In a classic phishing scheme, criminals try to dupe consumers into revealing personal information about themselves using fraudulent emails. Victims receive email purporting to be sent by a financial institution or a prominent business (eBay is a frequent target, for example). Within the email are links to various websites, including valid links to the financial institution’s web site, and links to the fraud artist’s web site, which is designed to be identical to the user’s financial institution’s site. When users “log in” to the false website, their login credentials are captured and can then be used by the criminals.
An emerging variation on the phishing attack is voice phishing — the use of a voice response system instead of a web site to dupe the unsuspecting consumer. Typically the crooks make a series of calls to the institution (such as a bank) that they’re pretending to be, and record all of the prompts that the bank uses. They then construct an identical voice response system using a cheap telecom platform like the Open Source Asterisk platform.
Victims are sent either an email asking them to call an 800 number, or they receive a recorded message from the business that they patronize asking them to call an 800 number. The reason given is usually “to discuss your account”, or some such. Then when the call is made, the victim may be instructed to enter credit card information into the telephone in order to “update your account”. Very sophisticated criminals may answer the phone and ask the usual questions – name, address, date of birth, social security number – to confirm identity, and then ask for the credit card number. In either case, unsuspecting consumers expose themselves to identity theft.
The FBI has noted that criminal use of phone systems, and in particular phishing attacks, is on the rise. On January 17th, 2008, they took the step of issuing a consumer warning about these kinds of attacks, instructing consumers about how to protect themselves.
Despite this, major American corporations such as AT&T and American Express are beginning to adopt the same technologies as a means to contain costs. AT&T, for example, often uses an autodialer to call customers and instructs them to call an 800 number to speak with a representative “about an important issue concerning your account”. The tactics that these corporations employ are identical to those that criminals employ. Whether through negligence or simply a misunderstanding of the issue, corporate America is conditioning its customers to become victims of these scams.
This morning's call was to discuss this issue. On the recording you can hear representatives from BT, the VoIP Security Alliance, and the usual group of opinionated commentators. Notably missing was AT&T, who declined to attend, as they didn't feel it was an issue they were facing.
In addition to the recording, I've also assembled some other resources that you may find useful.
- A short printable document that describes voice phishing schemes, and how to protect yourself from them. Feel free to forward this to friends and family.
- For US residents, if you would like to know the latest FBI recommendations, please visit www.ic3.gov. In Canada, visit www.phonebusters.com.
- US Consumer Fraud statistics, as collected by the FTC. Canadian statistics, as collected by PhoneBusters.