VOIP Phishing Scam
Thursday, May 28, 2009 13:35
What Happened to Me
Recently, I had a message on my answering machine that sounded like an automated (computer-generated) message telling me to call 800-776-6779. The message stated that my debit card was locked for security reasons and said to please call the 800 number and press “1” to get it unlocked. Well, I don’t have a debit card, so that was the first indication that it may be a scam, and, second of all, the message never mentioned the name of a bank or credit union. It was just a generic message from what sounded like a security or fraud department.
After further researching the callback number, I discovered that this had happened to other people. Supposedly, it was a VOIP (Voice over IP) phishing scam, meaning that someone was using a VOIP/internet phone connection (like Vonage or Skype, etc.) to make people believe that the phone call was coming from the number identified on the caller ID or to show no identified number on the caller ID. This is called spoofing (faking), which makes the phone call appear to be coming from the number identified on caller ID. From the information gathered during my research, it appears that if you do dial the callback number and press “1,” the system will ask you for your account information in order for your card to be reactivated or unlocked. At this point, your account information would be captured and sent to the person(s) behind the scam.
The number on my caller ID turned out to be a number for a church in Ohio. From my research, it appears others who received these types of calls either had all zeros or zeros and ones in their caller ID. Either way, from the content of the message and the caller ID number, it was clear that this was a scam.
A Little History
Phishing scams started out mainly as e-mail scams, such as receiving an e-mail that appears to have come from a legitimate business like your bank or other similar type of business. You are informed in this e-mail that there is some problem with your account, and you need to click on the enclosed link, which will take you to a site where you are usually asked to put in your account information, including your password, to get the issue resolved. Over the past few years, with the growth in VOIP phone services and a variety of free software, it has actually become easier to reach people using the phone. The scam is basically the same, but the delivery method is via the phone instead of e-mail. So why is it important to know all this? You need to be aware of the variety of scams and the methods these scams use to protect yourself and your business. If your personal or business account information was stolen, not only would it cost you monetary losses, but it would also cost you an enormous amount of time to clear this up and restore your identity. Also, note that your business identity as well as your personal identity can be stolen.
How it Occurred
From the above-noted information, it should be clear that VOIP is not a secure form of communication. These types of scams usually occur in one of two ways. First, a person can use available software that allows them to set up a phone system (PBX type) on their computer. From this, they can set up virtual numbers for any country. A local number can then be used, and the person can forward the calls to wherever they want. As a result, free or cheap VOIP services can be used by the person. The second method, which I suspect in my case, involves breaking into an existing VOIP system and using the existing number or numbers to contact people. After contacting the church mentioned above, I determined that they do use a VOIP phone system. Most likely, the VOIP system was compromised and used for this scam. If you are a business owner that either uses VOIP or is considering using VOIP, you should be aware of the security issues involved with it. In future posts, I will try to write more about how to secure VOIP.
What Can I Do?
There are a couple of things I would suggest that you do when you encounter such a situation:
- First, be suspicious of such calls, especially when they do not mention your bank or card holding company.
- If you do need to call back, always look up the actual customer service number for your card holder and call them directly. Don’t trust the phone number left in the message or during the phone call. Also, note that if you do need to call back, you should not have to provide your information as they should already have it. All they have to do is confirm you are who you say you are. There is a variety of methods for this, but they do not require passwords or other details regarding your account.
- Always talk to a real person, not a machine. If this is as important an issue as the call or message makes it out to be, they would want you to talk to a real person.
- Some of these phishing scams are sent as e-mail. Don’t use links in suspicious e-mails. Verify the website you use for your account and log in there, not on the link provided in any e-mail.
Hope you found the information helpful. I would love to hear from those that have experienced such scams including any details that you would like to share. Information that may be helpful to others includes indications that gave it away as a scam and how long it took to find out it was a scam. Please leave your comments using the comment form at the end of this article.
