Vishing: Personalised fraud using technology

Sapna Agarwal Pune
Last Updated : Jun 14 2013 | 6:03 PM IST
Virus attacks are no more just virtual. They now have a voice and are getting more personal.
 
Imagine this. You receive an e-mail which warns you that your bank or PayPal account has been compromised and immediate action is required.
 
However, instead of a website link you're cajoled into dialling a phone number where an automated voice message greets you: "Welcome to account verification. Please enter your account number."
 
Instead of an e-mail you may even get an actual phone call. The caller, who already knows your credit card number (adding to the legitimacy), now asks for the three-digit code on the back of your card.
 
The content of the incoming message is designed to trigger an impulsive reaction from you. It generally uses upsetting or exciting information; demands an urgent response; or uses a false pretense. If you're gullible, you give in and become a victim.
 
Hackers are now using a combination of voice over internet protocol (VoIP), SMSs and the Internet to fool and redirect users into dialling a phone number to collect critical information for financial gains. Called vishing (or voice phishing), it differs from phishing wherein users were redirected to a website and literally frightened into parting with financial information.
 
Phishing-related losses have been estimated at $2.8 billion with a single victim losing $1,244 in 2006, compared with $257 in 2005, according to Gartner.
 
With six out of 10 banks being phishing targets last year, "The awareness of phishing has increased amongst users and hence there has been a drop in its success rate," says Vijay Mukhi, president, Foundation of Internet Security and Technology (FIST).
 
The success of vishing attacks will be greater than that of phishing, Srikiran Raghavan, regional head, RSA, said. He added, "People will be more susceptible to talk to an automated system and feed in confidential information like credit card numbers and other such important information rather than clicking on a website link."
 
Customers reverting to the false numbers provided by hackers feel a sense of security on hearing the familiar automated response system and thus are more likely to feed in their confidential data.
 
"This makes banks and financial institutions with automated response systems prime targets for vishing attacks," observes Manish Bansal, regional marketing manager-South East Asia and India, Websense.
 
The success of vishing lies in its ability to exploit an individual's trust in the landline telephone. According to Wikipedia, the victim is often unaware that VoIP allows for caller ID spoofing.
 
The first incidents of vishing were recorded in mid-June 2006. Since then, the attacks have been growing at the rate of 0.03 per cent worldwide, according to a report released by MessageLabs.
 
According to Mukhi, this was a phenomenon waiting to happen. Vishing is hard for legal authorities to monitor or trace.
 
"With VoIP becoming cheap, a vishing attack can originate from anywhere globally even though the number may appear to be a genuine local number, thus making it difficult for authorities to stop the fraud," says Kartik Shahani, sales director, McAfee India.
 
The only way out is for consumers to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers.
 
"Rather than provide any information, the consumer is advised to contact their bank or credit card company directly with numbers provided by the bank on the back of the credit card. Verifying the validity of the message could save the customer a lot of trouble," said Srikiran.
 
PHONY CONVERSATIONS
 
The vishing trap
 
  • Typically an incoming recorded telephone message uses a spoofed (fraudulent) caller ID matching the identity of a misrepresented organisation
  • The message uses an urgent pretext to direct unsuspecting users to another telephone number
  • The victim is invited to punch their personal information on their telephone keypad
  • Criminals capture the key tones and convert them back to numerical format

Personal information at risk:

  • Payment card information (numbers, expiry dates and the last three digits printed on the signature panel)
  • PIN (Personal Identification Number)
  • Bank account numbers
  • Passport number

Uses of the information:

  • Control of your financial accounts
  • Open new bank accounts
  • Transfer bank balances
  • Apply for loans
  • Credit cards and other goods/services
  • Luxury purchases
  • Hide criminal activities
  • Obtain a passport.

Preventive steps:

  • As a general rule, be suspicious when receiving any unsolicited incoming communication
  • Never provide personal information in these circumstances
  • Never rely solely on your telephone caller ID function

    First Published: Jul 31 2007 | 12:00 AM IST