on Mar 13th, 2008
Phishing goes Vocal
With users getting wise to phishing tricks, thieves are finding new ways to steal from you! Just as Internet users have started to learn not to divulge confidential information on websites, phishers are moving into new, uncharted territory with their newest weapon: “vishing”, as in “voice phishing”.
It uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information and private data. Here’s how “vishing” works and how you can protect yourself against it.
The old-fashioned email phishing
We all know about regular email phishing: hackers send mass email messages announcing an “urgent account problem” with some service provider (usually a well-known bank, ISP or merchant).
Recipients are then asked to visit a particular website to clear up the problem. Of course, those who are not customers of the service in question will ignore the email. But a fraction of recipients who are concerned will click on the suggested link to go to the service provider’s website.
The site may seem legitimate, but it is actually a fake. The link in the email was booby-trapped: it displays a legitimate destination but redirects to a server owned by the hackers. When asked to “confirm” confidential data (usually an account login and password) on the fake site, users are in fact handing the information to the hackers. This account information is immediately stolen and used to commit ID fraud.
Playing phone games
That is regular email phishing. Creative thieves are now switching their efforts to “vishing” by exploiting new Internet-based phone services:
- Thieves use email or automated phone messages to notify consumers of “account problems.”
- Recipients are prompted to call a toll-free number to resolve the problem.
- When victims call, they hear what sounds like a legitimate automated phone message.
- Victims are asked to provide account numbers, passwords or Social Security numbers, which are then sold on the Internet and used to commit identity fraud.
People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical. Moreover, vishing mimics the legitimate ways people interact with their financial institutions. So victims are more likely to respond without hesitation to a vishing trap.
Here is how VoIP service makes such attacks easier and more cost-effective for hackers:
- Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost.
- Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses—even matching the on-hold music.
- Traditional anti-phishing tools cannot easily detect a false telephone number within an email text, so protection against vishing is up to the user.
How to protect yourself
- Common sense is the only true universal weapon when ID theft is involved!
- Never respond to an email or voice mail that asks you to go to a website or to call a phone number to resolve an account problem. These are never legitimate.
- If there is any question, call the institution at a number you know is genuine – either one found on the regular website (after having entered the address yourself!) or in the Yellow Pages.
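One way to automate the "only call a number you know is genuine" rule in a mail filter, as an added example that is not part of the original article: extract every callback number from a message and flag any that is not on a list you verified yourself. The allowlist, the sample email and all function names are constructed for illustration, and the pattern only covers North American style numbers.

```python
import re

# Numbers you verified yourself (typed the institution's address by hand, or
# read the number off a card or statement). Constructed sample value.
KNOWN_GENUINE = {"18005550100"}

# Keypad letters, so a vanity number such as 1-800-555-BANK becomes digits.
KEYPAD = {c: str(d) for d, letters in
          {2: "ABC", 3: "DEF", 4: "GHI", 5: "JKL",
           6: "MNO", 7: "PQRS", 8: "TUV", 9: "WXYZ"}.items() for c in letters}

# Optional +1/1 prefix, area code, exchange, last four (digits or capitals),
# separated by spaces, dots, dashes or parentheses.
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?([0-9A-Z]{4})(?!\w)")


def normalize(match):
    """Reduce any written form to one canonical 11-digit string."""
    area, exchange, last = match.groups()
    last = "".join(KEYPAD.get(c, c) for c in last)
    return "1" + area + exchange + last


def unverified_callback_numbers(text, known=KNOWN_GENUINE):
    """Return each number in the text that is not on the verified list."""
    flagged = []
    for m in PHONE_RE.finditer(text):
        number = normalize(m)
        if number not in known and number not in flagged:
            flagged.append(number)
    return flagged


# Constructed sample message in the style the article describes.
SAMPLE_EMAIL = """Subject: Urgent account problem
Dear customer, we detected a problem with your account.
Please call us toll-free at 1 (800) 555-0199 or 800.555.0199
to confirm your account number and PIN.
Our usual line, 1-800-555-0100, is unavailable."""

if __name__ == "__main__":
    for number in unverified_callback_numbers(SAMPLE_EMAIL):
        print("Do not call, number not verified:", number)
```

A flagged number is not proof of fraud; it only means the number should not be dialed until it has been checked against a source you reached yourself.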
Stay wise
There is no need to be alarmed: Vishing is still relatively rare. But it pays to be alert whenever giving out your identity information, no matter what the medium. Never respond to an email or automated phone call that asks you to clear up an urgent problem: if it were urgent, they’d contact you personally and they would be in a position to prove they actually know you.