FBI warns that "vishing" attacks are on the rise
Posted on January 23, 2008 at 12:45:44 PM by Jefferson
By Joel Hruska
Published: January 21, 2008 - 09:50PM CT
According to the FBI's Internet Crime Complaint Center (IC3), the number of "vishing" complaints received by the center is increasing at what it calls "an alarming rate." Vishing and phishing are related, and both rely on e-mail as a means of delivering bait, but the two use different hooks in order to snag user data.
Vishing starts with an e-mail, like phishing, but requests that end-users contact a particular institution by phone in order to resolve an issue or re-secure personal data. People who call the provided number will be asked to provide the same types of data phishers attempt to procure.
Ironically, vishing e-mails may even attempt to reassure recipients of their legitimacy by stating that the institution in question would never request customer financial data via e-mail or IM.
The actual specifics of the attack could vary widely, depending on how large an operation those behind the attack intend to run. A standard vishing attack might use a phone number connected to an answering machine to harvest data. A large-scale scamming operation, however, could theoretically employ several people to act as call-center workers—who might not even be aware that they're in the employ of an illegal business operation. Given the amount of outsourcing that goes on these days, it's not exactly unusual to find yourself talking to "Ralph Smith" when you deeply suspect the person on the other end of the line is located in south Asia.
Vishing attacks are rising as voice-over-IP services become more popular. VoIP users (both commercial and residential) aren't required to provide valid Caller ID information, which makes VoIP an ideal platform from which to launch vishing attacks. The two aren't directly linked—the FBI warning makes no particular mention of VoIP—but the service does provide a potential layer of obfuscation that isn't available with conventional phone service.
As always, the best defense against phishing or vishing is a little common sense. If your bank or another financial institution with which you are affiliated contacts you requesting personal data, hang up and call them using only the number provided on the back of your card or on an official statement. If you can't get confirmation that the request is actually legitimate, don't follow up on it.