June 20, 2010

A couple of readers have written in to say they recently received automated telephone calls warning about fraud on their credit card accounts and directing them to call a phone number to “verify” their credit card numbers. These voice phishing attacks, sometimes called “vishing,” are a good reminder that today’s scam artists often abuse a range of modern technologies to perpetrate old-fashioned fraud.

Graphic courtesy Internet Identity

Phone phishing schemes often begin with a pre-recorded message that prompts the recipient to call a supplied telephone number — frequently a toll-free line. Usually, the calls will be answered by an interactive voice response system designed to coax account credentials and other personal information from the caller.

Lures for these telephone phishing attacks also are sent via text message, a variant also known as smishing. Indeed, the Sacramento Bee warned last week that residents in the area were receiving text messages spoofing the Yolo Federal Credit Union.

A new report (PDF) from anti-phishing vendor Internet Identity found that credit unions continue to be a favorite target of smishing attacks, and that text-to-phone scams used a toll-free number in about half of the lures sent in the first quarter of 2010.

Internet Identity also tracked at least 118 smishing attacks in the first quarter of 2010, although the company said that number represents a 40 percent drop in these scams over the last three months of 2009.

It may be hard to imagine how many people actually fall for these scams, but you might be surprised. In March 2008, I wrote about an extremely complex vishing attack that targeted customers of multiple credit unions. A source I interviewed for that story later managed to make a copy of one of the servers that these crooks used to accept incoming calls for this scam, which ran uninterrupted from Jan. 13, 2008 to Feb. 21. From that story: “During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN.”

Have you or someone you know recently received one of these scam phone calls or texts? Sound off in the comments below.

33 thoughts on “A Spike in Phone Phishing Attacks?

  1. Rick Zeman

    So let me guess…the banks were liable for these losses, too?

  2. BrianKrebs Post author

    Rick — What losses are you referring to? The losses in my 2008 story? Generally speaking, yes — in the United States, the banks/issuers would cover these losses if they were suffered by a consumer customer.

  3. Anthony Boynes

    There was a time when I would receive these scam text messages on a weekly basis. I even tried to report them, using the FCC’s convoluted web site. It seemed to be a waste of effort, and so I just started ignoring them.

  4. Anthony Boynes

    Of course, I meant FTC web site above, and not FCC.

  5. Matt

    Actually this was one of the strengths for my passwindow scheme in that it is highly resistant to this type of verbal phone based attack compared to tokens, SMS or other authentication schemes where the user can verbally disclose a authentication code or credit card number. I cannot imagine a feasible scheme where someone could describe their passwindow segmented visual key pattern verbally. Perhaps a user could be persuaded to disclose their username/password and then try to photograph their key pattern and email the image off to the attacker but it sounds quite farfetched. The attacker might be better off at that length to convince a victim to give them money straight up.

  6. emv x man

    For many years I’ve advocated a system whereby the bank verifies itself to the customer through a password; there’s huge resistance – I suspect this is because of the psychological advantage the bank gets when they start the conversation by getting us to answer their questions.
    I have to confess to stopping taking calls from HSBC because their system is woefully inept – it tends to work this way:
    Bank op: Is that Mr …
    Me: It might be, who are you?
    Bank op: it’s … from HSBC
    Me: OK
    Bank op: May I run through some security questions to verify who you are
    Me: No, please can I call you back on a telephone number I can verify as being HSBC
    Bank op: No, we can’t take incoming calls; this is an outgoing call centre
    Me: OK, I guess you’ll have to write to me.
    I hope that one day the banks learn to do joined-up-banking!

  7. Richard

    Two weeks ago my wife and I got calls on both of our cell phones from an automated call identifying our bank saying fraud was suspected in use of our bank card and it would be cut off. We were traveling on vacation and thought they were going to cut off access to us using our check card. We were directed to push #1 to find out more. The call dropped. I tried to call the bank with the number on the back of the card; it was during a time you could not reach a customer service person. Within that hour, my wife’s phone rings with the same call. When it got to the part that it ask her to enter our card number, she hung up. I called our bank the next day. They had no record of a problem and had not blocked the use of our cards. It was a scam.

  8. Gary

    What if….a substantial percentage of consumers who received such calls called the toll-free numbers provided and left phony data? It would make the fraudsters’ jobs much harder trying to separate the valid information from the phony information and just possibly the bank’s or credit union’s researchers might be able to somehow trace the string of unusccessful attempts to access cardholders’ data back to the source.

    But, why are toll-free numbers being provided to crooks? Doesn’t Verizon (or whomever) have some idea who paid for the number?

    1. Matt

      I believe they are quickly able to quickly cycle through their credit card data to separate the genuine from the fake or out of date numbers. One trick was to use the card data to donate .50 cents to some online charity sites and validate the card numbers that way. The whole process is scripted so it wouldn’t actually take up much of their time.

    2. JBV

      The problem with doing that: There’s no way to block the call recipient from seeing your real phone number. When you call a toll-free number they get a display of the calling number and know they have a “live one.” No matter what you tell them, they will likely either call your number again or give or sell it to someone else.

      1. Gary

        Sure you can block your number from being displayed. There are several tools to do this For a landline phone call your phone company or consult the directory.
        For a cell phone contact your provider (my brother annoying blocks his number from being displayed and it registers only as “private”)

        1. JBV

          Generally, you can’t block your number from being displayed on toll-free calls even if you have number-blocking service available, because the recipient is paying the freight and the phone company handles them like collect calls. Check your contract service terms (or the phone directory if you use a land-line). YMMV.

    1. J.D. Falk

      That happened to me recently as well.

      The 800 number the computerized voice recited in the message was not the same as on the back of my card, so I was suspicious. I called the number from the card instead, and eventually found the right option among the confusing memos. Turns out it was real.

      Apparently one of my cards now flags on any purchase of computer equipment — the first was $102 at the Apple Store. What a complete waste of time, on multiple levels.

  9. The Thinker

    A month or so ago there was a smishing attack that targeted a Cleveland area credit union. As far as I know, nothing ever came of it. I spoke with some of our membership who called the number provided, but everyone said that the auto attendant never asked for credentials or personal information. Newbies just cutting their teeth perhaps, or everyone is going to see a line item billed for $500/minute on their next statement.

    The odd thing was that the message was only delivered to AT&T wireless phones. I figured that they must have suffered some kind of breach, either physical or electronic, which leaked a list of 216 and 440 phone numbers.

  10. Federico Maggi

    One year ago I began to collect vishing/smsishing data and, I have to say, it is early to call this a “popular” phenomenon. However, it is very interesting to take a look at how the social engineering techniques have evolved and have blended with the spread of new forms of social communications.

    Based on real-world, human-filtered data, these are my analysis of vishing/smsishing: http://home.dei.polimi.it/fmaggi/vishing.pdf

  11. xAdmin

    Simple solution: unless YOU initiated it, ignore it!

    It would be interesting to know of those that fell for the scam, how many are seniors. Because I recently heard an interesting idea stated by a comedian; if age brings wisdom, why are so many older people usually scam victims? On a serious note, there are many reasons for that. 🙂

    In the bigger picture, those who fall for the scam could otherwise be summed up as what P.T. Barnum once said, “There’s a sucker born every minute!” 😛

  12. Marty

    If everyone had “fun” with these attacks, I suspect we would see less of them.

    I received one of these automated calls a few weeks ago, stating my account would be frozen and asking for account info, so I decided to see how long I could tie up their phone line. I entered all zeros for the account number, the system would reply back that an invalid account was entered, and prompt to enter the account again. I was able to repeat this over a dozen times (around 5 minutes), before they disconnected the call. If enough people were to tie-up their phone lines for 5 minutes entering bogus data, their ROI would likely drop off significantly.

    I do the same type of thing for persistent telemarketers. The first time I will kindly ask them not to call back. After that, when they ask for so-and-so, I will say “Let me get them”, then put them on “hold” (i.e. put the phone down and do something else for several minutes). If they are are still on the phone when I take them off “hold”, repeat the process. Works quite well.

  13. Sean

    I have been getting calls like these for a few weeks now. The first part of the message was cut off so I only ever heard the phone number on repeat. Is there any way to report the incoming phone number?

    1. Heron

      Even if the number shows up on your Caller ID, fraudsters can generate fake phone number identities rather easily.

    2. Michael

      Yes, there are several sites for reporting abusive phone calls.
      hxxps://www.donotcall.gov/ but only if you’re on the registry.
      hxxp://800notes.com (database of abusive callers, other similar sites exist)

  14. Russ

    I got three consecutive calls from these clowns; all different numbers. I didn’t answer any, but Googled them immediately. Mostly I’m curious as to where they got my cell number from.

    1. Heron

      They may be reaching you via random dial computerized phone systems.

      1. Russ

        You think? I considered that, but why would they call 3x inside an hour and then stop cold? It’s conceivable they were leveraging a compromised service of some sort and didn’t care about wasted and inefficient process. I don’t know squat about phones, phreaking or autodialing.

        1. Heron

          Once they know your phone number is a live one, the computer is set to call you back quickly. The company hopes you’ll be annoyed enough to pick up the call. If you don’t pick up, your number will be removed from the queue for a few weeks or months, and then you’ll receive more calls.

          That’s what I’ve observed from monitoring our home phone, at least.

          1. xAdmin

            I’ve noticed the same thing and why I said, “Simple solution: unless YOU initiated it, ignore it!”

            To me all this trickery can be easily defeated with the right mindset. May be that’s easy for me to say because by nature, I’m highly analytical and very cynical. So, I’m always hyper aware of things and generally don’t automatically trust anything. I NEVER assume, but always observe, then verify, then verify again.

            I’m not going to jump just because someone says jump. I’m not going to answer the phone just because it’s ringing! 🙂

            It’s not that I’ve been burned in the past. It’s via the power of observation and deductive reasoning over the years that invariably will give you great power and freedom over this trickery. Or as I’ve said many times on this blog, it’s about critical thinking skills! Don’t allow someone else to control you! 🙂

  15. April Green

    I had a call last night and thought of you.

    It was a live call with an accent so outrageous that I suspected he was pretending to call from India.

    His garbled message to me was that he needed to tell me I had a security problem with my internet access and that someone was about to steal my information. (I paraphrase)

    As one of your fans who has been reading you for years, I couldn’t stop myself from blurting out, strongly, “Oh, you can’t be serious. You’re not actually gonna try this, are you?”

    That, as you might think, gave him pause. Then he started in, gamely, with another attempt to scare me into listening to him. Poor guy, I kept interrupting him and he would try to stick to his script, but he was getting flustered. And I hung up.

    I still have a record of the number that appeared on my caller ID. The number is from New Jersey. I’m sure it’s just one part of long network of relays designed to hide the perpetrators.

    Is there anyone to whom I should send the number?

    (This was accidentally posted to another story. Please forgive the duplication.)

    1. AlphaCentauri

      You can look up the number at http://www.telcodata.us/telcodata/telco
      Then you can contact the company that controls the phone number. About half the time they will be responsive to complaints. Some will blow you off with excuses about phone numbers being portable, but it’s not like the scammers keep their numbers long enough to move to a new phone company.

      You’re right that there is no reason to think the caller is actually in New Jersey. A phone company that offers voice-over-internet could be providing service to someone anywhere in the world. If you Google “u.s. business presence,” you will find many websites available to provide U.S. addresses and phone numbers to people who should never be allowed to have a U.S. visa.

      You can also Google the phone number on your caller ID. You will probably find several websites like 800notes.com and whocallsme.com that allow you to post your experience so others can check out numbers on their voice mail before calling them back.

  16. Emily

    Millions of text messages out, and 125 befuddled persons’ credit card numbers in. Probably credit cards with not much money available. In more than a month’s time, if I remember. An investment in equipment and time. Wonder what the profit if any was?
    What if the crooks lost money on this endeavor?

  17. Bill

    Brian, just this past Monday I received one of these on my phone. I checked my wife’s phone and the same message was there also (consecutive numbers). I called the local FBI office. The toll free number came up as an unknown for them. The agent told, me that there are so many of these that happen, they don’t investigate unless fraud has occurred.

Comments are closed.