Identity theft scam calls can fool your phone's caller ID
By Kim Komando
You receive e-mail supposedly from PayPal claiming that your account has been compromised and asking you to call. Or a company you don't know calls, threatening collection. It's scary. Before you give out any personal information, you should know that you could be the target of vishing, voice phishing.
Phishing relies mostly on e-mail to trick you into divulging private information that will be used in identity theft. For example, you receive a message purportedly from a bank or a store claiming that there's a problem with your account requiring immediate attention. The e-mail directs you to a malicious Web site that looks legitimate and appears to have a legitimate Web address. The site is designed to trick you into disclosing sensitive information. Or it infects your machine with software that steals information. Either way, you become a victim of credit card theft or worse.
Popular Web browsers incorporate anti-phishing tools. But criminals are one step ahead and are using the telephone to catch you off guard.
Vishing leverages voice over Internet protocol, or VoIP. Internet-based phone service makes it easy to spoof telephone numbers. Criminals can make a different name and phone number appear on caller IDs.
HOW THEY WORK
There are several variations of vishing scams. In one, a criminal calls via VoIP, spoofing the phone number so your caller ID displays the name and number of a reputable organization, such as a bank, store, government agency or Web site.
When you answer the call, a prerecorded message greets you. It directs you to another phone number. If you call, you're prompted to enter personal information via telephone keypad. The key tones are captured and decoded. The criminals just got your information.
Another variation begins with e-mail. You're instructed to call a telephone number and tricked into revealing personal data when you call.
Or you receive a call from a spoofed number. This time, you speak to a real person, who requests account numbers and other data.
The caller could invite you to join a bogus online research network where you'll be paid to install special software on your computer. The software is spyware that steals sensitive information.
Some vishing attacks start with a prerecorded incoming call in which you're directed to a Web site to supposedly resolve an account problem. The site is a phishing site.
HOW TO SPOT VISHING
Methods vary, but there are several hallmarks of vishing attacks.
First, the information presented is upsetting or exciting. For example, you could be threatened with a lawsuit over an unpaid bill, although you may never have done business with the company.
Vishing attacks usually demand an urgent response, claiming that you run the risk of account closure or credit troubles.
The visher may ask you to take a poll and then direct you to install a spyware program.
Vishing attacks usually aren't personalized. They probably won't reference a real account number. The visher may not even know your name.
PROTECT YOURSELF
Suspicion and vigilance are your best weapons. Be wary of incoming communications. Do not rely on caller ID to identify callers. E-mail addresses are not trustworthy, either.
Never give out personal information in these circumstances. Instead, call the organization to ask if the communication is legitimate. Check your account paperwork for the correct phone number to call or use a number from a reputable directory.
If you have never done business with an organization the caller is claiming is involved, ignore the communication. It's your safest bet.