fact that an email containing a URL could be malicious in nature. So instead of stealing user information by using a misdirected web link to a phony banking site, fraudsters now are luring victims to something more credible, such as a toll-free phone number where an automated recording asks for account information.
Potential victims get the usual convincing email phish that looks like a genuine alert. But instead of being directed to a web site to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of an automated voice system, ostensibly for the financial institution, and are requested to enter their card number to authenticate themselves.
They are then led through a series of voice-prompted menus that ask for their PIN code, card expiration date, date of birth, and other critical information. Once the victim enters these details, the visher has enough information to commit identity theft or to make fraudulent use of the information.
McAfee® Labs has observed a surge in IRS refund phishing attempts. In addition to the usual email phish, we also observed IRS vishing campaigns targeting VISA or MasterCard debit cardholders:
[Image: Internal Revenue Service Notification Tax Refund]
Here’s another example of a vishing campaign that impersonates a well-known bank:
Other variants of vishing use CallerID spoofing so that an incoming call appears to come from a 1-800 number, or send an SMS message that appears to come from a reputable bank. A text or pre-recorded voice message then tells victims that their accounts have been frozen due to suspicious activity. Because the incoming call displays a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.
Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology that enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish vishing attempts from genuine attempts to contact customers.
If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution using only a telephone number obtained from your account statement, a telephone book, or other verifiable, genuine correspondence.