Rediff.com

Beware! Vishing could ruin you!

July 31, 2007 09:59 IST

Imagine this. You receive an e-mail which warns you that your bank or PayPal account has been compromised and immediate action is required.

However, instead of a Web site link you're cajoled into dialling a phone number where an automated voice message greets you: "Welcome to account verification. Please enter your account number."

Instead of an e-mail you may even get an actual phone call. The caller -- who already knows your credit card number, adding to the legitimacy -- now asks for the three-digit code on the back of your card.

The content of the incoming message is designed to trigger an impulsive reaction from you. It generally uses upsetting or exciting information; demands an urgent response; or uses a false pretense. If you're gullible, you give in and become a victim.

Hackers are now using a combination of voice over Internet protocol (VoIP), SMS and the Internet to fool users into dialling a phone number, where critical information is collected for financial gain. Called vishing (or voice phishing), it differs from phishing, in which users are redirected to a website and literally frightened into parting with financial information.

Phishing-related losses have been estimated at $2.8 billion with a single victim losing $1,244 in 2006, compared with $257 in 2005, according to Gartner.

With six out of 10 banks being phishing targets last year, "The awareness of phishing has increased amongst users and hence there has been a drop in its success rate," says Vijay Mukhi, president, Foundation of Internet Security and Technology (FIST).

The success of vishing attacks will be greater than that of phishing, said Srikiran Raghavan, regional head, RSA. He added, "People will be more susceptible to talk to an automated system and feed in confidential information like credit card numbers and other such important information rather than clicking on a Web site link."

Customers who call back the false numbers provided by hackers feel a sense of security on hearing the familiar automated response system and are thus more likely to feed in their confidential data.

"This makes banks and financial institutions with automated response systems prime targets for vishing attacks," observes Manish Bansal, regional marketing manager-South East Asia and India, Websense.

The success of vishing lies in its ability to exploit an individual's trust in the landline telephone. According to Wikipedia, the victim is often unaware that VoIP allows for caller ID spoofing.

The first incidents of vishing were recorded in mid-June 2006. Since then, the attacks have been growing at the rate of 0.03 per cent worldwide, according to a report released by MessageLabs.

According to Mukhi, this was a phenomenon waiting to happen. Vishing is hard for legal authorities to monitor or trace.

"With VoIP becoming cheap, a vishing attack can originate from anywhere globally even though the number may appear to be a genuine local number, thus making it difficult for authorities to stop the fraud," says Kartik Shahani, sales director, McAfee India.

The only way out is for consumers to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers.

"Rather than provide any information, the consumer is advised to contact their bank or credit card company directly with numbers provided by the bank on the back of the credit card. Verifying the validity of the message could save the customer a lot of trouble," said Srikiran.

[Sidebar: "Phony Conversations: The vishing trap", with sections "Personal information at risk", "Uses of the information" and "Preventive steps"]

Sapna Agarwal