Geez. How many more ‘ish’es are there?
A few weeks ago I told you about phishing and smishing. I thought there would be no more ‘ish’es.
I was wrong.
Now, ladies and gentlemen, for your security scam reading pleasure, I present: Vishing.
Basically, vishing (derived from a combination of “voice” and “phishing.”) has the same intent that phishing (and smishing) does, but it takes the form of landline phones to try and scam you into revealing personal information such as your credit card number, your social security number, your bank account number, your PIN number, etc. You know the calls you get that display an unknown number on your caller ID? They can be from any area code, an 800 number, whatever. And they can be a source of a vishing attempt.
There are a few different ways to “vish”. Here are a couple of examples.
Scenario number 1:
You go out to dinner, and when you come home you check your voice mail to see if anybody called. You play your voice mail and this is the message:
“Hello, this is Mary at ABC Electric Company. I am calling you to confirm the schedule of closing your account. At the present time, all power to your address will be terminated tomorrow morning, June 8, at 8:00 AM. Our records indicate that you have a past due balance. Please call customer support at 1-800-1111 to arrange for final bill payment.”
Of course you have no intention of closing your account, and you pretty much freak out and grab the phone. You call the phone number given in the message and ABC Electric Company comes on, giving you an automated way to avoid the closure of your account. You are asked to put in your social security number and the credit card number on your account to verify that you are indeed the person responsible for your account. After you punch in both numbers, the line goes dead. You are now the victim of a Vishing attack.
You’re watching TV in your living room at 8:00 in the evening and the phone rings. You check your caller ID and it is your bank. You pick up the phone.
“Hello, this is ABC bank. In the past hour there have been three unsuccessful attempts to access your account. To secure your accounts and protect your private information, ABC bank has locked your account. We are committed to making sure that your online transactions are secure. Please call our Security department at 1-800-Blah-Blah-Blah.”
Of course you have not made “three unsuccessful attempts to access your account in the past hour”; you have been sitting in your living room watching reruns of MASH. You hang up, panicky, call the bank, and you are greeted with something like this:
“Thank you for calling ABC bank. Your call is important to us. To help direct you to the appropriate department, please listen to the following, as our menu options have changed.”
• For Checking or Savings, press 1.
• To activate a debit card, press 2.
• To place a stop payment on a check, press 3.
• To be connected to a department, press 4.
• For all other inquiries, press 0.
You press 4 and the automated system instructs you to identify yourself.
“The security of our customers is important to us. To proceed further, we require that you authenticate your identity before proceeding. Please type your bank account number, followed by the pound sign.”
You enter your bank account number and hear the next prompt:
“Thank you. Now please type your Social Security number, followed by the pound sign.”
You enter your Social Security number and again receive a prompt from the automated system:
“Thank you. Now please type your PIN, followed by the pound sign.” You enter your PIN and hear the next prompt:
“Thank you. We will now transfer you to the appropriate department.” The line will go dead or – even worse – you will be transferred to the real ABC bank, talk to an agent, and find out that you have become a victim of a vishing attack.
So how is all of this done? Can’t they just trace the calls?
When you were a kid, did you ever make prank phone calls? (“Do you have Prince Albert in a can? <Yes> Then you better let him out!”)The thing that was different about then and now is that in the “old” days, a phone call started and stopped at a physical place (a building, a house, etc.) that the telephone company knew about, thereby enabling them to trace the call back to a specific bill payer. Vishing attacks are much harder to trace, because they use VoIP  (Voice over Internet Protocol), which means starting and ending a call on a computer that can be located anywhere in the world.
And how does your electric company or bank come up on your caller ID when it’s from an attacker? They “spoof ” it. There are companies out there, like Spoofcard, that allow you to “spoof” your number so that whoever you’re calling doesn’t know that it’s you, and you can put in any number you that you want displayed. Knowing this, it is no surprise that vishing attacks can look perfectly legitimate on a person’s Caller ID. Check out the website for the legalities of “spoofing” your number – sometimes it’s legal, sometimes it’s not. (Google it! You, too, can spoof your number if you want to.)
Protecting yourself from a vishing attack is pretty easy.
#1: Never call the number given to you or on your Caller ID (unless it’s a number from a friend, relative, etc.). I know it’s a pain, but take the time to look up the legitimate number and then call it. A bank or a credit card company can tell right away if there is any problem that they have tried to contact you for.
#2: Never give out any personal information – to anyone! This actually goes for any type of request for personal information. Just an FYI: Legitimate companies do not ask for your social security number – ever!
#3: Try to remember to check the address in the address bar; if ABC bank is writing to you and you see http://www.joephisher.com in the address bar, then you know it’s not legitimate.
In re-reading my original (phishing) article, I realized that I needed to clarify something for you. The term phishing is no longer used just for e-mail scams. It is the generic term for any type of scam that falsely claims to be a legitimate business in an attempt to entice a victim into giving up personal information that will be used for identity theft. Smishing and vishing are two different examples of phishing. Phishing is perhaps the most commonly exploited threat currently plaguing the Internet and its users.
Whew. I think that’s enough, don’t you? Just don’t open any e-mails, click on any links, make any calls, believe any voice mail asking you to make a certain call to a certain number, or text anybody and you should be good to go.
Happy communicating this week!
~ Lori Cline