A new round of voice phishing—known as vishing, for short—is leveraging old-school phone calls and social engineering to purloin credit and debit card information from unwitting consumers.
“Vishing can start with an email or a text, but the ultimate goal is to get you on the other end of a telephone line,” said Christopher Boyd, a researcher at Malwarebytes, in a blog post. “From there, the scammers will go about harvesting your data by pretending to be your bank and asking for card information.”
For instance, an email purporting to be from a bank may come in that says something like:
“Our monitoring system has detected unusual transaction on your credit card. Please call our 24-hour customer service hotline at [snip] for verification. For your security we have placed your card on temporary hold while awaiting your confirmation.”
Or one may receive a text that reads:
“VISA ALERT: Your debit/credit card has been temporarily disabled. Please call the VISA 24-hour reactivation line.”
Boyd called the number included in one such gambit and was directed to an automated message tree, which asked for various pieces of information to be keyed in, presumably to look more “legit,” before asking for a card number, expiration date, three-digit code and PIN.
Detecting the scam is simple: “Most (if not all) banks are very vocal about the fact that they won’t solicit personal information from you,” he explained, adding that if in doubt, consumers should always call the bank’s real number to determine whether an incident has actually occurred.
“As long as you’re passing on the information via a call you yourself initiated, you’re in a much safer position than dialing random numbers sending texts to your mobile,” he said.
Vishing is not uncommon: A survey last year suggested that one in 25 adults in the UK may have been a victim of it.
There are various vishing vectors as well; while this latest effort starts with email and texts, typically the criminal will make a cold phone call to a potential victim, posing as someone from a bank, the police or another legitimate organization (such as a telephone or internet provider). But it always ends the same way: they attempt to obtain financial information that often includes credit/debit card details (including PIN), bank account details and personal information, such as full name, date of birth or address.