Vishing

Share This +

National Crime Prevention Council
1000 Connecticut Avenue, NW, 13th Floor
Washington, DC 20036
202-466-6272
202-296-1356 FAX
www.ncpc.org

Original Post: January 2009
Current: 2010

‘Vishing’: A New Twist on Identity Theft Threatens Consumers

The FBI has issued a warning about a nasty new type of telephone fraud aimed at tricking consumers out of their personal information.

By Martin W.G. King, NCPC Staff

The Internet Crime Complaint Center has issued a warning about a new kind of cyber attack involving vishing, the telephone version of phishing (Voice Phishing), which takes place by computer. In vishing, callers spoof Voice over Internet Protocols (VoIP) and pose as legitimate institutions, in an attempt to trick targets into giving them their personally identifiable information. Victims could be at risk for identity theft, among other types of fraud.

Vishing takes two forms. Instead of directing targets to a phony website, as is the case with phishing, a recorded phone call may tell the user to call a toll-free telephone number that purports to be that of a well-known financial institution or other entity. The caller is then asked to punch in his credit card number or other personal information. Another type of vishing takes the form of an email, which asks the user to make a telephone call to a toll-free number and provide his personal information. In either case, PCMagazine.com Encyclopedia says that “because people are so used to entering credit numbers and other personal information over the phone, this [vishing] technique can be highly effective.”

Hackers conducted a recent wave of vishing attacks by exploiting a weakness in early versions of Asterisk software, a free, widely used software developed to integrate PBX systems with VoIP digital Internet voice calling services. (PBX, or private branch exchange systems, are used by commercial and government entities to enhance their communications capabilities.) The weakness enabled the hackers to use the software as an automatic dialer, generating thousands of vishing telephone calls to consumers in an hour.

If consumers fall victim to this fraud, they will be at risk for identity theft, credit card fraud, and a host of other crimes. To reduce the spread of this new type of crime, agencies using Asterisk should upgrade their software to a version that has had the vulnerability fixed.

NCPC urges law enforcement personnel with responsibility for fraud prevention or citizen education to remind the public that they should never release their personal information in response to unsolicited telephone calls.

NCPC’s publication, Preventing Identity Theft, is available for download and teaches consumers how to protect themselves against this crime.

The U.S. Department of Justice and the Federal Trade Commission (FTC) are hard at work on developing new ways to counter the evolving nature of identity theft. On October 28, 2008, Attorney General Michael Mukasey and FTC Chairman William E. Kovacic announced the release of a report from the President’s Identity Theft Task Force on the federal government’s progress in addressing this crime. The report presents highlights of the task force’s work and emphasizes that government and the private sector, working together with consumers, must be adaptable as new generations of identity thieves develop new techniques. The full task force report and other information on efforts to combat identity theft is available here.