About a week ago, I was made aware of a fraud group operating from a Tampa, Florida number, who were calling people and using some pretty heavy-handed tactics to collect (steal) money. Interestingly enough, the person that let me know about this had never done business with the company being impersonated.
Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls. With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information. Of course, in this instance, since the calls were bogus, it was not the case. In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself.
The person who provided me with this information also provided me with the number she was called from. I called the number and, after a slight delay, I got a person with a Indian accent, who identified himself as "William Scott" from ACS, Inc. Leading him on, I told him my wife was always getting us into trouble by borrowing money — and that we had received a message to call them. He asked me for my wife's name and I made one up. He then told me to wait a minute, while he looked up the file. After about a minute, he said he had located the file and that she owed $500.00, and said this was a "serious legal issue we needed to get cleared up right away." He even offered to settle for $300.00, if I paid that day with a debit/credit card.
During my conversation with William, I could hear the chatter of other calls being made. Listening carefully, I noted that all the people, "chattering" in the background seemed to have Southern Asian (probably Indian) accents. This leads me to believe that the call was being forwarded, possibly overseas. This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number, all over the world.
I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him. About an hour later. I got the form coming from an e-mail address, acscorpusa@gmail.com. It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number. There is very little doubt in my mind if I had sent the form back to him the account I gave them would have been promptly cleaned out.
I ran the number (813-434-4611) on a site called PhoneValidator.com, which tells you what company a number belongs to and if it is a cell phone or a landline. This number belongs to a PaeTec Communications in Tampa, Florida. PhoneValidator.com offers two additional tools after you run the number. One is primarily a paid search (how they make money), but they offer Google results, also. When I ran the Google results, it identified the same scam, I had run into. One site, 800notes.com, had quite a few comments about it.
The payment authorization letter listed a fax number of 646-786-4401. I ran that number and it went to a landline in New York. Again, I ran the Google results, which revealed more people getting faux collection calls. Besides the fax number on the authorization letter — designed to clean out a payment card — was another number (813-435-1963) to call them back. Although, it was another Tampa number, it went to different telecom outfit. By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors.
Based on the comments I found, it appeared that this activity had been going for a long time, and the Indian accents seems to be a common theme. I did report this to the authorities — but besides getting an initial call back — I haven't heard anything from them since then.
It is not uncommon for scammers to set up legitimate sounding numbers, either. As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does. Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected.
I did more research on this activity and discovered that the BBB had an interesting write-up about similar (if not the same) fraudulent collection activity. The report lists 67 complaints they had received. Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims — a data breach was suspected. In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victim's relatives. It also stated that people were being threatened with criminal prosecution, if they did not pay.
If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt. The Federal Trade Commission (FTC) has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow. You can also file an online complaint (highly recommended if you suspect abuse) and even watch a video on how to do it properly. They also provide a number (1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261) if you want to speak with a live human being.
The phenomenon of fraud by telephone is becoming more and more common. Officially dubbed "vishing," which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes. Cheap long distance — enabled by VoIP (Voice over Internet Protocol) — and caller ID spoofing (which is legal) have made vishing pretty easy to accomplish.
If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding!
Showing posts with label VoIP. Show all posts
Showing posts with label VoIP. Show all posts
Wednesday, July 07, 2010
Monday, June 08, 2009
Trust Caller ID, Become a Crime Victim!
Fraud using the telephone is nothing new; it's probably been around as long as there have been telephones. After all, a telephone is merely a communication device and can be used to dupe someone into doing something they shouldn't have.
Saying that, telephone technology, which has grown rapidly in recent years, has given fraudsters a wide array of new tools to use to depart common people and even large businesses from their hard-earned money.
Take caller ID for instance, which is marketed as a means of protecting our privacy. When I say marketed, it's normally sold for a fee so we can see who is calling us. The irony of the situation is that for a fee, just about anyone can make the caller ID appear to whatever number they desire.
The ability to spoof (fake/impersonate) caller ID has been around for a few years. Collection agencies, private investigators and even law enforcement agencies use it to get people to answer their telephone. In these instances, they are normally paying the telecom company for the service. I guess this means the people selling caller ID and the ability to spoof it are making money on both sides of the fence.
While some might argue the semi-legitimate (?) uses are deceptive in themselves, I'm far more concerned when criminals or malicious beings use it to further one of their schemes.
For instance, caller ID spoofing has been used to dispatch a SWAT team to an unsuspecting person's house, and a Pennsylvania man made obscene phone calls to women and made the caller ID appear as if they were coming from within the house. It has also subjected a lot of people to abusive return phone calls when their number was spoofed and angry consumers wanted to complain.
Of even greater concern is when caller ID spoofing is used by "stalkers." In January, Alexis A. Moore did a very well researched post on her blog about this subject. Moore is a "crime victim advocate and expert in cyber stalking, identity theft, traditional stalking, domestic violence and privacy protection," according to her profile on Blogspot.
Before I move forward, please note that it seems to have worked on a 911 dispatch system. In this case, law enforcement – who is known to spoof their numbers – is being victimized by the same technology they use to cloak calls themselves. Please note that if anyone should be able to legally spoof calls, it’s probably law enforcement. Nonetheless, it is ironic.
More and more frequently, caller ID is being used by organized (and maybe some not so organized) criminals to commit fraud.
Last month, spoofing caller ID was reported to be used as a tool by an international credit card fraud ring that was broken up by the NYPD and the Queens District Attorney's office. The ring was using an easily purchased portable spoofing tool, known as a Spoof Card. Spoof Cards can be bought by anyone who has the money to buy them, right over the Internet! Besides spoofing a number, the cards can be used to disguise a person's voice and gender.
The ring, which was described as stretching from New York to Nigeria, obtained cards and activated them using a number they spoofed as legitimately belonging to the intended recipient of the card. Please note, most banks require you to activate a card from a known number when you receive it in the mail. I wonder how many of these same banks are using caller ID spoofing technology in their collections departments.
While the methods used by this group included counterfeiting, mail theft, taking over accounts and fraud applications to get the cards, using a Spoof Card was obviously a pretty successful tool used in furthering the fraud scheme. The victims were from all over North America and the cards were used worldwide. According to the authorities, the financial impact of this activity was estimated at $12 million in the past year alone.
While devices like Spoof Card are an issue, the problem doesn't stop there. Semi-legitimate (?) marketing firms, such as Voice Touch, Inc. and Network Foundations LLC – ones that the FTC shut down last month – were using robocalls with spoofed caller IDs. Of course, there were a lot of complaints that these warranties they were selling (provided by Transcontinental Warranty, Inc.) were virtually useless if you tried to use them, too.
Spoofing caller ID has led to a rash of vishing (phishing by telephone scams), also. Last year in November, I wrote about a call I was getting offering to lower my interest rate. The calls in question were robo-generated and the intent was to get you give up your credit card numbers to a scammer. As of this month, I received another one of these calls. Besides this particular scam, there have been numerous reports of financial institutions having their telephone numbers spoofed in vishing schemes.
Of course, Spoof Card isn't the only spoofing service out there. Some services offer software programs that can be used to spoof calls over a Web interface. One even calls itself PhoneGangster.com.
The services that allow it to be done over a Web interface enable the activity to be performed on a much larger scale. A simple Google search for "caller ID spoofing" brings up all kinds of Adsense ads selling a wide range of caller ID spoofing services. Of course, I shouldn't single out Google or Adsense; my guess is that any search on most commercial browsers will net the same type of advertising.
With VoIP technology in full vogue and services like Skype, the fraudulent use of caller id spoofing services now can feasibly be done across borders. This will make it much more difficult for law enforcement agencies to investigate and prosecute these cases.
In 2007, two bills were sent to the Senate to address caller ID spoofing. Neither was voted on and as a result no effective law has been put into place to address this issue. This year, Senator Bill Nelson (FL) and three co-sponsors introduced another bill (S.30) dubbed "The Truth in Caller ID Act."
In my humble opinion, the need for this legislation is pretty apparent. Laws are designed to protect people and it there are too many good reasons people need to be protected from caller ID spoofing!
The right place to file a complaint about something like this is the Federal Trade Commission. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). There is also a link on the page to file a complaint on an overseas entity.
You can also write your representatives (elected officials) and encourage them to make 2009 the year that they finally pass some legislation on this issue.
Saying that, telephone technology, which has grown rapidly in recent years, has given fraudsters a wide array of new tools to use to depart common people and even large businesses from their hard-earned money.
Take caller ID for instance, which is marketed as a means of protecting our privacy. When I say marketed, it's normally sold for a fee so we can see who is calling us. The irony of the situation is that for a fee, just about anyone can make the caller ID appear to whatever number they desire.
The ability to spoof (fake/impersonate) caller ID has been around for a few years. Collection agencies, private investigators and even law enforcement agencies use it to get people to answer their telephone. In these instances, they are normally paying the telecom company for the service. I guess this means the people selling caller ID and the ability to spoof it are making money on both sides of the fence.
While some might argue the semi-legitimate (?) uses are deceptive in themselves, I'm far more concerned when criminals or malicious beings use it to further one of their schemes.
For instance, caller ID spoofing has been used to dispatch a SWAT team to an unsuspecting person's house, and a Pennsylvania man made obscene phone calls to women and made the caller ID appear as if they were coming from within the house. It has also subjected a lot of people to abusive return phone calls when their number was spoofed and angry consumers wanted to complain.
Of even greater concern is when caller ID spoofing is used by "stalkers." In January, Alexis A. Moore did a very well researched post on her blog about this subject. Moore is a "crime victim advocate and expert in cyber stalking, identity theft, traditional stalking, domestic violence and privacy protection," according to her profile on Blogspot.
Before I move forward, please note that it seems to have worked on a 911 dispatch system. In this case, law enforcement – who is known to spoof their numbers – is being victimized by the same technology they use to cloak calls themselves. Please note that if anyone should be able to legally spoof calls, it’s probably law enforcement. Nonetheless, it is ironic.
More and more frequently, caller ID is being used by organized (and maybe some not so organized) criminals to commit fraud.
Last month, spoofing caller ID was reported to be used as a tool by an international credit card fraud ring that was broken up by the NYPD and the Queens District Attorney's office. The ring was using an easily purchased portable spoofing tool, known as a Spoof Card. Spoof Cards can be bought by anyone who has the money to buy them, right over the Internet! Besides spoofing a number, the cards can be used to disguise a person's voice and gender.
The ring, which was described as stretching from New York to Nigeria, obtained cards and activated them using a number they spoofed as legitimately belonging to the intended recipient of the card. Please note, most banks require you to activate a card from a known number when you receive it in the mail. I wonder how many of these same banks are using caller ID spoofing technology in their collections departments.
While the methods used by this group included counterfeiting, mail theft, taking over accounts and fraud applications to get the cards, using a Spoof Card was obviously a pretty successful tool used in furthering the fraud scheme. The victims were from all over North America and the cards were used worldwide. According to the authorities, the financial impact of this activity was estimated at $12 million in the past year alone.
While devices like Spoof Card are an issue, the problem doesn't stop there. Semi-legitimate (?) marketing firms, such as Voice Touch, Inc. and Network Foundations LLC – ones that the FTC shut down last month – were using robocalls with spoofed caller IDs. Of course, there were a lot of complaints that these warranties they were selling (provided by Transcontinental Warranty, Inc.) were virtually useless if you tried to use them, too.
Spoofing caller ID has led to a rash of vishing (phishing by telephone scams), also. Last year in November, I wrote about a call I was getting offering to lower my interest rate. The calls in question were robo-generated and the intent was to get you give up your credit card numbers to a scammer. As of this month, I received another one of these calls. Besides this particular scam, there have been numerous reports of financial institutions having their telephone numbers spoofed in vishing schemes.
Of course, Spoof Card isn't the only spoofing service out there. Some services offer software programs that can be used to spoof calls over a Web interface. One even calls itself PhoneGangster.com.
The services that allow it to be done over a Web interface enable the activity to be performed on a much larger scale. A simple Google search for "caller ID spoofing" brings up all kinds of Adsense ads selling a wide range of caller ID spoofing services. Of course, I shouldn't single out Google or Adsense; my guess is that any search on most commercial browsers will net the same type of advertising.
With VoIP technology in full vogue and services like Skype, the fraudulent use of caller id spoofing services now can feasibly be done across borders. This will make it much more difficult for law enforcement agencies to investigate and prosecute these cases.
In 2007, two bills were sent to the Senate to address caller ID spoofing. Neither was voted on and as a result no effective law has been put into place to address this issue. This year, Senator Bill Nelson (FL) and three co-sponsors introduced another bill (S.30) dubbed "The Truth in Caller ID Act."
In my humble opinion, the need for this legislation is pretty apparent. Laws are designed to protect people and it there are too many good reasons people need to be protected from caller ID spoofing!
The right place to file a complaint about something like this is the Federal Trade Commission. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). There is also a link on the page to file a complaint on an overseas entity.
You can also write your representatives (elected officials) and encourage them to make 2009 the year that they finally pass some legislation on this issue.
Friday, July 13, 2007
If Social Security calls requesting personal information, it might be smart to verify who you are talking to!
(Nice Photo courtesy of Long N at Flickr)
If you get an unsolicited call from an "alleged" Social Security employee, it might be wise to verify (independently), who is calling you. Of course -- you should do this by using a number obtained from a legitimate source, and not one pointed to by the person calling -- who might be trying to steal by using your good name.
The Office of the Inspector General, Social Security Administration recently reported:
Over the past several months, the Office of the Inspector General has received a number of reports relating circumstances where individuals have been contacted by someone pretending to be an SSA employee. The caller identifies himself/herself as an SSA employee and may even provide a toll-free number as a point of contact. The caller generally asks for personal identifying information such as:The impersonator may state that "the SSA computers are down" or may refer to enrollment in the Medicare prescription drug program. The intent of the impersonator is to steal your identity and/or funds from your bank accounts.
- Social Security Number
- Date of Birth
- Mother's maiden name
- Bank account information
- Other financial account information
It is possible that an SSA employee may contact you to follow-up on a previous application for benefits, application for a subsidy for the Medicare Part D program, or to follow-up on business you have initiated with SSA. If you are unsure as to the authenticity of someone who claims to be an SSA employee, please call SSA's
toll-free number: 1-800-772-1213 to verify the reason for the contact and the person's identity.
More information on this particular scam can be viewed on the link provided to the original press release below.
I always recommend reporting fraud attempts. At a minimum, it helps get the word out and you never know when it will lead to someone getting caught.
Information about the OIG's fraud hotline can be obtained from the Reporting Fraud section of the OIG's website.Link to SSA press release, here.
Scams using the telephone are nothing new, but with VoIP (Voice over Internet Protocol) technology, the frequency with which they are being seen is increasing. The reason for this is that VoIP has made calling long distance cheap.
Telephone scams using VoIP are often referred to as "vishing." If you are interested in more information on this type of scam, I've written some other posts, which can be seen, here.
Impersonating official agencies is nothing new, either. In the recent past, the IRS, FBI, DOJ, FTC and even Interpol have all been spoofed (impersonated) as part of a fraud scheme involving vishing, or it's sister scam, phishing.
Saturday, June 02, 2007
Criminals scam military families using the Red Cross name
Identity thieves have no honor. They don't care if they steal from our grandparents, or the families of those, who protect all of us by putting themselves in harm's way.
Here is a particularly ghoulish scheme reported on the Red Cross site:
The American Red Cross has learned about a new identity theft scam targeting military families:
Just to set the record straight - the Red Cross doesn't notify family members when this happens!
Not sure, where the identity theft ghouls are getting their lists to target military spouses? The Red Cross stated in their press release that the family member isn't identified by name, but this might have changed by now. Recently, I read a story from the New York Times, where a well known data-broker (InfoUSA) was selling marketing lists of senior citizens, known to gamble on the Internet, to lottery scammers.
I’m guessing that data brokers sell telephone lists to market goods and services to the military, also.
Not only are these blood suckers stealing information to enrich themselves, they are also putting military family members through a lot of personal grief, unnecessarily! Imagine what a call like this does to the family member, who receives it!
Red Cross press release, here.
Red Cross main page, here.
These are people that do a lot of good for other people, when they need it!
Here is a particularly ghoulish scheme reported on the Red Cross site:
The American Red Cross has learned about a new identity theft scam targeting military families:
The caller (young-sounding, American accent) calls a military spouse and identifies herself as a representative from the Red Cross. The caller states that the spouse's husband (not identified by name) was hurt while on duty in Iraq and was medevacuated to a hospital in Germany. The caller stated they couldn't start treatment until paperwork was accomplished, and that in order to start the paperwork they needed the spouse to verify her husband's social security number and date of birth. In this case, the spouse was quick to catch on and she did not provide any information to the caller.
Just to set the record straight - the Red Cross doesn't notify family members when this happens!
Not sure, where the identity theft ghouls are getting their lists to target military spouses? The Red Cross stated in their press release that the family member isn't identified by name, but this might have changed by now. Recently, I read a story from the New York Times, where a well known data-broker (InfoUSA) was selling marketing lists of senior citizens, known to gamble on the Internet, to lottery scammers.
I’m guessing that data brokers sell telephone lists to market goods and services to the military, also.
Not only are these blood suckers stealing information to enrich themselves, they are also putting military family members through a lot of personal grief, unnecessarily! Imagine what a call like this does to the family member, who receives it!
Red Cross press release, here.
Red Cross main page, here.
These are people that do a lot of good for other people, when they need it!
Thursday, April 12, 2007
Sage Predictions on the State of Cyber Crime from McAfee
According to McAfee, cyber crime is growing and as soon as the good guys (white hats) close one loophole, the bad guys (black hats) exploit another.
Unfortunately, technology grows faster than laws and security fixes. Criminals, who are becoming increasingly organized, realize and exploit this fact, frequently.
The report confirms predictions that exploiting VoIP and mobile devices will become more common.
Vishing will probably become more dangerous than phishing - it adds a more personal (voice) touch to tricking people into giving up their personal details. VoIP (cheap long distance) is one of the reasons for this. Since caller-id spoofing is easily available and legal, it makes sense that a lot of people are going to fall victim to vishing attacks.
Also covered is the growth in music and software privacy. Billions of dollars are being lost in both these areas - systems are now being sold with pirated software already installed on them.
To me, this shows how organized, the activity is becoming!
The report also covers RFID technology (quickly becoming commonplace) and how easily it can be exploited. Despite warnings from a lot of concerned experts, we seem to be implementing this technology at a foolish pace (my emphasis).
McAfee deserves recognition for having the courage (there is a lot of money behind RFID technology) to point out the dangers behind this highly profitable, but dangerous (my emphasis), technology.
Enough ranting for the moment, I highly recommend reading the full report, which can be viewed, here.
Unfortunately, technology grows faster than laws and security fixes. Criminals, who are becoming increasingly organized, realize and exploit this fact, frequently.
The report confirms predictions that exploiting VoIP and mobile devices will become more common.
Vishing will probably become more dangerous than phishing - it adds a more personal (voice) touch to tricking people into giving up their personal details. VoIP (cheap long distance) is one of the reasons for this. Since caller-id spoofing is easily available and legal, it makes sense that a lot of people are going to fall victim to vishing attacks.
Also covered is the growth in music and software privacy. Billions of dollars are being lost in both these areas - systems are now being sold with pirated software already installed on them.
To me, this shows how organized, the activity is becoming!
The report also covers RFID technology (quickly becoming commonplace) and how easily it can be exploited. Despite warnings from a lot of concerned experts, we seem to be implementing this technology at a foolish pace (my emphasis).
McAfee deserves recognition for having the courage (there is a lot of money behind RFID technology) to point out the dangers behind this highly profitable, but dangerous (my emphasis), technology.
Enough ranting for the moment, I highly recommend reading the full report, which can be viewed, here.
Friday, March 02, 2007
Bank's Telephone ID Spoofed in Vishing Scam
People in Jefferson City, Missouri are receiving fraudulent telephone calls soliciting their personal and banking information. Even worse, their caller ID reflects that the call is coming from a bank.
A new term (vishing) is being used to describe this kind of fraudulent activity. Scams over the telephone are nothing new, but many experts believe that VoIP technology is making the problem worse.
Michelle Brooks, of the News Tribune is reporting:
More than 1,000 people in the Jefferson City area received a prerecorded phone message Wednesday that sought customer information and claimed to be from “Central Trust Bank”- a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems.
News Tribune story, here.
Besides stealing from people, a Washington Post story shows how this technology can be used by stalkers and criminals, who are potentially violent (stalkers).
This technology is a favorite of collection and telemarketing types to get people to answer their telephones. Some of the people marketing this technology, claim their intent is to protect privacy.
Of course, some of us believe, that this technology is violating a lot of people's privacy.
One of the most scary examples of this is spoofcard.com. They sell a calling card that not only spoofs the number being called from, but gives their customers the ability to change their voice. The calls are also recorded (accessible by calling a 800 number).
Besides this company, there are many others, that are hawking Caller-ID spoofing. Collection agencies and telemarketing types use the technology to trick people into answering their telephones.
The FTC (Federal Trade Commission) seems to be taking a look at this problem, a list of their press releases on this matter can be viewed, here.
The FCC (Federal Communications Commission) also has a lot of information about the problem on their site, here.
If you are mad about someone doing this to you, the FCC has a complaint form, here.
Isn't it a shame that we constantly see so-called legitimate businesses profiting from technology that victimizes the general population?
Congress needs to work with the FCC and the FTC to pass a law against this abuse!
A new term (vishing) is being used to describe this kind of fraudulent activity. Scams over the telephone are nothing new, but many experts believe that VoIP technology is making the problem worse.
Michelle Brooks, of the News Tribune is reporting:
More than 1,000 people in the Jefferson City area received a prerecorded phone message Wednesday that sought customer information and claimed to be from “Central Trust Bank”- a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems.
News Tribune story, here.
Besides stealing from people, a Washington Post story shows how this technology can be used by stalkers and criminals, who are potentially violent (stalkers).
This technology is a favorite of collection and telemarketing types to get people to answer their telephones. Some of the people marketing this technology, claim their intent is to protect privacy.
Of course, some of us believe, that this technology is violating a lot of people's privacy.
One of the most scary examples of this is spoofcard.com. They sell a calling card that not only spoofs the number being called from, but gives their customers the ability to change their voice. The calls are also recorded (accessible by calling a 800 number).
Besides this company, there are many others, that are hawking Caller-ID spoofing. Collection agencies and telemarketing types use the technology to trick people into answering their telephones.
The FTC (Federal Trade Commission) seems to be taking a look at this problem, a list of their press releases on this matter can be viewed, here.
The FCC (Federal Communications Commission) also has a lot of information about the problem on their site, here.
If you are mad about someone doing this to you, the FCC has a complaint form, here.
Isn't it a shame that we constantly see so-called legitimate businesses profiting from technology that victimizes the general population?
Congress needs to work with the FCC and the FTC to pass a law against this abuse!
Tuesday, July 18, 2006
Vishing - The New Way to Lose Your Identity
The security media is reporting a new scam called "vishing," ( phishing by telephone). In vishing, a person is called, or directed to call a number and tricked into giving up their personal details. Note that the call might have someone give up information over the telephone, or direct them to a fraudulent website (like they do in phishing). The intent of these (vishing) scams is to steal personal information, which are used in "identity theft" schemes.
Of course using the telephone to rip-off people is nothing new. Telemarketing scams have been around for years.
The lures used to "dupe" innocent people are normally the same ones used in phishing, like telling you an account has been compromised. It's even possible they might already have some of your information (a lot of it has already been compromised) and be trying to get a credit card's CVC code, or obtain a password to an account.
According to a recent BBC article, the recent bouts with "vishing" started with spam e-mails directing someone to call a number, where they would be prompted to give up personal information. The scam has now mutated (they always do) and now people are being called by "autodialers," which dial number after number and leave a recorded message.
The rise in popularity of Voice over Internet Protocol (VoIP) is being cited by security experts as the reason why vishing is becoming a problem. VoIP has made calling long distance cheap, which means that vishing crosses borders; making it hard to trace and or prosecute.
The BBC article also states that it is relatively easy to spoof "caller-id" with VoIP. Security Focus recently did an article that supports this contention. In the article, a hacker easily showed the reporter how it was done.
For anyone unfamiliar with "spoofing caller id," fraudsters aren't the only ones who do it. In fact, many legitimate corporations use "caller id spoofing services" to trick people (my own words) into picking up the telephone.
For a post, I wrote about this, link here.
So far as how to protect yourself from this sort of scam, I would highly recommend that if you receive any telephone calls (or a e-communication to call a number) asking you to "verify" personal, or financial information that you take a "deep breath" before proceeding. Most of us have access to legitimate telephone numbers with places we do business with. The key to protecting yourself is to always verify who you are talking to and make sure they are entitled to the information in question.
And remember that since "vishing" is relatively new, financial institutions might now be the only organizations impersonated. The history of phishing tells us that sometimes government institutions are also impersonated. In the past couple of years, we have seen the IRS and even the FBI impersonated in phishing schemes. As a matter of fact in October, 2005 - I did a post on the Jury Duty Scam - where fraudsters (we might now term as "vishers") were calling up to verify personal information.
Maybe "vishing" isn't as new as we thought it was?
Of course using the telephone to rip-off people is nothing new. Telemarketing scams have been around for years.
The lures used to "dupe" innocent people are normally the same ones used in phishing, like telling you an account has been compromised. It's even possible they might already have some of your information (a lot of it has already been compromised) and be trying to get a credit card's CVC code, or obtain a password to an account.
According to a recent BBC article, the recent bouts with "vishing" started with spam e-mails directing someone to call a number, where they would be prompted to give up personal information. The scam has now mutated (they always do) and now people are being called by "autodialers," which dial number after number and leave a recorded message.
The rise in popularity of Voice over Internet Protocol (VoIP) is being cited by security experts as the reason why vishing is becoming a problem. VoIP has made calling long distance cheap, which means that vishing crosses borders; making it hard to trace and or prosecute.
The BBC article also states that it is relatively easy to spoof "caller-id" with VoIP. Security Focus recently did an article that supports this contention. In the article, a hacker easily showed the reporter how it was done.
For anyone unfamiliar with "spoofing caller id," fraudsters aren't the only ones who do it. In fact, many legitimate corporations use "caller id spoofing services" to trick people (my own words) into picking up the telephone.
For a post, I wrote about this, link here.
So far as how to protect yourself from this sort of scam, I would highly recommend that if you receive any telephone calls (or a e-communication to call a number) asking you to "verify" personal, or financial information that you take a "deep breath" before proceeding. Most of us have access to legitimate telephone numbers with places we do business with. The key to protecting yourself is to always verify who you are talking to and make sure they are entitled to the information in question.
And remember that since "vishing" is relatively new, financial institutions might now be the only organizations impersonated. The history of phishing tells us that sometimes government institutions are also impersonated. In the past couple of years, we have seen the IRS and even the FBI impersonated in phishing schemes. As a matter of fact in October, 2005 - I did a post on the Jury Duty Scam - where fraudsters (we might now term as "vishers") were calling up to verify personal information.
Maybe "vishing" isn't as new as we thought it was?
Friday, April 28, 2006
Using VoIP to Phish for Victims
The world of Internet fraud is a constantly mutating animal. Phishing in particular is a rapidly growing problem and the latest mutation is the use of VoIP (Voice over IP) technology.
Using VoIP technology, the phishermen are luring the innocent into giving up sensitive personal and financial information by impersonating call centers.
Robert McMillan of IDG News Service reports:
Typically phishers email their victims, trying to lure them into revealing sensitive information on bogus websites. But instead of telling victims to click on a Web link, this attack asks users to verity account information on a phony customer support number.
"Part of the danger here is just the fact that it is novel," senior research scientist with Cloudmark, Adam O'Donnell, said. "Most people are pretty comfortable calling to a phone number that they think is their bank's."
Link to story from IDG News, here.
If you happen to see one of these Phishy e-mails, you can report it to the PIRT Phishing Incident Reporting and Termination Squad. This is a new service (volunteer driven) that actively goes after and takes down phishing sites.
Here is a previous post, I did on PIRT.
Subscribe to:
Posts (Atom)
