In a new twist on phishing, fraudsters are sending out e-mail that attempt to trick people into sharing personal information over the phone.
Cloudmark, a San Francisco-based e-mail security company, said it has seen two separate attacks this week. In both cases, the spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it, the company said in a statement published Wednesday.
The caller is connected to a voice response system that is made to sound exactly like the bank's own system, Cloudmark said.
"The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN," Cloudmark said.
"The result can be personally financially devastating," Adam O'Donnell, the senior research scientist at Cloudmark, said in the statement.
Phishing scams are prevalent and continue to proliferate. In traditional scams, miscreants try to pilfer personal information by sending spam e-mail with links to a malicious Web site, crafted to look like a site belonging to a trusted service provider. The phone scams are a new twist, made possible by cheap Internet-based telephone services, Cloudmark said.
Antispam technology can block the e-mail scams, Cloudmark said. The company urged people who do receive the messages to notify their service providers immediately. As a precaution, people should not dial phone numbers received in an e-mail message and should double-check and dial the numbers printed on ATM and credit cards instead, it advised.
Learn how to achieve better performance and improve your service levels, while driving down IT costs.
Secure the "Next-Gen SOA Infrastructure" & "Bringing SOA Value Patterns to Life" whitepapers here
It's a basic security concept that you should treat any incoming information as potentially fraudulent, so when any communication with another party was initiated not by you, you can't be totally sure of the information you get. This applies to email and even phone messages. If you are contacted by any party where security is involved you should initiate the call yourself and use whatever contact information you already have verified on file to do so (use the phone number on the back of your credit card for example) instead of whatever information was provided when the other party contacted you. This applies to emails, phone calls, voicemail, text messages - anything.
Posted by Steve Prior on Friday, April 28 2006 11:29 PM