Beware of vishing attacks via e-mail

The Internet Crime Complaint Center has issued a warning on the rise of vishing attacks, which are like phishing in that the attacks are propagated through e-mail, but there's a difference.

An excerpt from the IC3 site:

Vishing operates like phishing by persuading consumers to divulge their Personally Identifiable Information (PII), claiming their account was suspended, deactivated, or terminated. Recipients are directed to contact their bank via telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the bank of ..." and then requested to enter their card number in order to resolve a pending security issue.

The attack is supposedly more effective, since it tends to put the victim at ease by claims such as "No confidential information is expected by e-mail."

More information:

FBI warns of "alarming" rise in vishing attacks (PC Pro)

FBI warns of "vishing" attacks (VNUnet)

"Vishing" attacks on the rise (IDM)

10 comments
Tig2

You got an email, open a browser and look up your bank's number using yellow pages. Call the number that your browser returns. Trust no one. Or at least that is what is printed on my coffee cup.

suemccartin

Big duh, you don't check the number on the back of the card and make sure it matches? I guess Ringling was right that there's a sucker born every minute, just like I can't believe anyone falls for the Nigerian scam either.

anne.sullivan

I used to have a Capital One card, but got tired of them calling every 3 months and leaving a message from their security department and telling me to call a phone number to confirm a purchase. When I called, I got a recorded voice telling me to enter my credit card number, and the number did not match anything on my credit card or bill. Needless to say, I did NOT enter my credit card number and waited for them to call me again. After several complaints, they never changed their lame, easily copied procedures so I cancelled the card. If their security guys think that is a good way to work, they are the same kinds of idiots that would fall for this.

JCitizen

and since it was so carefully crafted I decided to contact the "real" Citizen's Bank in Denver to warn them of the fraud. I used their HTML email, not mine. After I did this the vishing emails suddenly changed, warning their users of the emails but wanting them to click a link in the email nonetheless. So either it was an inside job (unlikely), or Google doesn't have the link for the legitimate branch of this bank and is an unwitting accomplice to this (unlikely), or the actual bank is dumb enough to send out stupid email like this in the first place (who knows?). So I sent one of them to the FTC and the SEC. I doubt anything will ever come of it, unfortunately.

tjbud

It was P.T. Barnum who said it ...

dayne

The number on the back of your card is usually customer service (general) or ATM/credit automated information. Your bank's fraud/security number is not only not the same, it's often quite different. In all of my banks' communication with me I've yet to get a phone number that is the same as what's on my debit card...just FYI. Now the Nigerian scam isn't exactly on the same playing field......

John.Lewis2

I would imagine the smartest thing to do is call the number on the back of the card or another known bank number before calling the number in the email. Ask your bank about the new number and verify if it belongs to them; if not, let them know about it.

Absolutely

The smartest thing is to do ALL banking in person.