New VoIP-based phishing scam popping up

Criminals use VoIP numbers as bogus credit card telephone numbers

A new kind of identity theft scam, with thieves using easy-to-obtain VoIP (voice over internet protocol) telephone numbers to trick internet or telephone users, is beginning to pop up, says a cybersecurity vendor.

Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers, says Paul Henry, vice president of strategic accounts for Secure Computing. The company has observed only two such scams so far, but it expects the practice to "explode," Henry says.

With internet users being warned about clicking on hyperlinks in unsolicited email, the new scam includes a phone number instead, Henry says. "It's a natural elevation of the art to move it to the telephone," he says. "People are getting nervous about clicking on links."

In phishing scams, identity thieves send email that looks like it comes from a bank, credit card company or online payment service such as PayPal. The email typically says the recipient's account has been compromised in some way, and it contains a link to an official-looking web site where the recipient can enter account information.

In the new scam, which Secure Computing calls "vishing," identity thieves ask potential victims to call a phone number attached to a VoIP account, easily obtained online through services such as Skype or through retailers reselling VoIP products such as Vonage, Henry says.

In one vishing case, scammers targeted PayPal users by including a telephone number in a spam email. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity.

The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer, Secure Computing says. Once users call, they are asked for personal account information.

VoIP numbers are easy to obtain anonymously, but Henry doesn't fault VoIP providers for vishing scams. A larger problem is the ease of obtaining credit online or over the telephone, he says.

Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated, he adds.

"In today's environment, it's absurd," Henry says.

To avoid vishing scams, Secure Computing offers this advice:

— Credit card companies normally refer to customers by their full names in any communication. If an email or phone call does not refer to your full name, it may be a scam.

— You should not call a telephone number provided in a phone call or an email regarding possible security issues with any credit card or bank account. You should call the phone number on the back of your credit card or on your bank statement to report security concerns.

— If anyone purporting to be a credit card provider calls and requests your card number, hang up and call the phone number on the back of the credit card and report the attempt. If the call was legitimate, the credit card provider will have knowledge of it.