
Phishing, Vishing, & SMiShing
Avoid getting taken, hook, line, and sinker
Beaverton, ORE - Phishing, Vishing, and SMiShing are scams
that use new technology in an attempt to obtain personal,
non-public information from consumers to be used for fraudulent
purposes, most notably identity theft. The following information
will provide you with background on how these scams work,
and tips to help you avoid getting taken.
Phishing
Phishing is probably the most common scam: unsolicited,
seemingly legitimate e-mails are sent to consumers, luring
them to click on a link to verify account information and
asking for account numbers, social security numbers, passwords,
and debit/credit card numbers and expiration dates. The e-mails
and phony websites realistically mimic the branding of a company
by using similar colors, graphics, etc. They often use language
to the effect that if the consumer does not perform the verification,
their account will be subject to closure, suspension, denial
of services, or other account restrictions.
Vishing
A consumer receives a call with a recorded message stating that
the consumer’s credit card has been breached and that they should
call the following phone number immediately. When the consumer
calls the number, another message tells them that they have
called account verification and asks them to enter their 16-digit
card number. This is an example of Vishing, short for voice-phishing,
which uses a combination of phishing e-mails and Voice over
Internet Protocol (VoIP). Through broadcast e-mails or random
dialers, consumers are contacted and asked to “verify”
information. Instead of clicking on a web link to verify their
personal information, consumers are asked to call an 800 number.
The 800 number is linked to an automated answering service/recorded
message that directs the caller to input account information.
SMiShing
This brings us to SMiShing, a phishing attack sent by Short
Message Service (SMS). SMS is a service that allows the transmission
of text messages between mobile phones and handheld devices.
An example message: “We’re confirming you’ve
signed up for our dating service. You will be charged $2/day
unless you cancel your order.” The message includes
a link that, when accessed, takes the recipient to a phishing
site where they are prompted to download a program—a
Trojan horse.
Given that consumers use various devices to access not only
personal, but company networks as well, proactive security
measures should be taken to address the fact that employees
haven’t transferred the security mindset that they apply
to their laptops to these devices. David Rayhawk, in a McAfee
Avert Labs Blog, states, “Enterprises would be wise
to keep a close eye on this issue, and think about policies
for securing their mobile devices ahead of time, rather than
playing catch up when it hits them, and begin to educate their
employees about the potential risk now.”
Tips to safeguard yourself from Phishing, Vishing and SMiShing:
- Never respond to unsolicited e-mails or text messages,
especially those coming from people or companies that you do not
have a relationship with or regarding services you have
not contracted for. Contact the financial institution or
merchant via the regular channels you use to communicate
with them.
- Remember, for privacy and security, financial institutions
do not arbitrarily solicit non-public information from you.
Typically they would already have information based on the
relationship you have previously established with them.
- When you are accessing secure accounts online, make it
a habit to check for the small yellow lock in your browser
window. If it’s unlocked, you are not in a
secure area of the website.
- If you receive a Vishing message, and you do want to
check your account, disregard the recorded number and contact
your financial institution through the customer service
phone number on your statement or credit card.
- Pay attention to the URL. Fraudsters cannot exactly mimic
a company’s website URL, but will often insert one
letter or symbol to make it appear legitimate.
- Keep a record of services you sign up for on your mobile
devices. If you receive a SMiShing message for a service
you don’t think you signed up for…you probably
didn’t. Disregard the message.
- When in doubt, do not respond to an email, voicemail or
text message regarding an account. Contact your financial
institution through regular channels.
- If you receive multiple phishing, vishing or SMiShing
messages from a financial institution, bring it to their
attention to help them uncover the fraud.
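The URL tip above can be checked mechanically. The following is an added example, not part of the original article: it flags a link whose host is one inserted, removed, or changed character away from a domain you already trust. The domains in TRUSTED and every URL used with it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains the user really does business with.
TRUSTED = {"example-bank.com", "examplecard.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def check_url(url: str, trusted=TRUSTED, max_dist: int = 1) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for the URL's host."""
    if "://" not in url:
        url = "//" + url                  # let urlsplit see a bare host
    # .hostname drops any "user@" prefix and the port, so
    # "https://example-bank.com@other.test/" is judged as other.test.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    labels = host.split(".")
    for domain in sorted(trusted):
        # Compare only the rightmost labels, the part that decides ownership.
        n = domain.count(".") + 1
        candidate = ".".join(labels[-n:])
        if 0 < edit_distance(candidate, domain) <= max_dist:
            return "lookalike:" + domain
    return "unknown"

if __name__ == "__main__":
    for u in ("https://www.example-bank.com/login",      # constructed samples
              "https://example-bannk.com/verify",
              "https://example-bank.com.account-check.test/"):
        print(u, "->", check_url(u))
```

A result of "unknown" is not a verdict of safety: the third sample places the trusted name in front of a different domain, which is why contacting the institution through regular channels remains the fallback.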
Although these scams differ slightly in delivery and execution,
they all use advances in technology and social engineering
skills to hook you, they all give you a line about needing
to “verify” your account or personal information,
and, if you fall victim, the sinker is they will steal your
identity and/or empty your accounts.
For more information on phishing attacks and trends visit
the Anti-Phishing Working Group—www.antiphishing.org.