The Anatomy of a Vishing Scam

March 15, 2008 – 3:29 PM

A series of well-orchestrated wireless phone-based phishing attacks against several financial institutions last week illustrates how scam artists are growing more adept at fleecing consumers by exploiting security holes in seemingly unrelated Internet technologies.

The scams in this case took the form of a type of phishing known as “vishing,” wherein cell-phone users receive a text message warning that their bank account has been closed due to suspicious activity, and that they need to call a 1-800 number to reactivate the account. Victims who called the number reached an automated voice mail box that prompted them to key in their credit card number, expiration date and PIN to verify their information. The voice mail systems involved in these sorts of scams usually run on free or low-cost Internet-based phone networks that are difficult to trace and shut down.

According to Lawrence Baldwin, the security forensics professional who was called in to help investigate, the attacks went down like this: The scammers targeted customers of multiple financial institutions, sending the text message lures solely to mobile numbers assigned to customers who lived in the geographic regions served by the individual institutions. For example, one scam targeting Motorola Employees Credit Union was sent only to Cingular mobile numbers assigned to consumers in the Schaumburg, Ill., area, where Motorola is headquartered. Yet another vishing attack sought Qwest customers in the Boulder region who may have belonged to the Boulder Valley Credit Union.

A third vishing attack, against the Bank of the Cascades, produced an unusual response from the institution. In a message on its home page, Bank of the Cascades urges people who have received the messages to “Call your cell phone service provider immediately to alert them of the fraud and discuss their recommendations for handling scam text messages.” Here’s the only recommendation Bank of the Cascades customers need: “We didn’t send it, just delete it or ignore it. If you fell for the scam, give us a call or come on in.”
