Does VoIP make it easier for scammers?

If you're considering switching from the traditional public switched telephone network (PSTN) service to VoIP, you might be wondering whether the change will make you more vulnerable to scammers, help protect you from common scams, or not make much difference at all.

Con games are about as old as human history; there will always be people around who attempt to use deception to persuade others to do something -- often, to give them money or something else of value. In today's electronic world, that something else may be passwords used to access various accounts at financial institutions, etc., or it might be credit card numbers and similar information used to obtain goods and charge them to someone else.

Most jurisdictions have fairly broad laws against fraud that cover both in-person and online scams, and many are now enacting legislation to deal specifically with the types of fraudulent schemes commonly perpetrated over the Internet. How much of a threat is VoIP? Let's take a look.

VoIP phishing: Vishing

Phishing is one of the biggest problems facing computer users today. The traditional form of phishing involves sending e-mail messages with links that direct unsuspecting users to Web sites designed to look like the sites of legitimate companies, where those users are conned into entering their personal information. The scammer who owns the site can then collect the data and use that information to access the victim's accounts or steal his or her identity and open new accounts in his or her name.

What does all this have to do with VoIP? Scams are steadily growing more sophisticated, and many of today's scammers incorporate telephony into their con games. That's because security specialists and law enforcement representatives have begun to warn the public against responding to e-mail messages or entering sensitive information into Web forms. They advise using the telephone instead -- to verify that you're really dealing with the entity you think you're dealing with.

But scammers are good at staying a step ahead. Thus, a new threat is emerging on the horizon: Vishing, short for VoIP phishing. It's a variation of the phishing scam that uses VoIP to exploit this advice that many people are getting to use the phone when communicating sensitive information.

Why VoIP is vulnerable

The problem is that with VoIP now widespread, scammers can use VoIP lines to set up sophisticated automated systems that appear to the caller to be the kind of system they would encounter when calling a large company. And these scammers can do it without needing much equipment, personnel, or money. Low or no-cost IP PBX software such as Asterisk allows them to do this easily.

VoIP phone numbers look just like any landline number, so callers can't easily tell that they're dialing a VoIP number rather than a landline. And you can get a VoIP number with an area code in a completely different geographic location from your own physical location. It's also easy for technically-savvy scammers to engage in caller-ID spoofing, so the victim doesn't even see the scammer's real VoIP number on the caller ID display.

After setting up the VoIP system, the scammer includes the phone number to call when asking victims to "verify account information," rather than asking them to provide their information on a Web site. Having a phone number to call reassures victims, making them believe in the legitimacy of the request.

They call the number and connect to an automated voice mail menu system that resembles that of a large company, which further reassures them. Then they give out their addresses, phone numbers, social security numbers, bank account numbers and all kinds of other personal information that they would be reluctant to send over the Internet.

The scammer usually uses some sort of automated recording or computerized speech synthesizer to create messages (such as a warning that the user's account has had suspected fraudulent activity), and they often instruct users to enter their credit card number via the telephone keypad, rather than allowing them to talk to a real person. Unfortunately, we're all so used to big companies doing business this way that it doesn't arouse many suspicions.

Speech synthesis might seem like a highly sophisticated and expensive feature, but don't let that fool you. In fact, scammers can use free programs such as Festival in conjunction with free IP PBX software such as Asterisk.

Because of the low cost of sophisticated software that runs on standard computer equipment and because of the flexibility and features that make VoIP desirable for individuals and businesses in comparison to PSTN, it's also attractive to those with ulterior motives.

On the other hand

But there's a flip side to this coin. If you use VoIP yourself, those same user-friendly features can help give you some limited protection against the scammers. Just as it's more difficult for you to determine their numbers via caller ID, it can be more difficult for them to determine yours.

Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.

Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!