New scam to watch for: vishing
A caller ID device may even list a legitimate-looking
local number. But caller ID information can't be trusted. "The phone
number may not even relate to the locale of the call being made,"
says Ronald O'Brien, a senior security analyst with Internet security
firm Sophos.
If you receive such a call, hang up immediately. Banks don't use prerecorded messages when they need to contact you for security reasons. If a problem occurred, you'd get a real person who'd say they were calling from the fraud control department, says O'Brien.
Live scammer on line 1
Unfortunately, some real people who are criminals have started calling victims. In Wisconsin, some of the telecommunications customers of TDS Telecom and AT&T have received live phone calls from scammers claiming to work for one of the companies -- sometimes claiming that AT&T had merged with TDS. Customers were told they qualify for a discount of 35 percent off their long distance accounts. All they had to do to score the discount was verify their contact information, mother's maiden name and other identifiers.
Luckily the scammers didn't get very far. DeAnne Boegli, manager of public relations for TDS, says she knows of no one so far who has given out financial information.
While customers might receive promotional calls from the company occasionally, she said they wouldn't ask for identifying information because the company already has it on record.
Demonstrating how well live vishing calls can work, Jim Stickley,
chief technology officer and "social engineer" with TraceSecurity,
a security compliance software firm, has used his own version of
the scam on bank workers for the past two years.
Hired by bank executives to perform security assessments, his team pilfers customers' phone numbers and e-mail addresses from unshredded papers and sticky notes thrown away by employees. He then poses as a bank employee and leaves messages on the answering machines of customers during business hours. The message would claim that while working with the customer's account, an anomaly was discovered.
He uses the e-mail addresses to send out an e-mail with a similar message and directs them to call an 800 number, even providing a bogus reference ID number to make the message appear legitimate. When someone dials the 800 number, the call forwards to his cell phone. He then asks for the reference ID number, their name, account number and Social Security number -- for "security verification purposes," no less. "They'll give you anything you want at that point," he says.
Customers are then told their account is now processing.
Asked whether the calls were generally successful, he says: "It works every time they call back."
How to protect yourself
Though most vishing scams don't use the personal approach, Stickley
says you should distrust the number on the caller ID or the number
left in suspicious phone messages. Caller ID systems can be hacked
to say anything and VoIP providers let you assign any area code
to a phone number. "Use the number on the back of your cards,"
he says. "If the call was legitimate, the bank would know that
number, too."