
Just When You Thought it Was Safe: Vishing Makes a Splash on the Web

Criminal Entrepreneurs Use New Technology for Malicious Intent

October 2006

Leave it to Internet crooks to be endlessly inventive.  As soon as one scam is discovered, another one takes its place.  The latest innovation in identity theft is a variation on phishing called “vishing,” or voice phishing.  The first recorded incident took place in June of this year, involving a bank in Santa Barbara.  A second incident, involving PayPal, occurred in early July.

Similar to the typical phishing scam, vishing involves contacting potential victims by e-mail or phone, usually to alert them that their credit card has been used illegally or that someone has been trying to gain access to their account.  Rather than directing targets to a phony corporate web page, vishing scammers ask victims to call a toll-free number.  That number connects to an automated recording that prompts cardholders to “verify” their account by keying the card number into the telephone keypad.  If the target does as instructed, the number goes straight to the criminal, and he or she becomes fair game for identity theft.

Vishing Made Possible by Internet Phone Service

The new world of Internet telephone service has made vishing possible.  For one thing, it’s easy to obtain a Voice over Internet Protocol (VoIP) phone number immediately, through services like Skype or Vonage, without the level of identity verification required for a traditional phone line.  Thieves can set up a VoIP number with nearly the same ease as a new e-mail address.  Internet phone service also makes automated, high-volume dialing cheap, so a large number of potential victims in a specific area code can be called in a short time, which has obvious appeal for e-scammers.  (Vishing, like phishing and related scams, is a numbers game.)

Most importantly, VoIP makes it easier for callers to mask their identity and location.  On an outbound call, the number shown on the victim’s caller ID display can be set by the caller to whatever he likes, a practice commonly known as caller ID spoofing.  For inbound calls, a criminal operating from anywhere in the world can obtain a number to give his potential victim that has the same area code, even the same prefix, as the financial institution with which that person holds an account.  Either way the call looks local and legitimate, and believability is the identity thief’s bread and butter.

A Classic Deception: Betraying People with Their Own Trust

The VoIP telephony that enables vishing offers anonymity and elusiveness, both essential elements in such crimes.  Like all “confidence” schemes, vishing rests on psychological manipulation, which no computer security system can block.  The scam may begin online, but the real harm is done offline, when the target makes the phone call and the swindle is completed.  Phishing schemes have been widely exposed, and as a result people have learned to view e-mails requesting passwords or account numbers with a certain reflexive suspicion.  Vishing, however, is relatively new, and a request to call a familiar-looking phone number and read off personal information appears far less dubious to most people.

"Like most other social engineering exploits, vishing relies upon the hacking of a common procedure that fits within the victim's comfort zone,” said Secure Computing’s Paul Henry in an article in Network World.

The telephone has long been a favored tool of “bunco artists” and confidence men.  In a sense, vishing is a return to basics: a high-tech variation on the type of crime that turns people’s deeply ingrained emotions, such as fear, and the natural responses fear triggers, like panic and impulsiveness, against them.  The typical vishing scam begins with a warning about a possible security breach that demands immediate action, yet taking that action is what actually causes the breach.  It makes for a paradoxical sort of criminal jujitsu.

The Evil Genius Syndrome: Technology’s Neutral, People Are Bad

Identity thieves, like terrorists, have an uncanny ability to find new ways to use technology to break the law and wreak havoc, usually as authorities’ counter responses lag a step or two behind them.  It’s an ever-evolving, always dynamic game of cat-and-mouse between criminals and law enforcement, the fallout from which ultimately affects consumers.  As law enforcement officials and consumers become savvier, and as information about certain scams circulates, new scams based on emerging technologies or repurposed old technologies appear, and fraud-related losses rise.

The conventional view is that innovation is inherently progressive, a force for good.  In the hands of malevolent individuals, however, it serves as an effective weapon in their opportunistic schemes.  Internet telephony, developed to provide cheap and convenient phone service to legitimate consumers, has proved useful to entrepreneurial crooks.  And make no mistake: there is a degree of real initiative involved in a vishing operation, especially among the innovator(s) who discovered the scheme.

Law enforcement can’t assume the entire responsibility of keeping up with technologies that aid identity thieves.  Perhaps it’s time to shift some of that responsibility to those in product development.  No technology is foolproof, and we shouldn’t necessarily hold technologists and inventors accountable for misuses of their creations; yet, in the planning stages it might be useful if they would entertain the possibility that their inventions might be used for criminal purposes, and then imagine the ways in which this could be done.

Adopting this approach, they might be able to develop protections to thwart misuses of their product before its release.  Ultimately, this could save a lot of people from becoming victims and make the job of law enforcement considerably easier.  This may be just a pipe dream or a vague possibility.  In the meantime, the only consistently effective means of prevention remains vigilance: caveat emptor—let the buyer beware.   

Advice on How to Avoid Becoming a Victim of Vishing

  • Common sense.  Be suspicious of any caller who does not already know basic details about you, such as your first and last name.  Hang up immediately and report the call to the financial institution.
  • Never act on a cold call, even if you think it is genuinely from your bank or credit card company.  Ask for the caller’s name and extension and offer to call back through the number printed on your card or statement, not a number the caller gives you.
  • If a caller who claims to be from a financial institution you do business with already knows your credit card number but asks for the three-digit security code on the back of the card, hang up immediately and report the call to the authorities.  The issuer has no need to ask for it.
  • If you receive an e-mail asking you to call a toll-free number to verify account information, delete it.  Never provide personal or account information in response to an e-mail request.
  • Don’t be reassured because the caller’s number appears to be a local one: caller ID can be spoofed, which is easy to do with VoIP.
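The pattern the article describes, and the advice above, translate into a simple mail-filtering heuristic: a message that pushes the reader to a toll-free call-back number instead of a link, and does so with urgency or "verify your account" wording, is worth flagging or quarantining before it reaches an inbox. The following Python is an added example written for this page, not code from the original article or from Identity Theft 911; the toll-free prefixes, the keyword list, the scoring weights and the three sample messages are all assumptions chosen for illustration.

```python
import re

# Toll-free area codes in the North American Numbering Plan.  800, 888, 877 and
# 866 were in use when the article was written; 855, 844 and 833 were added
# later.  (Assumed list for this example; the article names no prefixes.)
TOLL_FREE = {"800", "888", "877", "866", "855", "844", "833"}

# North American number in the common written forms: 1-866-555-0142,
# (866) 555-0142, 866.555.0142.  Only the three digit groups are captured.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")

# Wording of the pretext the article describes: the account is in trouble and
# must be "verified" at once.  Constructed word list, not from the page.
URGENCY = re.compile(
    r"\b(unauthori[sz]ed|suspicious|suspended|locked|compromised|verify|confirm)\b",
    re.IGNORECASE,
)

# Any web link at all; its absence is part of the vishing signature.
LINK = re.compile(r"https?://|www\.", re.IGNORECASE)


def toll_free_numbers(text):
    """Return the distinct toll-free numbers in text as 10-digit strings."""
    return sorted({a + b + c for a, b, c in PHONE.findall(text) if a in TOLL_FREE})


def urgency_words(text):
    """Return the distinct urgency/verification words found, lower-cased."""
    return sorted({w.lower() for w in URGENCY.findall(text)})


def analyse(message):
    """Score a message for the vishing pattern: a call-back number standing in
    for the phishing link, paired with pressure to act now.

    Scoring (heuristic weights chosen for this example):
      +2  toll-free number and urgency wording in the same message
      +1  toll-free number and no web link at all
    A score of 2 or more is reported as suspect.
    """
    numbers = toll_free_numbers(message)
    words = urgency_words(message)
    has_link = LINK.search(message) is not None
    score, reasons = 0, []
    if numbers and words:
        score += 2
        reasons.append("toll-free call-back number paired with urgency wording")
    if numbers and not has_link:
        score += 1
        reasons.append("call-back number but no link: phone, not web, is the channel")
    return {
        "suspect": score >= 2,
        "score": score,
        "numbers": numbers,
        "keywords": words,
        "reasons": reasons,
    }


# Constructed sample messages for demonstration; not real mail.
VISHING_MAIL = """Subject: Urgent: unauthorized activity on your card
Our fraud department has detected suspicious charges on your account.
Your card has been temporarily suspended. To verify your identity and
restore access, call our 24-hour hotline at 1-866-555-0142 immediately."""

NEWSLETTER_MAIL = """Subject: Autumn catalog
Our new catalog is out. Call 1-800-555-0199 to request a printed copy."""

STATEMENT_MAIL = """Subject: Your statement is ready
Your September statement is available at https://www.example.com/login.
Questions? Call the number printed on the back of your card."""


if __name__ == "__main__":
    samples = [("vishing", VISHING_MAIL), ("newsletter", NEWSLETTER_MAIL),
               ("statement", STATEMENT_MAIL)]
    for name, mail in samples:
        result = analyse(mail)
        print(f"{name}: suspect={result['suspect']} score={result['score']} "
              f"numbers={result['numbers']} reasons={result['reasons']}")
```

Run as a script it scores the three constructed messages; only the first is reported as suspect, the newsletter with a plain 800 number scores a single point, and the statement notice with a link and no number scores zero. In production a check like this sits alongside sender authentication and URL filtering rather than replacing them, because the whole point of vishing is that the lure contains nothing for a URL reputation filter to catch.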
©2003-2010 Identity Theft 911, LLC. All rights reserved.
