Phishers tap VoIP in new scam

A new kind of identity theft scam, with thieves using easy-to-obtain VOIP (voice over Internet Protocol) telephone numbers to trick Internet or telephone users, is beginning to pop up, said a cybersecurity vendor.

Related to phishing scams, the new scheme uses cheaply obtained VOIP numbers as bogus credit card or financial services telephone numbers, said Paul Henry, vice president of strategic accounts for Secure Computing Corp. The company has observed only two such scams so far, but it expects the practice to "explode," Henry said.

With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead, Henry said. "It's a natural elevation of the art to move it to the telephone," he said. "People are getting nervous about clicking on links."

In phishing scams, identity thieves send e-mail that looks like it comes from a bank, credit card company or online payment service such as PayPal. The e-mail typically says the recipient's account has been compromised in some way, and it contains a link to an official-looking Web site where the recipient can enter account information.

In the new scam, which Secure Computing calls "vishing," identity thieves ask potential victims to call a phone number attached to a VOIP account, easily obtained online through services such as Skype or through retailers reselling VOIP products such as Vonage Holdings Corp., Henry said.

In one vishing case, scammers targeted Paypal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity.

The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer, Secure Computing said. Once users call, they are asked for personal account information.

VOIP numbers are easy to obtain anonymously, but Henry didn't fault VOIP providers for vishing scams. A larger problem is the ease of obtaining credit online or over the telephone, he said.

Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated, he added.

"In today's environment, it's absurd," Henry said.

To avoid vishing scams, Secure Computing offered this advice:

-- Credit card companies normally refer to customers by their full names in any communication. If an e-mail or phone call does not refer to your full name, it may be a scam.

-- You should not call a telephone number provided in a phone call or an e-mail regarding possible security issues with any credit card or bank account. You should call the phone number on the back of your credit card or on your bank statement to report security concerns.

-- If anyone purporting to be a credit card provider calls and requests your card number, hang up and call the phone number on the back of the credit card and report the attempt. If the call was legitimate, the credit card provider will have knowledge of it.