


As Internet users learn not to divulge confidential information on websites, phishers move to new, uncharted territories. Their newest weapon is called “vishing”, as in “Voice Phishing”. It relies on Internet telephony to trick users into handing over their private data. Here’s how “vishing” works and how you can protect yourself against it.

Revisiting the old-fashioned email phishing

We all know about regular email phishing: hackers send mass email messages announcing an “urgent account problem” with some service provider (usually a well-known bank, ISP or merchant).

Recipients are then asked to visit a particular website to clear up the problem. Of course, those who are not customers of the service in question will ignore the email. But a fraction of recipients will indeed be concerned, and some of these will click on the suggested link to go to the service provider’s website.

The site may seem legitimate, but it is really a fake. The link in the email was booby-trapped to show a legitimate destination but it actually redirects to a server owned by the hackers. When asked to “confirm” confidential data (usually an account login and password) on the fake site, users are in fact providing the information to the hackers. This account information is immediately stolen and used to commit ID fraud.

Playing phone games
This is regular email phishing. But as consumers get wise to online phishing, thieves are now exploiting new Internet-based phone services:

  • Thieves use email or automated phone messages to notify consumers of “account problems.”
  • Recipients are asked to call a toll-free number to resolve the problem.
  • When victims call, they hear what sounds like a legitimate automated phone message.
  • Victims are asked to provide account numbers, passwords or Social Security numbers, which are then sold on the Internet and used to commit identity fraud.

A problem of trust
By seeming to take their victim out of the “web” realm, hackers induce a false sense of security. People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical. Moreover, vishing mimics one of the legitimate ways people interact with their financial institutions, a channel that has been touted as the safer one. After all, many institutions advise calling by phone when in doubt. So victims are more likely to respond without hesitation to a vishing trap.

But VoIP service has brought together the Internet and telephone worlds, and makes such attacks easier and more cost-effective.

  • Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost.
  • Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses—even matching the on-hold music.
  • Traditional anti-phishing tools cannot easily detect a false telephone number within an email text, so protection against vishing is up to the user.
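To illustrate the detection gap in the last bullet, here is an added example (not from the original article) of a simple heuristic a mail filter could apply: flag messages that combine urgency language with a callback number the named institution does not publish. The institution name, its list of published numbers and the two sample messages are all constructed for the example.

```python
import re

# Constructed allowlist of an institution's published support numbers (hypothetical).
KNOWN_NUMBERS = {"examplebank": {"8005550100"}}

# Phrases typical of the "urgent account problem" lure described in the article.
URGENCY_TERMS = ("urgent", "suspended", "immediately", "verify", "confirm", "account problem")
TOLL_FREE_PREFIXES = {"800", "833", "844", "855", "866", "877", "888"}

# North American numbers written with or without a leading 1, parentheses, spaces, dots or dashes.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")


def extract_numbers(text):
    """Return every phone number found in the text, normalised to ten digits."""
    return ["".join(parts) for parts in PHONE_RE.findall(text)]


def score_vishing_lure(text, institution):
    """Heuristic score for a message: urgency language plus a callback number
    that the named institution does not publish. Returns (score, reasons)."""
    lowered = text.lower()
    score, reasons = 0, []
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        score += 1
        reasons.append("urgency language: " + ", ".join(hits))
    known = KNOWN_NUMBERS.get(institution, set())
    for number in extract_numbers(text):
        if number in known:
            continue  # a number the customer could verify independently
        score += 2
        reasons.append(f"callback number {number} is not a published {institution} number")
        if number[:3] in TOLL_FREE_PREFIXES:
            score += 1  # toll-free lines are cheap to provision over VoIP
            reasons.append(f"{number} is a toll-free number")
    return score, reasons


# Constructed sample messages, not real mail.
SAMPLE_LURE = ("Subject: URGENT: your account has been suspended\n"
               "Unusual activity was detected. Call our automated line immediately\n"
               "at 1-888-555-0142 to verify your account details.")
SAMPLE_LEGIT = ("Subject: Your monthly statement is ready\n"
                "Questions? Call 800-555-0100, the number printed on your card.")

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_vishing_lure(msg, "examplebank")
        print(f"{label}: score={score}", *reasons, sep="\n  ")
```

The allowlist is the key: a filter cannot tell a fraudulent toll-free number from a genuine one by its shape, only by comparing it with numbers the institution is known to publish.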

How to protect yourself

Common sense is the only true universal weapon when ID theft is involved!

  • Never respond to an email or voice mail that asks you to go to a website or to call a phone number to resolve an account problem. These are never legitimate.
  • If there is any question, call the merchant or institution at a number you know is genuine - either one found on the regular website (after having entered the address yourself!) or in the Yellow Pages.

Conclusion
There is no need to be alarmed: Vishing is still relatively rare. But it pays to be alert whenever giving out your identity information, no matter what the medium. Never respond to an email or automated phone call that asks you to clear up an urgent problem: if it were urgent, they’d contact you personally and they would be in a position to prove they actually know you.