Saturday, February 23, 2008

It appears that major corporations, like AT&T and AMEX, are using the same techniques as phone phishing scammers to contact customers.  On Monday, this will be the topic of the SquawkBox call. With telephony security experts, we’ll be discussing phone phishing, and how the latest actions by major corporations – AT&T and AMEX to name two – are exposing consumers to phone fraud.

So what is phone phishing? 

In a phone phishing scam, crooks typically pose as a trusted consumer entity, such as a phone company or a bank. Using an autodialer, they leave messages on potential victims' phones asking the victim to call an 800 number for “an important message regarding your AT&T account”. When the victim calls the number, the crook, posing as a legitimate representative of the corporation, coaxes personal information such as credit card and social security information from the unsuspecting caller in order to “update your account”, or “cover a past due bill”.

Recently the FBI has been warning consumers about these schemes. For instance, on January 18th, the Internet Crime Complaint Center (a joint venture between the FBI and the National White Collar Crime Center) published this advisory http://www.ic3.gov/media/2008/080117.htm warning that these types of attacks are on the rise. In particular, this advisory warns consumers as follows:

“Recipients are directed to contact their bank via telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the bank of …" and then requested to enter their card number in order to resolve a pending security issue.”

“If you have a question concerning your account or credit/debit card, you should contact your bank using a telephone number obtained independently such as; from your statement, a telephone book, or another independent means.”

Despite the increase in voice phishing fraud and FBI warnings, both AT&T and AMEX have recently rolled out auto-dialer systems that are indistinguishable from fraudsters' systems. I've personally been contacted by them, and other folks I know have been as well. In taking these steps, these trusted institutions are desensitizing consumers to the risks of fraud and needlessly conditioning consumers to become easy victims of these kinds of attacks.

On Monday, we will discuss:

  1. The types of attacks that consumers may be subject to.
  2. The steps consumers should take in order to protect themselves from these attacks.
  3. The steps consumers should take if they believe that they have been defrauded.
  4. Steps consumers can take to raise the awareness of this issue with the businesses that they patronize.
  5. Steps businesses can take to protect their customers from this kind of fraud.

When contacted by me to participate in this podcast, representatives from AT&T declined, stating “it hasn't been an issue for AT&T, so we won't have anything to offer for your podcast.”  To me, that was a remarkable dismissal of a very very serious issue.

Other links of interest on this topic:

Bloggers commenting about this call: Oliver Starr, Dameon Welch-Abernathy 
