You receive an e-mail from PayPal asking you to call. It says your account has been compromised. Or a company you don't know calls threatening collection. It's scary. Before you give out any personal data, there's something you should know.
You could be the target of "vishing," or voice phishing. It's the latest twist on phishing scams.
Phishing attacks rely mostly on e-mail. You receive a message purportedly from a bank or a store. It claims a problem with your account requires immediate attention.
The e-mail directs you to a malicious Web site. The site looks legitimate. The Web address even appears legitimate.
The site is designed to trick you into disclosing sensitive information. Or it infects your machine with malicious software. Either way, you become a victim of credit card theft or worse.
Popular Web browsers incorporate anti-phishing tools. Unfortunately, criminals are one step ahead. They're using the telephone to catch you off guard.
Vishing leverages Voice over Internet Protocol (VoIP). Internet-based phone service makes it easy to spoof telephone numbers. Criminals can make a different name and phone number appear on caller IDs.
HOW DO VISHING ATTACKS WORK?
There are several variations of vishing scams. In one attack, a criminal calls you. Your caller ID displays the name and number of a reputable organization. Maybe it is a bank, store, government agency or Web site.
When you answer the call, a prerecorded message greets you. It directs you to another phone number. If you call, you're prompted to enter personal information via telephone keypad.
The key tones are captured and decoded. The criminals just got your information.
Another variation begins with an e-mail. Unlike with phishing messages, you're not directed to the Web. Rather, you're instructed to call a telephone number. You are tricked into revealing personal data.
Or you receive a call from a spoofed number. This time, you speak to a real person. The person requests account numbers and other data.
The caller could invite you to join an online research network. You're paid to install special software on your computer. The software is spyware that steals sensitive information.
Some vishing attacks start with a prerecorded incoming call. You're directed to a Web site to resolve an account problem. The site is a phishing site.
HOW TO SPOT A VISHING ATTACK
Vishing methods may vary. However, there are several hallmarks of vishing attacks. First, the information presented in the attack is upsetting or exciting. For example, you could be threatened with a lawsuit over an unpaid bill. You may never have done business with the company.
Vishing attacks usually demand an urgent response. You allegedly run the risk of account closure or credit troubles unless you take immediate action.
You should also look out for false pretenses. The visher may ask you to take a poll. Then you're directed to install a spyware program.
HOW TO PROTECT YOURSELF
Suspicion and vigilance are your best weapons. Be wary of incoming communications. Do not rely on caller ID to identify callers. E-mail addresses are not trustworthy either.
Never give out personal information in these circumstances. Instead, call the organization to ask if the communication is legitimate. Check your account paperwork for the correct phone number.
You may have never done business with an organization. In that case, ignore the communication. It's your safest bet.