Jon Swartz
USA Today
SAN FRANCISCO — And consumers thought they were safe by not clicking on links in unsolicited e-mails.
Now comes a new batch of phishing scams that rely on an old tool — the phone — to trick people into giving away their personal information.
Vishing — short for voice phishing — is one of the latest iterations of phishing, a long-running e-mail scam that instructs recipients to click a link in the e-mail to confirm data such as their Social Security number and credit card number. But the link is really connected to a bogus website where the data are stolen.
Vishing has emerged as a new threat with the rise of Voice over Internet Protocol, technology that allows cheap and anonymous Internet calls.
The new batch of e-mails appears to come from PayPal, eBay’s online payment service, and — like most phishing e-mails — they warn the recipients about a problem with their account. An e-mail advises victims to call a number to verify basic data. But the number is actually recording data with the intent to steal it. The information often winds up on cybercrime forums, websites that function as digital marketplaces for stolen personal data.
Some vishing attacks don’t even begin with an e-mail. They come as calls out of the blue in which the caller already knows the recipient’s credit card number, and asks for the three-digit security code on the back of the card.
“Hackers are moving away from the Web and using something victims are more comfortable with: making a call,” said Paul Henry, vice president of technology evangelism at Secure Computing. “Consumers are programmed to enter in information on the phone. It’s a natural evolution of phishing.”
In the ruthless world of phishing, there is no shortage of sophisticated ruses for pulling a digital fast one on consumers.
Consider:
• Phishing-related losses to date are $2.8 billion, market researcher Gartner says. Victims, on average, lost $1,244 this year, compared with $257 in 2005.
• Six out of 10 banks were phishing targets in the year that ended in October, according to a Gartner survey of 50 top U.S. banks. The frequency of the attacks underscores the concern that anti-phishing measures at financial institutions and other large companies are not entirely up to snuff, Gartner analyst Avivah Litan says.
• Symantec detected 157,477 unique phishing messages in the first half of 2006, up 81% from the last six months of 2005. Home PCs were targets of 86% of security threats in the first six months of 2006, according to the Symantec report.
Incidents have soared as attacks become more sophisticated and evolve every few months, says Dennis Maicon, executive vice president of financial-services solutions at computer-security firm Digital Resolve.
And the victims are no longer just the usual targets, including customers of AOL, eBay, PayPal, Citibank and Bank of America.
Early this year, phishers began preying on customers of regional banks and credit unions.
“As large banks improve their computer defenses, phishers are moving downstream to smaller banks that don’t have the same level of security,” says George Tubin, a senior analyst at researcher TowerGroup.
The deceptive e-mail messages and websites have also gotten much craftier. One recent phishing attempt actually warned customers about phishing and asked them to update their information for security reasons. To assure wary users, the legitimate 800 phone number of a targeted company was included in the e-mail.
In others, customer names and addresses routinely appear. Previously, scams were addressed to “Dear valued (company name) member.”
“This is slick stuff,” says Ron O’Brien, senior security analyst at computer-security firm Sophos. “But as long as it works, expect more.”