Vishing: exploits the public’s trust of landline telephone services

What is Vishing?

Vishing is the term given to the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick people into providing personal and financial details over the phone for financial reward, by pretending to represent real companies such as banks, which the fraudster then uses to achieve some financial gain. The term is a combination of “voice” and phishing. A “visher” is a person who perpetrates a Vishing attack.

Vishing exploits the public’s trust of landline telephone services. Traditional land line services end in a physical location which is known to the telephone company, and is associated with a bill payer. With the advent of VoIP, telephone services may now terminate in computers, which make illegal acts easier to achieve than with traditional “dumb” telephony endpoints. ( Source: www.Wikipedia.com )

A typical Vishing attack could follow a sequence such as described below:

The fraudster sets up an automatic dialer which uses a modem to call all the phone numbers in a given region.

When the phone is answered, an automated recording is played to alert the customer that his/her credit card has had illegal activity and the customer should call the recorded phone number immediately. The phone number could be a toll free number often with a caller identifier that makes it appear that they are calling from the financial company they are pretending to represent. Net phone technology makes it easy to fake the number someone is calling from.

When the customer calls the number, it is answered by a computer generated voice that tells the customer they have reached ‘account verification’ and instructs the consumer to enter their 16-digit credit card number on the key pad.

Once the customer enters their credit card number, the “visher” has all of the information necessary to place fraudulent charges on the consumer’s card. Those responding are also asked for the security number found on the rear of the card.

The call can then be used to obtain additional details such as security PIN, expiry date, date of birth, bank account number, etc.

How to avoid becoming a victim of Vishing

Take steps to protect your personal information and bank account. If you are called by a so-called “Bank” or an organization purporting to be a “Bank”, be aware of the following:

Legitimate banks would have knowledge of some of your personal details. Be suspicious of any call that appears to be ignorant of your basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to your bank.

Do not call and leave any personal or account details on any telephone system that you are directed to by a telephone message or from a telephone number provided in a phone message, an email or an SMS especially if it is regarding possible security issues with your credit card or bank account. When a telephone number is given, you should first call the phone number on the back of your credit card or on your bank statement to verify if the number given is actually an office number of the bank.

Make sure you call your bank or the company that is the subject of the call to check that the call is legitimate before disclosing any personal information.

Who are the intended victims?

Vishing calls are indiscriminate and randomly target people. The fraudsters are cunning and they may not know your real name nor any other real information about you but they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms, like -----Sir------ or …. Madam.

Action: What to do in the event you receive a Vishing call:

If you do receive a suspicious call/email/phone message, please contact your Bank by using the contact number on your statement or on the back of your bank Debit/Credit card.

You can also report the incident directly to your regional organization who are set up to combat electronic incidents including fraudster acts such as Vishing.

Hong Kong:

Website: http://www.hkcert.org/

Incident Reporting url: https://www.hkcert.org/incident/home.html

India:

Website: http://www.cert-in.org.in

Incident Reporting url: http://www.cert-in.org.in/incidentreporting.htm

Jersey:

Website: http://www.niscc.gov.uk

Incident Reporting url: http://www.niscc.gov.uk/niscc/reportIncident-en.html

Singapore:

Website: http://www.singcert.org.sg

Incident Reporting url: http://www.singcert.org.sg/incident.html

UAE:

Website: http://www.cert.etisalat-nis.ae/

Incident Reporting url: http://www.cert.etisalat-nis.ae/Incident_Reporting_Form.txt

Korea:

Website: http://www.krcert.or.kr

Incident Reporting url: http://www.krcert.or.kr

Asia Pacific Region:

Website: http://www.apcert.org/

Important points to remember

Your Bank will never randomly call you requesting that you provide personal details including your PIN over the phone.

If you receive a suspicious call, report it by contacting Your Bank on the number provided on your statement or on the back of your bank card.

If you have disclosed information verbally or via your phone key pad, immediately contact Your Bank as above and report to the police.

Spam Emails: How to Control?

What is Spam Email?

Spam is the slang term for unsolicited email. The practice of sending unsolicited bulk email ("spam") is an increasing problem on the Internet and it provides criminals with a way of reaching Internet anywhere in the world, no matter where they are located themselves. In order to reduce the amount of spam that you receive, you should be careful about disclosing your e-mail address and consider taking some of the measures below to protect yourself from spam.

Individuals behind these mass mailings, 'Spammers' collect addresses from a number of sources including websites or newsgroups/forums where they are displayed in full and buying address lists from websites where people have signed up for free offers or ordered something online. They also employ more malicious means such as using mass mailing viruses and worms, as well as dictionary-based attacks on popular domains.

7 ways to reduce spam:

Disguise your e-mail address on websites, newsgroup posts, chat rooms, or bulletin boards. You can display your address on your website as an image (without using the mailto attributes), on your website insert an image in place of the @ sign, write it as your.name at my-isp.com, insert zeros instead of "o" (y0ur.name@my-isp.c0m), or insert additional words (your.name@my-ispREMOVE-THIS.com). By doing this you will still make it possible for other people to read your address, but prevent the automated programs that spammers use from harvesting your email address.

Use an email programme that includes spam filters, an anti-spam product, or a service that scans your email for spam automatically. I suggest you Thunder Bird

on't list your e-mail address in full on any websites, newsgroups or forums Or use a separate email address for such use.

Only share your main e-mail address with people you know.

Make sure that you opt out of marketing offers allowing your address to be sold to third parties when registering or buying products or services.

NEVER reply to spam emails or attempt to use the "remove me" link as this will confirm that your address is live and you will receive more spam.

Don't open or preview spam messages as this may enable them to validate that the message has been opened. After validating your email address , spammers will send flood of eamils to your inbox.

General computer security information

General computer security measures to ensure safe browsing on internet.

Is it safe to shop and bank online?

The decision to bank or shop online is an individual choice, however, provided you take a few sensible precautions like using Anti-virus software, and shopping from reputable sites - it is safe. Adjust the security settings on your browser to protect you to the level you require. Don't give out personal information in chat-rooms or if you are not sure who is receiving the information.

How do I know if my PC is safe?

If you have anti-virus software on your PC (and keep it up to date), and are sensible about opening email attachments, and have the file sharing option on your operating system turned off (unless you need it for use in an office or home network) then your PC is reasonably safe. Try not to leave the PC connected to the Internet when it is not in use. You should also consider installing a firewall, this is particularly important if you have a permanent connection e.g. broadband access. As a further measure, make sure you keep back up copies of anything important on floppy disk, CD-ROM or another storage device then if you do fall victim to a virus or your computer breaks down you can still re trieve your data.

Is my computer safe if I am not connected to the Internet?

Yes, although there are still risks from viruses on floppy disks, CD-ROMs or portable hard disks if you are not connected to the Internet and of course your computer may break down or be stolen.

How do I know if a website is genuine?

Just as anyone can insert an advertisement in a newspaper, so anyone can set up a website. Check for contact details on the site (a postal address, not just an email address). Internet addresses have to be properly registered so most organisations have registered their own names as site names. However, this cannot always be guaranteed, particularly for all available suffixes, so if you are in any doubt it is advisable to check for physical address details. A browser lets you access the information on the Internet. Common browsers include Microsoft Internet Explorer, Netscape Navigator and Mozilla Firefox. A secure web browser supports the technical security protocols (standards) used by some sites, such as Internet Banking, to prevent unauthorized people from seeing information sent to or from the sites. You can tell when this is happening by the appearance of a padlock symbol at the bottom of the browser window. Double clicking this symbol will show a 'digital certificate' (also known as a SSL certificate) confirming the authenticity of the site.

Computer Security : Glossary

Glossary of security terms

adware

A program that typically displays advertising through pop-up or pop-under windows as you surf the Web. Adware is often hidden alongside other programs, and you may unknowingly install it when you download a program from the Internet or install software from disks. You usually need a specialized anti-adware or anti-spyware program to remove adware from your computer.

anonymity

Inability to identify a person from known information.

anti-spam

A program that filters spam in an email inbox and moves it to a bulk or spam folder, where it can be deleted.

anti-spyware

A program that finds and removes spyware. Some anti-spyware programs can also find and remove other malware, like keyloggers, Trojan horses, worms, and more.

anti-virus

A program that is designed to identify, prevent, and eliminate viruses and other malicious software.

attacker

A person who intentionally attempts to defeat a system.

bulk folder

A folder in some email programs that is used to hold email identified as spam.

case-sensitive

Distinguishing between uppercase (or capital) letters and lowercase (or small) letters. Yahoo! passwords are case-sensitive, which means that a capital A is different from a lowercase a. So when you enter your password, make sure to type it with the correct capitalization.

cookie

A small amount of data, often including an anonymous unique identifier, that is sent to your browser from a web site's computers and stored on your computer's hard disk. Web sites use cookies to "remember" details about you, such as your user name or site preferences, in order to personalize your experience on that web site. Your browser transmits information back to the site each time you view that site until the cookie expires.

download

The transfer of a copy of program or file from a network to a single computer.

email header

Part of an email message that describes the path that the email took to go from the sender to the recipient. Email headers are generally hidden, but can be displayed if necessary. If you report spam or phishing emails to Yahoo!, you'll be asked to include the email headers to help identify the source of the email.

encryption

The process of converting data or other information into code so that unauthorized people cannot access it.

firewall

Hardware or a program that prevents unauthorized users from accessing a computer network or that monitors the transfer of information to and from a network. A personal firewall is a program that filters traffic to or from a single computer. Many operating systems (such as Microsoft Windows XP and Mac OS X) include firewall protection.

A computer firewall gets its name from the fireproof wall in buildings that acts as a barrier to prevent the spread of fire.

freeware

Software (or programs) available for free, usually over the Internet. These programs can be sources of hidden spyware and adware.

hacker

A person who uses programming skills to gain illegal access to a computer, network, or file.

header

Another name for an email header.

hijacker

A malicious program that takes control of a browser and may redirect it to a fraudulent site for the purpose of committing identity theft or fraud.

hoax

Something meant to deceive or trick. Hoaxes involving threats to computers usually arrive in an email and contain bogus warnings designed to frighten or mislead you. Unsuspecting recipients may forward the email to friends and colleagues, spreading the hoax.

keylogger

Software (or a program) that secretly tracks and records all activities on a computer, including keystrokes, web sites visited, and potentially more. The information captured is transmitted back to a third party, who can then use the information to access online accounts and sensitive personal and financial information.

mail header

Another name for an email header.

malware

Software designed to infiltrate or damage a computer without the owner's knowledge. Malware is a general category of software that includes viruses, worms, Trojan horses, spyware, adware, and other malicious software.

phishing

An attempt to steal passwords and private account information through fake web sites and emails that look like those of trusted companies. A phishing web site or email can look identical to the real thing, so it can be hard to tell that it's fake. Phishing schemes can also use instant messages, typically when an account is compromised. In this case, the fraudster sends phishing messages to the contacts in the account's Messenger or friend list.

pop-under

A form of online advertising designed to attract viewers to a web site or to capture email addresses. This type of ad "pops under" the current web page in a new window and isn't seen until the browser window is closed, making it more difficult to determine which web site opened it.

pop-up

A form of online advertising designed to attract viewers to a web site or to capture email addresses. This type of ad "pops up" in a new window, covering all or part of the current web page.

pop-up blocker

A program designed to prevent pop-ups and pop-unders.

pretexting

Using false pretenses (such as a false identify or name) to get personal information, which may be used to fraudulently obtain credit or assets.

shareware

Copyrighted software (or programs) available for free on a trial basis. Usually you'll be asked to pay a fee if you want to continue using the software after the trial period. These programs are sometimes sources of hidden spyware and adware.

sign-in seal

A feature of Yahoo! that helps to protect you against phishing scams. You create your personalized sign-in seal and then look for it every time you sign in to Yahoo!. If your sign-in seal isn't displayed, or isn't the one you created, you might be on a fraudulent web site, designed to look like a legitimate Yahoo! site.

social engineering

A common ploy used to gain access to accounts by manipulating unsuspecting victims into revealing confidential information. Perpetrators may befriend potential victims and use information provided by them to guess a password or other secret data, which they use to access the victim's online accounts.

spam

Any message, regardless of its content, that is sent to multiple recipients who haven't specifically requested it. Spam can be an email message or an instant message. Posting the same message multiple times to newsgroups or list servers is also considered spamming — especially if it isn't related to the topic. Spam is also called UCE (unsolicited commercial email) and UBE (unsolicited bulk email).

Spam folder

A folder in Yahoo! Mail used to hold email identified as spam.

spearfishing or spearphishing

A kind of phishing scheme that targets a specific organization or individual in an attempt to gain access to confidential data. Like phishing messages, spearphishing messages appear to come from a trusted source, and may even appear to be from an employee within the recipient's company. Typically, a spearphishing email asks for user names and passwords or instructs the recipient to click on a link. That link could result in the downloading of spyware or other malicious programs. If a single employee falls for the spearphishing scam, the attacker can pretend to be that individual and gain access to sensitive data.

spoofing

Imitating a legitimate web site. Phishing scams use spoofing to create site that looks like a legitimate web site to fool potential victims into signing on with their user ID and password. The spoofing site captures this information and uses it to gather personal and financial information.

spyware

A program or technology that aids in gathering information about a person or organization, often without their knowledge. It includes programs like hijackers and keyloggers. Spyware is often hidden alongside other programs, and you may unknowingly install spyware when you download a program from the Internet or install software from disks. You usually need a specialized anti-spyware program to remove spyware from your computer.

SSL

Abbreviation for Secure Sockets Layer. A set of rules that defines the format and sequence of messages sent over the Internet to provide a level of security when transmitting private information. When you sign in to Yahoo!, your password is always transmitted over a SSL encrypted connection.

Trojan

A shortened name for Trojan horse.

Trojan horse

A program that disguises itself as another program. Similar to a virus, a Trojan horse is hidden and usually causes an unwanted effect, such as installing a "back door" in your computer that can be used by hackers. Unlike a virus, a Trojan horse typically doesn't create copies of itself.

UBE

Abbreviation for unsolicited bulk email. More commonly known as spam.

UCE

Abbreviation for unsolicited commercial email. More commonly known as spam.

virus

A program that hides in other programs or documents and spreads as a side-effect of something you do, like opening an attachment to an email. Viruses come in many forms, and you don't need to install a program for your computer to be infected. For example, some viruses are spread when you open a word-processing document, particularly if you enabled macros in your word processor. An email virus may create copies of itself and automatically mail itself to everyone in your address book or attach itself to outgoing files.

worm

A malicious program that spreads without your taking any action, typically by exploiting vulnerabilities in popular programs like Microsoft Outlook and Microsoft Outlook Express email software. Once activated, a worm generally uses the Internet or your local network to spread to other computers.

zombie

A computer that has been attacked by a hacker, virus, or Trojan horse and is then used to perform malicious acts, such as sending spam, under remote direction. The zombie computer gets its name from the zombie — an undead or apathetic person — because the computer and its owner are unaware that the computer is controlled remotely.