A new phenomenon called "vishing" (or voice phishing) uses Internet-based Voice over Internet Protocol (VoIP) phone services to trick people into revealing private data—which is then used for identity fraud.
Here's how "vishing" works, and how you can protect yourself against it.
Phishing by phone
ID thieves have perfected an online scam called "phishing":
* ID thieves send mass email messages announcing an "urgent account problem."
* Recipients are asked to visit a Web site to clear up the problem.
* The site appears to be the legitimate site of a merchant or financial institution, but account information is immediately stolen and used to commit ID fraud.
With consumers getting wise to online phishing, thieves are now exploiting new Internet-based phone services:
* Thieves use email or automated phone messages to notify consumers of "account problems."
* Recipients are asked to call a toll-free number to resolve the problem.
* When victims call, they hear what sounds like a legitimate automated phone message.
* Victims are asked to provide account numbers, passwords, or Social Security numbers, which are then sold on the Internet and used to commit identity fraud.
A problem of trust
Vishing mimics the legitimate ways people interact with their financial institutions, so victims are more likely to respond without hesitation. People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical. But VoIP service has rendered that security blanket inoperative.
* Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost.
* Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses—even matching the on-hold music.
* Traditional antiphishing tools cannot easily detect a phony telephone number within email text, so protection against vishing is up to the user.
How to protect yourself
It's a good idea to use common sense whenever your ID information is involved.
* Never respond to an email or voice mail that asks you to go to a Web site or call a phone number to resolve an account problem. These are never legitimate.
* If there is any question, call the merchant or institution at a number you know is genuine.
* Get into the habit of asking for authentication. For example, ask the person at the other end of the line to verify a recent transaction you've made. A thief is not likely to have access to this type of information.
Conclusion
Vishing is still relatively rare, but it makes sense to use care whenever giving out your identity information. Never respond to an email or automated phone call that asks you to clear up an urgent problem—if it were urgent, they'd contact you personally.
