Your phone may be under attack

Demonstrating how well live vishing calls can work, Jim Stickley, the chief technology officer for TraceSecurity, a security compliance software firm, has used his own version of the scam on bank workers.

Hired by bank executives to perform security assessments, his team pilfers customers' phone numbers and e-mail addresses from unshredded papers and sticky notes thrown away by employees. He then poses as a bank employee and leaves messages on the answering machines of customers during business hours. The message would claim that while working with the customer's account, an anomaly was discovered.

He uses the e-mail addresses to send out a message urging customers to call an 800 number, even providing a bogus reference ID number to make the message appear legitimate. When someone dials the 800 number, the call forwards to his cell phone. He then asks for the reference ID number and the person's name, account number and Social Security number -- for "security verification purposes," no less. "They'll give you anything you want at that point," he says.

Customers then are told their account was now processing.

Asked whether the calls were generally successful, he says, "It works every time they call back."

How to protect yourself

Though most vishing scams don't use the personal approach, Stickley says you should distrust the number on the caller ID or the number left in suspicious phone messages. Caller ID systems can be hacked to say anything, and VoIP providers let you assign any area code to a phone number. "Use the number on the back of your cards," he says. "If the call was legitimate, the bank would know that number, too."

As someone who has made many believable vishing calls, he recommends just hanging up if someone who claims to be from your bank calls. Again, contact your bank using the number from your bank card and ask them about the call.

Don't attempt to verify the call by asking for your account number. The scammer may already have it, says Paul Henry, vice president of strategic accounts for Secure Computing. Better to politely end the call. Otherwise, you could surrender vital information to con artists.

Armed with your personal financial details, scammers can do a number of things, says FBI spokesman Paul Bresson. They can commit identity theft, make purchases in your name, apply for a loan or trade your data with other scammers. In other words, guard this information as if you were guarding the Holy Grail.

Even though banks and creditors do use e-mail and phone to communicate with customers, they don't employ these tricks.

Take action

If you receive what you think is a vishing e-mail or phone call, call your bank or creditor, using the number on your card and ask if they tried to contact you.

If you find out your bank, creditor or escrow service didn't contact you, notify them, as well as the Internet Crime Complaint Center and the Federal Trade Commission. Forward the e-mail to spam@uce.gov. Visit the FTC's identity theft Web site if you've responded to a vishing e-mail.

E-mails spoofing PayPal should get sent to spoof@paypal.com. This article was written and reported by Leslie Hunt for Bankrate.com.

Updated Feb. 5, 2009

< previous |  1 | 2 |