Cell Phones: The New Phish Food
Last year, we started to see cases of voice phishing or "vishing" attacks. That's when bad guys send e-mails urging people to call an automated 1-800 number that prompts callers to enter their credit card data. Now scammers are targeting mobile phone users by luring would-be victims with short text messages - can "tishing" be far behind?
News of this latest twist on phishing comes from Paul and Robin Laudanski, the husband and wife founders of the anti-phishing and security group CastleCops. Robin received a questionable text message on her Verizon mobile phone. It alerted her that she had exceeded her cell-phone plan's allotted number of text messages, and urged her to call a 1-800 number to purchase additional minutes.
The duo called the non-Verizon number. A man -- not an automated system -- answered and asked for her mobile telephone number. They promptly hung up.
When I tried the number yesterday evening, I was redirected to a message with a woman's voice that said: "Thank you for your interest in Verizon Wireless. Our offices are currently closed. Please call back during normal business hours." Robin said she'd alerted federal law enforcement about the scam and confirmed with a Verizon technician that the 800 number did not belong to the phone company.
Obviously this bait could have been made more alluring. The lure in this case used common text-messaging abbreviations and slang, but it is likely that a true text message from your wireless provider would contain complete, grammatically correct sentences.
This kind of attack has the potential to be very effective. My wireless phone is a Treo 650. It converts phone numbers appearing in text messages into clickable links that dial the linked phone number if you click on it anywhere on the phone's touchscreen.
Robin and Paul include some good advice for anyone who receives one of these solicitations: Don't call the number. Robin said she had alerted federal law enforcers about the scam. She also confirmed with a Verizon technician that the 800 number was not affiliated with the phone company.
Much like replying to spam is a bad idea, text message scammers probably found your number randomly. They often use a computer program that blasts their message to all number variations on a given telephone number prefix associated with a mobile provider. A return call to the scammers confirms for them that they pinpointed a working number. It also could increase your chances of receiving other scam messages.
Google the phone number to see if it is a valid 800 number owned by the company in question. When I did a search for this number, it turned up a single hit on an 800 number directory, which said the phone number was registered to a person or business in Maryland. If you determine that the text message contains fraudulent information, don't delete it. Find the official 1-800 number of the company and give them a call to report the fraud. The firm may ask you to forward it to assist in an investigation.
Posted by: twosox | February 10, 2007 9:31 AM | Report abuse
Posted by: Bredd | February 16, 2007 5:01 AM | Report abuse
The comments to this entry are closed.