Cyber-criminals switch to VoIP 'vishing'

A fraudulent automated recording instructs users to enter credit card information on their keypad

Traditional web-based phishing attacks are evolving into sophisticated phone scams as cyber-criminals attempt to keep one step ahead of detection, security experts have warned.

Secure Computing reported today that its engineers have been tracking news group sites and open disclosure discussion groups which are buzzing with talk about a VoIP telephony version of phishing dubbed 'vishing'.

The new technique has been used by criminals to harvest details of the three-digit CVV security code, expiration date and other essential ID information in addition to the user's credit card and account numbers.

"Consumers need to be made aware of this new threat as it hits the UK," said Paul Henry, vice president of strategic accounts at Secure Computing.

"Like most other social engineering exploits 'vishing' relies on the 'hacking' of a common procedure that fits within the victim's comfort zone.

"Specifically this methodology takes advantage of what has become a normal practice for US credit card users when calling a credit card provider.

"Users are asked to enter the 16-digit credit card number before speaking to a representative. Consumers therefore need to be extra vigilant when giving out their information on the phone."

According to Secure Computing, 'vishing' scams usually begin when the criminal configures a war dialler (sequentially dialled regional phone numbers) to call numbers in a given region.

When the phone is answered, an automated recording is played to alert the consumer that their credit card has suffered fraudulent activity and the consumer should call a phone number immediately.

The phone number is often an 0800 number with a spoofed caller ID of the financial company it is pretending to represent.