Voice over Internet Protocol, or VoIP, which enables telephone calls over the Web, is considered a significant breakthrough in telecommunications with millions of legitimate customers. Unfortunately, criminals are also using the technology to hijack identities and steal money, according to the Federal Bureau of Investigation. The VoIP schemes are called “vishing.”
Vishing is a variation on the phishing tactic that has become so familiar to e-mail users. In phishing schemes, e-mail users receive messages that claim to be from their bank or credit card company asking them to update their account information and passwords (perhaps, it says cleverly, because of fraudulent activity) by clicking a link to what appears to be a legitimate Web site of that institution. It is, of course, just a ruse, nothing more than a system for collecting the victims’ identifying information.
Vishing schemes are slightly different and typically take one of two forms:
- In one version, the VoIP subscriber receives a typical e-mail message. But instead of being directed to an Internet site, the VoIP subscriber is asked to provide the information over the phone and given a number to call. Those who call the customer service number (a VoIP account, not a real financial institution) are led through a series of voice-prompted menus that ask for account numbers, passwords, and other critical information.
- In another version of the vishing scheme, a VoIP subscriber receives a phone call from another VoIP account and the caller (either a live person or a recorded voice) directs the VoIP subscriber to take action to protect their account. Often, the criminal already has some personal information on the subscriber, including the subscriber’s account or credit card numbers. That can create a false sense of security.
To the criminal, vishing has some advantages over traditional phishing tricks. First, VoIP service is fairly inexpensive, especially for long-distance calls, making it cheap to make fake calls. Second, because VoIP is Web based, criminals can use software programs to create phony automated customer service lines.
Thieves who give out phone numbers should be easy to track, but that is not always the case. Criminals can mask the number they are calling from, thwarting caller ID. And in some cases the VoIP number used by the criminals belongs to a legitimate subscriber whose service is being hacked.
Vishing is a new scam and many VoIP users may not yet know how prevalent it is or even what to call it. “A lot of would-be victims are reporting this as spam or phishing,” says Dan Larkin, chief of the FBI’s Cyber Initiative and Resource Fusion Unit. “But we know it’s out there. It’s happening.”
When local police officers are discussing telecommunications scams with constituents, they should always recommend reacting to a phone call or e-mail seeking personal information with a healthy dose of skepticism. If the recipient thinks the call is from a legitimate financial institution, he or she can always hang up and call back using the customer service number provided by the financial institution when the account was opened.
Also, the FBI asks local officers to refer complainants to the Internet Crime Complaint Center (www.ic3.gov) if they are vishing victims or have received a suspicious call or e-mail message.
From The Police Chief, vol. 74, no. 4, April 2007. Copyright held by the International Association of Chiefs of Police, 515 North Washington Street, Alexandria, VA 22314 USA.