Friday, February 16, 2007

Vishing: exploits the public’s trust of landline telephone services

What is Vishing?

Vishing is the term given to the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick people into providing personal and financial details over the phone for financial reward, by pretending to represent real companies such as banks, which the fraudster then uses to achieve some financial gain. The term is a combination of “voice” and phishing. A “visher” is a person who perpetrates a Vishing attack.

Vishing exploits the public’s trust of landline telephone services. Traditional land line services end in a physical location which is known to the telephone company, and is associated with a bill payer. With the advent of VoIP, telephone services may now terminate in computers, which make illegal acts easier to achieve than with traditional “dumb” telephony endpoints. ( Source: www.Wikipedia.com )

A typical Vishing attack could follow a sequence such as described below:

The fraudster sets up an automatic dialer which uses a modem to call all the phone numbers in a given region.

When the phone is answered, an automated recording is played to alert the customer that his/her credit card has had illegal activity and the customer should call the recorded phone number immediately. The phone number could be a toll free number often with a caller identifier that makes it appear that they are calling from the financial company they are pretending to represent. Net phone technology makes it easy to fake the number someone is calling from.

When the customer calls the number, it is answered by a computer generated voice that tells the customer they have reached ‘account verification’ and instructs the consumer to enter their 16-digit credit card number on the key pad.

Once the customer enters their credit card number, the “visher” has all of the information necessary to place fraudulent charges on the consumer’s card. Those responding are also asked for the security number found on the rear of the card.

The call can then be used to obtain additional details such as security PIN, expiry date, date of birth, bank account number, etc.

How to avoid becoming a victim of Vishing

Take steps to protect your personal information and bank account. If you are called by a so-called “Bank” or an organization purporting to be a “Bank”, be aware of the following:

Legitimate banks would have knowledge of some of your personal details. Be suspicious of any call that appears to be ignorant of your basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to your bank.

Do not call and leave any personal or account details on any telephone system that you are directed to by a telephone message or from a telephone number provided in a phone message, an email or an SMS especially if it is regarding possible security issues with your credit card or bank account. When a telephone number is given, you should first call the phone number on the back of your credit card or on your bank statement to verify if the number given is actually an office number of the bank.

Make sure you call your bank or the company that is the subject of the call to check that the call is legitimate before disclosing any personal information.

Who are the intended victims?

Vishing calls are indiscriminate and randomly target people. The fraudsters are cunning and they may not know your real name nor any other real information about you but they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms, like -----Sir------ or …. Madam.

Action: What to do in the event you receive a Vishing call:

If you do receive a suspicious call/email/phone message, please contact your Bank by using the contact number on your statement or on the back of your bank Debit/Credit card.

You can also report the incident directly to your regional organization who are set up to combat electronic incidents including fraudster acts such as Vishing.

Hong Kong:

Website: http://www.hkcert.org/

Incident Reporting url: https://www.hkcert.org/incident/home.html

India:

Website: http://www.cert-in.org.in

Incident Reporting url: http://www.cert-in.org.in/incidentreporting.htm

Jersey:

Website: http://www.niscc.gov.uk

Incident Reporting url: http://www.niscc.gov.uk/niscc/reportIncident-en.html

Singapore:

Website: http://www.singcert.org.sg

Incident Reporting url: http://www.singcert.org.sg/incident.html

UAE:

Website: http://www.cert.etisalat-nis.ae/

Incident Reporting url: http://www.cert.etisalat-nis.ae/Incident_Reporting_Form.txt

Korea:

Website: http://www.krcert.or.kr

Incident Reporting url: http://www.krcert.or.kr

Asia Pacific Region:

Website: http://www.apcert.org/

Important points to remember

Your Bank will never randomly call you requesting that you provide personal details including your PIN over the phone.

If you receive a suspicious call, report it by contacting Your Bank on the number provided on your statement or on the back of your bank card.

If you have disclosed information verbally or via your phone key pad, immediately contact Your Bank as above and report to the police.

1 comment:

Alex said...

Hi, Nice stuff. I found a cool news widget for our blogs at www.widgetmate.com. Now I can show the latest news on my blog. Worked like a breeze.