TMCnet

July 12, 2006

Scammers Using VoIP to Launch 'Vishing' Attacks

By Patrick Barnard
TMCnet Associate Editor


VoIP, the technology that enables cheap or free phone calls over the Internet, is increasingly being used by scammers to obtain people’s credit card information.

TMCnet first reported on VoIP phishing scams back in April, when Cloudmark, a leading provider of spam, phishing and virus detection solutions, reported that it had detected and prevented several VoIP phishing scams on its network.

In those particular scams, which were among the first of their kind, the phishers would send an email to a targeted victim. The emails, which were designed to appear to have come from the victim’s bank, told the victim that their account had in some way been compromised, and they needed to contact the bank via a toll-free number provided in the email. The number, however, was a “fake” VoIP number which connected the victim to an IP-PBX (i.e. phone system) which had been set up by the phishers in a remote location. Once a victim had dialed into the IP-PBX, they would encounter a “phone tree,” or voice recognition system, which the phishers had ingeniously “copied” from the bank’s phone system – thus putting the victim in a phone system which would seem both legitimate and “familiar.” The system would then prompt the victim to enter his or her credit card number, and several other pieces of information, which were then recorded onto the IP-PBX. The phishers could then use the information to make fraudulent charges on the victim’s credit card.

The latest permutation of VoIP phishing, now called “vishing,” is even more deceptive because it doesn’t involve email. With vishing scams, the potential victim’s phone rings and an automated voice message tells him there may have been fraudulent charges on his credit card. The message provides a toll-free number to call, and when the victim dials it, he is prompted to enter his credit card number, date of expiration, and perhaps other information which the “vishers” can use to make fraudulent charges. In addition, vishers can easily “spoof” someone’s caller ID to make it appear that the call is coming from a legitimate bank or other financial institution.

In both cases, the victim never actually speaks to a live person – the automated phone system does all of the work.

Part of what is driving these phishing and vishing scams is the fact that VoIP technology is getting cheaper and is now widely available. Just about any programmer with basic knowledge of VoIP and how it is deployed can set up a bank of “fake” numbers which can be used to lure victims. In addition, the phone systems - including both the hardware and software - have also become more affordable in recent years, thus making it easy for vishers to set up “fake” phone systems (they can even “record” or copy the original auto-attendants’ voice from a bank’s phone system over to their IP-PBX). Because VoIP numbers can be set up and broken down in just minutes, it is almost impossible for law enforcement to track the numbers being used and thus arrest the bad guys. (Usually, the numbers are valid for only a few hours, while the activity is going on, and they are broken down before law enforcement can track them. Plus, it is also possible to use a phone number to route calls to another number, which could be anywhere in the world.) Furthermore, the new phone systems are fairly easy to set up and take down, are relatively inexpensive, and are readily transportable.

“Consumers need to be made aware of this new threat,” said Paul Henry, vice president of strategic accounts for Secure Computing, a company that specializes in creating secure Internet connections. “Like most other social engineering exploits, vishing relies upon the ‘hacking’ of a common procedure that fits within the victim’s comfort zone. Specifically, this methodology takes advantage of what has become a normal practice for credit card users. It is a normal procedure when calling a credit card provider to be asked to enter your 16-digit credit card number before being given the opportunity to speak to a credit card representative. Consumers need to be extra vigilant when giving out their information on the phone.”

“Common sense is the first line of protection,” Henry added. “Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account.”

Consumers should take the following precautions to avoid “vishing” scams:

--If the auto-attendant calling you (i.e. the computer voice) does not refer to you by your full name, there’s a chance this could be a vishing call. Credit card companies are required to refer to you by your full name. If you get a call from your bank and it only refers to you by your first or last name, hang up and call your bank to see if the call was valid.

--Never call a phone number sent to you in an email (or provided through a phone call you received) which appears to be from your bank. Always use the toll-free number on the back of your card or on your statement.

--If someone calls purporting to be a credit card provider and requests your card number, immediately hang up and call the phone number on the back of your credit card and report the attempt to your bank.

--If you think you have fallen victim to a vishing or phishing scam, call your bank immediately and report your credit card as possibly stolen.

--------

Patrick Barnard is Associate Editor for TMCnet and a columnist covering the telecom industry. To see more of his articles, please visit Patrick Barnard’s columnist page.