Vishing: The Latest, and Greatest, Security ConcernVishing: The Latest, and Greatest, Security Concern

Cybercriminals have become quite adept at taking advantage of the latest technology. Their latest foray centers on leveraging the significant acceptance of Voice over IP (VoIP) to steal personal information.

Unfortunately, as new communications options emerge to help small and midsize businesses improve productivity, these same enhancements can be used to exploit them and their customers. Because of its simplicity, its clean integration with IP networks, and potential cost savings, VoIP has become a staple in many small and midsize enterprises. Now, it's poised to play the same role in cybercrimes.

The crooks' latest ploy is a variation of phishing, which has become a significant problem in the last few years. With phishing, a criminal sends an e-mail and pretends to be a bank, a credit card company, or a major online merchant, such as Amazon. The e-mail outlines a problem with the person's account and asks the individual to click on a link to verify his or her account information. The user is then directed to a fake site that collects the login and password information and uses it to perpetrate identity theft.

Criminals are Shifting Gears
Since this phenomenon arose a few years ago, the affected companies, as well as leading security firms, have tried to educate users about the dangers of clicking on e-mail links asking for personal data. With that message starting to take hold, the criminals have shifted gears, with a new technique dubbed "vishing" (VoIP phishing). The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center concentrating on Internet-related criminal complaints, has recently seen a growing number of incidents of vishing.

Vishing operates like phishing and tries to persuade consumers to divulge their personal information by claiming that their accounts have been suspended, tampered with, deactivated, or terminated. A couple of variations on the scam have arisen. The first mixes phishing and vishing. The recipient receives an e-mail message but is instructed to call rather than click on a link to verify personal data. In another scenario, text messages are sent to cell phones claiming the recipient's on-line bank account has expired. The message instructs the recipient to renew their online bank account by using the link provided.

In other cases, crooks create fully functional PBXs using low cost PCs and inexpensive voice software. The perpetrators use dialers and bulk-rate VoIP services to flood an area with automated telephone calls, either reaching consumers or leaving voice mail messages. Recipients are directed to contact their banks, credit card companies, or merchants to verify their personal data.

The IC3 noted that crooks have even gone so far that upon calling the telephone number, victims hear greetings, such as "Welcome to the Bank of ... ." They then are asked to enter their personal data in order to resolve the pending problems. To add to the seeming authenticity, some fraudulent e-mails claim that the company would never contact customers to obtain the personal data by other means, such as e-mail, mail, and instant messenger, because voice messages are the most secure method of communication. These e-mails further warn recipients not to provide sensitive information when requested in an e-mail and not to click on embedded links, claiming they could contain malicious software aimed at capturing login credentials.

Scams Focused on Smaller Businesses
Another problem is cybercriminals have shifted their focus. Traditionally, their scams concentrated on the nation's largest companies. After they've received their hundredth PayPal phishing notification, consumers don't even bother opening up such items before hitting the Delete button. In response, the crooks have turned their attention to small and midsized businesses. For instance, regional bank Santa Barbara Bank & Trust Inc. was targeted for a vishing scam.

At the moment, the criminals seem to be ahead of law enforcement. The IC3 admitted that, "Due to rapidly evolving criminal methodologies, it is impossible to include every scenario." The government agency suggests that consumers use legitimate telephone numbers to contact the supposed company whenever they receive something asking for their account data. Having been funneled through numerous voice-activated screens through the years, I'm skeptical about consumers' willingness to take that extra step and the ability of the company to handle such calls expeditiously.

Consequently, vishing is a security issue that small and midsize companies have to be aware of because it could affect their customers and their business. All companies, especially those doing a lot of business on the Internet, need to notify consumers about such problems and be prepared to handle such inquiries, if they should arise. How much awareness do you have of vishing? How much of a threat do you think it poses to your business? Do you feel obliged to tell your customers about it?

Paul Korzeniowski is a Sudbury, Mass.-based freelance writer who has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investors Business Daily, Newsweek, and information.