Phone Phishing

There’s a new type of phishing scam on the horizon. It’s one that mixes the traditional methods, such as sending bogus e-mails, with social engineering techniques. Don’t let it catch you off guard!

As you probably know by now, the term phishing refers to an attempt to gain personal information from end users by spoofing legitimate companies and financial institutions such as PayPal or eBay. To do this, an attacker sends a message (usually an e-mail) stating that there is some sort of serious issue with your account and that, to take care of it, you need to log in with your account information at their site, which is, of course, fake.

Once this is done, the attackers have the information they want, which puts the ball squarely in their court. This has been a very successful avenue for attackers in the past. They have been able to harvest users’ personal information with ease. Lately, however, the public is getting a little wiser to these sorts of attacks and we aren’t so easily fooled anymore.

Well, the one thing about hackers is that they are resilient. You stop one method and they shortly figure out another. The new method appears to be a hybrid phishing attack that blends technology and traditional methods with the misplaced sense of security that comes from speaking with someone on the phone.

This is where phone phishing comes in. Phone phishing is becoming very popular, yielding a high success rate. The concept remains the same: fool someone into giving you personal information by impersonating another company, but the execution has a slight twist. There are a few different styles of phone phishing, with the most popular being when an attacker instructs the user to call a customer service number in order to rectify the bogus situation.

On the other end of the line, it could be a fake customer service representative or an automated message. It doesn’t matter. Either way, they are going to ask you to divulge personal information. This method has not been in use that long, but it is notably successful. People tend to feel more comfortable giving their information out over the phone instead of the Internet, especially when they feel they are safe.

There are variations of phone phishing, which I have summarized below:

  • Some methods take advantage of the content-rich smartphones that are out there today, which can send and receive instant messages as well as e-mail. These are both more traditional methods of phishing that have proven to be highly successful in the past.

  • There is a method of phone phishing that is identical to the method listed above, but instead of being directed to a phone number, you are instructed to go to a Web site, which is, of course, fake, and which then requests your personal information.

  • A less traditional phishing scam (but still in the same family) is the method in which an attacker uses a police scanner to help capture cell phone calls. This is primarily a risk for older analog phones that have little encryption on the audio transmission. With the newer digital phones, this isn’t an issue due to the encryption placed on the audio. With analog phones, however, it is quite easy to steal audio from a transmission and, as a matter of fact, Newt Gingrich had a cell phone conversation tapped by someone using a common police scanner.

Fortunately, there is one easy way to defend yourself against any phishing scam. Simply remember to never respond to communication that asks you to call, e-mail or go to a Web site and log in with your personal information. Instead, always go out to the site on your own and log into your account. If there are any issues with your account, you will see them there and you will be able to fix them. The same goes for a customer service number given to you via e-mail. Use the phone number from one of the company’s Web sites or from your billing information, if you have it. These steps will keep your information safe online and over the phone.

~ Chad
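
The defense described above (never trust a callback number that arrives in the message itself) can be automated as a mail-screening check. The following is an added example, not part of the original article: the brand name, the trusted-number list, the cue words and the sample messages are all constructed, and the pattern assumes North American number formats only.

```python
import re

# Constructed allowlist: numbers copied from the company's own Web site or a
# billing statement, never from an incoming message. Values are made up.
TRUSTED_NUMBERS = {"examplebank": {"+18005550100"}}

# Assumption: 10-digit North American numbers with an optional +1 / 1 prefix.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
CALL_CUES = re.compile(r"\b(call|dial|phone|contact)\b", re.I)
URGENCY_CUES = re.compile(
    r"\b(suspend|locked|unauthori[sz]ed|verify|immediately|urgent)\w*", re.I)

def extract_numbers(text):
    """Return every phone number in the text, normalized to +1XXXXXXXXXX."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}

def review_message(brand, body):
    """Return (verdict, numbers in the message that are not on the trusted list)."""
    trusted = TRUSTED_NUMBERS.get(brand.lower(), set())
    unverified = sorted(extract_numbers(body) - trusted)
    if unverified and CALL_CUES.search(body):
        # The message asks for a call to a number we cannot vouch for.
        urgent = bool(URGENCY_CUES.search(body))
        return ("suspicious" if urgent else "verify-out-of-band"), unverified
    return "ok", unverified

# Constructed sample messages (555-01xx numbers are reserved for fiction).
PHISH = ("Your ExampleBank account has been suspended. "
         "Call (800) 555-0199 immediately to verify your identity.")
LEGIT = "Your statement is ready. Questions? Call 1-800-555-0100."
NEUTRAL = "Please call us at 800.555.0142 about your recent order."

if __name__ == "__main__":
    for msg in (PHISH, LEGIT, NEUTRAL):
        print(review_message("ExampleBank", msg))
```

A verdict other than "ok" means the same thing the article advises: ignore the number in the message and call the one listed on the company's own site or on your bill.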