Network News

X My Profile
View More Activity

'Vishing': Dialing for Dollars

Long before e-mail and phishing scams, criminals were using public telephone networks to trick people into giving away their financial and personal information. Last week, security experts spotted another sign that crooks are finding success in scams that marry new and old technologies.

Most phishing scams start with an e-mail that for one reason or another instructs recipients to "update" their account information by entering personal and financial data at a (counterfeit) Web site linked to in the message. An e-mail scam spotted last week by online security vendor WebSense and the folks at CastleCops directs recipients to dial an 800 number, where a recording requests that callers enter their bank account number using a touch-tone phone. You can read more about this scam here. WebSense also has recorded a .wav file of the message.

With the growth of VoIP and Internet-based telephony services that make it easier for callers to mask their identity and location (including caller ID spoofing services), I'd look for these types of scams to become even more prevalent.

Last month, I spoke with Lynn Goodendorf, vice president of privacy for InterContinental Hotels Group PLC. She told me about a scam that has apparently become quite common in the Atlanta area (and probably other U.S. cities) where crooks call someone and pretend to be from the local clerk of the court's office, asking why the person failed to respond to a jury summons. Ignoring a jury summons can result in a judge issuing a bench warrant for your arrest, but in this scam the callers say the problem can probably be straightened out if the person provides his or her name, Social Security Number and other personal data.

"This scam works because it really throws people off balance or into a panic," Goodendorf said. Imagine the panic that sets in after you fork over your information to one of these low-lifes.

By Brian Krebs  |  June 26, 2006; 3:18 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Security Update Available for Winamp
Next: The Scoop on the m00p Group

Comments

There is even another possibility Brian. The old foreign call back scam. It the modern age it would take the form of an email from some authority telling you to call a number to clear up some important matter. You call the number and are apparently put on hold or the receiver is set down. You hear authentic background noises. All the time your phone bill is racking up dollars per minute!

-Stiennon

Posted by: Stiennon | June 26, 2006 8:04 PM | Report abuse

>>Ignoring a jury summons can result in a judge issuing a bench warrant for your arrest,

"What jury summons?"
http://www.karendecoster.com/blog/archives/001120.html

Posted by: Mark Odell | June 26, 2006 9:50 PM | Report abuse

Mark -- Haha. That's a riot. That's just asking for trouble admitting that in a blog. Thanks for the pointer.

Posted by: Bk | June 27, 2006 9:05 AM | Report abuse

I will be speaking on this exact topic at the upcoming Blackhat Las Vegas:

http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Schulman

After listening to the WAV file, these are poor imitations using a text-to-speech converter. As people get more advanced attacks, these will get much harder to combat.

Posted by: Jay Schulman | June 27, 2006 10:33 AM | Report abuse

Yikes! I followed the Black Hat link above and was amazed (OK, I'm naive!) at the extent of exploits and the resources amassed to counter them (thank heavens!). Hopefully, not too many baddies attend this event.

Posted by: Pete from Arlington | June 27, 2006 11:22 AM | Report abuse

I got a call from bankcard services stating that I could get a lower rate, Is this another scam? No bank named, just to call. hmmmm...besides the I won the lottery scams, how many more are out there????????

Posted by: joyce | June 27, 2006 12:20 PM | Report abuse

Brian,

>>That's just asking for trouble admitting that in a blog.

How so?

Posted by: Mark Odell | June 27, 2006 12:59 PM | Report abuse

In my experience courts send:
A. Good old-fashioned paper based threats [or as our friends in the law refer to them summons].
B. Strapping, great gorillas in some species of uniform.
They tend not to phone you up 'to clear things up'.
A nice scam we have running in the UK goes like this. Genuine employees of one of our many utilities come to your house asking for your account details, and if you are stupid enough to supply them [the British hate to say 'no' to someone with a badge, even a cheap plastic ID. They then swap your account from your original utility to their own company.
We need to get the message across that even seemingly trivial personal data is personal property, not corporate or government's. To quote [I believe] Barbara Bush, 'Just say no!'

Posted by: Sim | June 28, 2006 11:38 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company