Your phone may be under attack

Your phone may be under attack. Increasingly sophisticated scammers are finding ways to use your phone to invade your privacy and steal your personal information. If you receive an e-mail telling you to verify your bank account immediately by calling a number, watch out. You may be dialing a scammer.

It's a twist on the phishing scams that began in 2003. In the most common form, a phishing con begins with a bogus e-mail designed to look like it came from a financial institution. It's sent out en masse and includes a link to a fraudulent Web site designed to steal financial information. Victims click on the link and fill in their account numbers, and away go the thieves.

Law enforcement calls the new con "vishing" -- voice phishing.

It's made possible by use of voice-over-Internet-protocol (VoIP) phones, which allow users to set up new phone numbers quickly with any area code. In some cases, fraudsters skip e-mail altogether and "cold call" consumers -- phoning at random for financial information. Some calls involve automated messages; some calls are live.

'Welcome to account verification'

Take the case of Santa Barbara Bank and Trust customers, who were told in an e-mail that their online accounts had been disabled due to unauthorized access attempts. They were given a local California number to call. Those who did were prompted to provide account information.

Customers of the online money-transfer service PayPal experienced a similar attack a month after the Santa Barbara scam. In an e-mail claiming that the customer's PayPal account had been compromised, victims were directed to dial an 805-area-code number that simply said: "Welcome to account verification. Please type your 16-digit card number."

PayPal spokeswoman Sara Bettencourt says PayPal would never send e-mails to customers if accounts were compromised, nor ask them to follow a link or call a number in response to an e-mail. They would call customers if an account was compromised, not have customers dial into an automated message that asked for credit card numbers.

Typically scammers push these e-mails out shotgun-style, hoping to hit at least some people who would find the message relevant. Bettencourt says that the names of well-known banks and companies often get targeted for this reason, as many of the people contacted likely hold accounts.

Cold-call vishing

Another form of vishing skips right to the phone call. Again, masses of people are contacted randomly via an automated dialing program, also known as a war dialer. Victims who answer the phone will hear a recorded message claiming their account has been compromised or needs updating or verification. They are then prompted to enter account information or credit card numbers.

In either case, anything typed into the phone gets digitally translated onto the hard drive of the scammer's computer the same way banking voice-mail systems translate vocal or typed information.
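The lures described above, whether delivered by e-mail or by a recorded call, share a recognizable shape: a claimed account problem, pressure to act now, a phone number to call, and a request for card or account details. The following scorer is an added example, not code from the article or from any company named in it; the sample messages are constructed for the demonstration, the phone numbers are fictitious 555 numbers, and the term lists and the threshold of 3 are assumptions a practitioner would tune against their own mail. It shows why a phone number alone is not enough to flag a message, which is the distinction a triage rule has to get right.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for the demonstration; not quoted from any real campaign.
VISHING_EMAIL = (
    "Your online account has been disabled due to unauthorized access attempts. "
    "Call 805-555-0100 immediately and enter your 16-digit card number to verify."
)
BENIGN_STATEMENT = "Your March statement is ready. Sign in at your usual address to view it."
BENIGN_BRANCH_NOTICE = "Our branch hours have changed. For directions, call 805-555-0123."

# North American phone-number shape (optional leading 1, optional parentheses, any separator).
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
# Assumed indicator vocabularies; extend from your own sample of reported messages.
CALL_VERB_RE = re.compile(r"\b(call|dial|phone)\b")
URGENCY_RE = re.compile(r"\b(immediately|disabled|compromised|unauthorized|suspended|urgent)\b")
SENSITIVE_RE = re.compile(r"\b(card number|account number|social security|pin|password)\b")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Score one message body; higher means more vishing-like. Reasons explain each point."""
    v = Verdict()
    lowered = text.lower()

    # Indicator 1 (+2): a phone number together with an instruction to call it.
    phones = PHONE_RE.findall(text)
    if phones and CALL_VERB_RE.search(lowered):
        v.score += 2
        v.reasons.append(f"directs recipient to call {phones[0].strip()}")

    # Indicator 2 (+1 per distinct term, capped at 2): pressure language.
    urgency = set(URGENCY_RE.findall(lowered))
    if urgency:
        v.score += min(len(urgency), 2)
        v.reasons.append("pressure language: " + ", ".join(sorted(urgency)))

    # Indicator 3 (+2): asks for data a bank already holds and would not request this way.
    sensitive = set(SENSITIVE_RE.findall(lowered))
    if sensitive:
        v.score += 2
        v.reasons.append("asks for: " + ", ".join(sorted(sensitive)))

    return v


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Threshold of 3 (assumed) means a phone number plus a call verb alone does not flag."""
    return score_message(text).score >= threshold


if __name__ == "__main__":
    for label, msg in (("vishing", VISHING_EMAIL),
                       ("statement", BENIGN_STATEMENT),
                       ("branch notice", BENIGN_BRANCH_NOTICE)):
        verdict = score_message(msg)
        print(f"{label}: score={verdict.score} suspicious={is_suspicious(msg)}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

The branch notice contains a number and the word "call" and still scores only 2, below the threshold, while the account-disabled lure collects points from all three indicators. In practice a rule like this belongs in a mail gateway's tagging stage, where a high score adds a warning banner rather than silently dropping the message, since the same vocabulary appears in some legitimate fraud notices.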

A caller ID device may even list a legitimate-looking local number. But caller ID information can't be trusted. "The phone number may not even relate to the locale of the call being made," says Ronald O'Brien, a senior security analyst with Internet security firm Sophos.

If you receive such a call, hang up immediately. Banks don't use recorded messages when they need to contact you for security reasons. If a problem occurred, you'd get a real person who'd say he or she was calling from the fraud-control department, O'Brien says.

Demonstrating how well live vishing calls can work, Jim Stickley, the chief technology officer for TraceSecurity, a security compliance software firm, has used his own version of the scam on bank workers.

Hired by bank executives to perform security assessments, his team pilfers customers' phone numbers and e-mail addresses from unshredded papers and sticky notes thrown away by employees. He then poses as a bank employee and leaves messages on customers' answering machines during business hours. The message claims that while working with the customer's account, an anomaly was discovered.

He uses the e-mail addresses to send out a message urging customers to call an 800 number, even providing a bogus reference ID number to make the message appear legitimate. When someone dials the 800 number, the call forwards to his cell phone. He then asks for the reference ID number and the person's name, account number and Social Security number -- for "security verification purposes," no less. "They'll give you anything you want at that point," he says.

Customers are then told their account is now processing.

Asked whether the calls were generally successful, he says, "It works every time they call back."

How to protect yourself

Though most vishing scams don't use the personal approach, Stickley says you should distrust the number on the caller ID or the number left in suspicious phone messages. Caller ID systems can be hacked to say anything, and VoIP providers let you assign any area code to a phone number. "Use the number on the back of your cards," he says. "If the call was legitimate, the bank would know that number, too."

As someone who has made many believable vishing calls, he recommends just hanging up if someone who claims to be from your bank calls. Again, contact your bank using the number from your bank card and ask them about the call.

Don't attempt to verify the call by asking for your account number. The scammer may already have it, says Paul Henry, vice president of strategic accounts for Secure Computing. Better to politely end the call. Otherwise, you could surrender vital information to con artists.

Armed with your personal financial details, scammers can do a number of things, says FBI spokesman Paul Bresson. They can commit identity theft, make purchases in your name, apply for a loan or trade your data with other scammers. In other words, guard this information as if you were guarding the Holy Grail.

Even though banks and creditors do use e-mail and phone to communicate with customers, they don't employ these tricks.

Take action

If you receive what you think is a vishing e-mail or phone call, call your bank or creditor using the number on your card, and ask if they tried to contact you.

If you find out your bank, creditor or escrow service didn't contact you, notify them, as well as the Internet Crime Complaint Center and the Federal Trade Commission. Forward the e-mail to spam@uce.gov. Visit the FTC's identity theft Web site if you've responded to a vishing e-mail. (masn.com)
