‘Vishing’ is one of the latest techniques used to commit identity theft.
Vishing (or voice phishing) uses Internet-based Voice over Internet Protocol (VoIP) phone services to trick people into revealing private data -- which is then used for identity fraud. Here's how "vishing" works, and how you can protect yourself against it.
Phishing by phone
ID thieves have perfected an online scam called "phishing," in which they send mass email messages announcing an "urgent account problem." Recipients are asked to visit a web site to clear up the problem. The web site appears to be the legitimate site of a merchant or financial institution, but account information is immediately stolen and used to commit ID fraud.
But with consumers getting wise to online phishing, thieves are now exploiting new Internet-based (aka VoIP or digital) phone services. In this case, thieves use email or automated phone messages to notify consumers of "account problems." Recipients are asked to call a toll-free number to resolve the problem. When victims call, they hear what sounds like a legitimate automated phone message. Victims are asked to provide account numbers, passwords or social security numbers, which are then sold on the Internet and used to commit identity fraud.
Types of Vishing
Vishing falls into several categories, including:
- Caller ID Spoofing:
This involves displaying a false number on your caller ID. Unfortunately, companies exist that provide tools to make spoofing possible.
The practice of using an automated system on specified area codes. Phone calls typically involve local or regional credit unions or banks and ask recipients to provide a credit card, debit card, or bank account number with their PIN.
- Social Engineering:
Social engineering is considered the “fancier” form of vishing because the recorded messages sound especially professional and the techniques find their way around security software and hardware.
- VoIP:
Voice over Internet Protocol is an Internet-based system that utilizes numerous techniques simultaneously to make calls.
- Dumpster Diving:
This technique isn’t exactly technical, as it involves rifling through a bank’s dumpster for lists of client phone numbers.
A problem of trust
Vishing mimics the legitimate ways people interact with their financial institutions, so victims are more likely to respond without hesitation. People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical.
But VoIP service has rendered that security blanket almost inoperative. Many Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost. Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses -- even matching the on-hold music. Traditional antiphishing tools cannot easily detect a phony telephone number within email text, so protection against vishing is up to the user.
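The gap described above, where a callback number inside email text goes unchecked, can be narrowed with a simple mail filter. The following is an added example, not part of the original article: it pulls phone numbers out of a message body and compares them with a list of numbers known to be genuine. The KNOWN_GENUINE list, the lure keywords and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: numbers the institution really publishes (constructed sample value).
KNOWN_GENUINE = {"8005550100"}

# North American formats: 800-555-0142, (800) 555.0142, +1 800 555 0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
# Pressure wording typical of the "account problem, call this number" lure.
LURE_RE = re.compile(r"\b(urgent|immediately|suspended|verify|toll[- ]free)\b", re.I)

def extract_numbers(text):
    """Return every phone number in text, normalized to its 10 digits."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def body_text(raw):
    """Concatenate the decoded text/plain parts of a raw RFC 5322 message."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def review_message(raw):
    """Flag callback numbers that are not on the known-genuine list."""
    text = body_text(raw)
    unknown = sorted(extract_numbers(text) - KNOWN_GENUINE)
    lure = bool(LURE_RE.search(text))
    verdict = "suspicious" if unknown and lure else "review" if unknown else "ok"
    return {"unknown_numbers": unknown, "lure": lure, "verdict": verdict}

# Constructed sample message; 555-01xx numbers are reserved for fiction.
SAMPLE = """From: "Example Bank" <alerts@example.com>
Subject: Account notice
Content-Type: text/plain; charset=utf-8

We detected a problem with your account. Call toll-free 1 (800) 555-0142
immediately to verify your card. Our published line is 800-555-0100.
"""

if __name__ == "__main__":
    print(review_message(SAMPLE))
```

A filter like this only helps when the allowlist is taken from a trusted source, such as the number printed on a card or statement, never from the message being checked.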
How to protect yourself
It's a good idea to use common sense whenever your ID information is involved.
- Never respond to an email or voice mail that asks you to go to a web site or call a phone number to resolve an account problem. These are never legitimate. If there is any question, call the merchant or institution at a number you know is genuine.
- Get into the habit of asking for authentication. For example, ask the person at the other end of the line to verify a recent transaction you've made. A thief is not likely to have access to this type of information.
- Don’t trust caller ID, as it can be tampered with.
- Call your bank and report fraud attempts. Make the call immediately to put a stop to the scam. Let your bank know what was requested as well as the caller’s phone number and any other relevant information you can provide.
- Contact your local police and file a report.
- Ask the caller questions, such as who the person works for, or let the call go to voicemail.
- Block suspicious numbers.