Networking

Does VoIP make it easier for scammers?


If you're considering switching from the traditional public switched telephone network (PSTN) service to VoIP, you might be wondering whether the change will make you more vulnerable to scammers, help protect you from common scams, or not make much difference at all.

Con games are about as old as human history; there will always be people around who attempt to use deception to persuade others to do something -- often, to give them money or something else of value. In today's electronic world, that something else may be passwords used to access various accounts at financial institutions, etc., or it might be credit card numbers and similar information used to obtain goods and charge them to someone else.

Most jurisdictions have fairly broad laws against fraud that cover both in-person and online scams, and many are now enacting legislation to deal specifically with the types of fraudulent schemes commonly perpetrated over the Internet. How much of a threat is VoIP? Let's take a look.

VoIP phishing: Vishing

Phishing is one of the biggest problems facing computer users today. The traditional form of phishing involves sending e-mail messages with links that direct unsuspecting users to Web sites designed to look like the sites of legitimate companies, where those users are conned into entering their personal information. The scammer who owns the site can then collect the data and use that information to access the victim's accounts or steal his or her identity and open new accounts in his or her name.

What does all this have to do with VoIP? Scams are steadily growing more sophisticated, and many of today's scammers incorporate telephony into their con games. That's because security specialists and law enforcement representatives have begun to warn the public against responding to e-mail messages or entering sensitive information into Web forms. They advise using the telephone instead -- to verify that you're really dealing with the entity you think you're dealing with.

But scammers are good at staying a step ahead. Thus, a new threat is emerging on the horizon: Vishing, short for VoIP phishing. It's a variation of the phishing scam that uses VoIP to exploit this advice that many people are getting to use the phone when communicating sensitive information.

Why VoIP is vulnerable

The problem is that with VoIP now widespread, scammers can use VoIP lines to set up sophisticated automated systems that appear to the caller to be the kind of system they would encounter when calling a large company. And these scammers can do it without needing much equipment, personnel, or money. Low or no-cost IP PBX software such as Asterisk allows them to do this easily.

VoIP phone numbers look just like any landline number, so callers can't easily tell that they're dialing a VoIP number rather than a landline. And you can get a VoIP number with an area code in a completely different geographic location from your own physical location. It's also easy for technically-savvy scammers to engage in caller-ID spoofing, so the victim doesn't even see the scammer's real VoIP number on the caller ID display.

After setting up the VoIP system, the scammer includes the phone number to call when asking victims to "verify account information," rather than asking them to provide their information on a Web site. Having a phone number to call reassures victims, making them believe in the legitimacy of the request.

They call the number and connect to an automated voice mail menu system that resembles that of a large company, which further reassures them. Then they give out their addresses, phone numbers, social security numbers, bank account numbers and all kinds of other personal information that they would be reluctant to send over the Internet.

The scammer usually uses some sort of automated recording or computerized speech synthesizer to create messages (such as a warning that the user's account has had suspected fraudulent activity), and they often instruct users to enter their credit card number via the telephone keypad, rather than allowing them to talk to a real person. Unfortunately, we're all so used to big companies doing business this way that it doesn't arouse many suspicions.

Speech synthesis might seem like a highly sophisticated and expensive feature, but don't let that fool you. In fact, scammers can use free programs such as Festival in conjunction with free IP PBX software such as Asterisk.

Because of the low cost of sophisticated software that runs on standard computer equipment and because of the flexibility and features that make VoIP desirable for individuals and businesses in comparison to PSTN, it's also attractive to those with ulterior motives.

On the other hand

But there's a flip side to this coin. If you use VoIP yourself, those same user-friendly features can help give you some limited protection against the scammers. Just as it's more difficult for you to determine their numbers via caller ID, it can be more difficult for them to determine yours.

Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.

Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

8 comments
judy.shapiro
judy.shapiro

I am less worried about scammers as I am about the reliability of the service provider!!!! I am really trying to find a VoIP provider who has been around and won't have trouble like Sunrockert or Vonage. Anyone have a suggestion -- the only one I came up with that meets the criteria is Net2phone. Am I crazy to still want VoIp?

colin.hempsey
colin.hempsey

It doesn't really matter as PSTN networks are preparing to switch over to VOIP networks. Take British Telecomms 21CN for example.

tonyfriendly
tonyfriendly

Very poor article,useless waste of bandwith.

NickNielsen
NickNielsen

Anybody with half a lick of common sense won't get caught. If I get a message purporting to be from my financial institution, I will use the regular, [b]known[/b], number to contact that institution and not the number in the message/pitch. Even better, when possible, just eliminate the telephone or email entirely and visit your local branch.

brianmilke
brianmilke

Sounds like making it a policy to talk to a CSA only, and not inputting your personal information following voice prompts would be the safest way to avoid this kind of trouble. Question is, how do you get to a real person?

benwaystudios
benwaystudios

I was looking for some of the actual "fight-back" methods.

matthew.conquergood
matthew.conquergood

I rarely - if ever - comment on websites, but your post starts off with a title asking whether VoIP makes "it" easier for scammers. You then open the post by saying: "If you?re considering switching from the traditional public switched telephone network (PSTN) service to VoIP, you might be wondering whether the change will make you more vulnerable to scammers, help protect you from common scams, or not make much difference at all." Although you (half) answered this question in the last two sentences of the post, your post is actually dedicated to something different. Please title your posts with something more clear, and then, if you open the post with an explanation of what you're trying to discuss, please actually discuss it, rather than filling our blog-reading time with garbage unrelated to the subject matter. This post was really, really weak. Poor content, poor editing, poorly thought out.

melvins-12449368
melvins-12449368

Judy I have been using Voicepulse (VoIP Provider) for years and are excellent both in service and in tech support. They have two buttons to push when you call, 1 is for "Billing" and 2 is for "Support" Thats it. And you usually get support within a couple of rings and I have never waited more than a couple of minutes for someone to help me. They have multitudes of extras, and also if you are having difficulties with bandwidth, they have a bandwidth adjustment that you can make on their website to suit your needs from low to high. Currently my plan is local plus 200 minutes of LD for $14.99 per month. What makes this plan unique is that the local calling area (LCA) is expanded to include other area codes which the PSTN (Sprint)aka (Embarq) did not. Features include a block for anonymous callers as well as a block for known marketers. Also your phone number is not available in phone books etc. for marketers to search for. Emergency 911 is available as well. Check it out at www.voicepulse.com. I think you will find it interesting.