1. Headline
  1. Headline
By Herb Weisbaum
msnbc.com contributor
updated 8/1/2006 8:14:11 PM ET 2006-08-02T00:14:11

The bad guys who want to steal your personal information have added a new twist to the “phishing” scam. They’re now using the telephone to capture your account numbers and PIN codes. Fraud fighters call it “voice phishing” or “vishing” for short.

  1. Stories from
    1. Beverly Carter Targeted Because She Was 'Woman Who Worked Alone': Suspect
    2. Attorney for Injured Tracy Morgan Says It's Unclear if He'll Ever Perform Again
    3. Jordin Sparks: I'm Returning the BMW That Jason Derulo Gave Me
    4. Bethenny Frankel Denies Returning to The Real Housewives of New York City
    5. Thomas Rhett Has a 'Really Great Day!'

Both scams start the same way, with a bogus e-mail made to look like it’s from your bank, financial institution or a trusted e-commerce site, such as eBay. It says there’s a problem, your account has been disabled and you need to contact them right away to get it running again.

A phisher tells you to click a hyperlink contained in the e-mail – which takes you to a bogus Web site that will harvest your account information. In the new scam, the visher’s e-mail tells you to call a phone number set up to do the dirty work.

In most cases, an automated response system answers the call and tells you to punch in the data the visher wants.

“It is very clever and a bit alarming,” says Bill Rosenkrantz, director of consumer products at the Symantec Corporation, a leading information security company. The fraudsters hope to fool people who know not to click a link in an unsolicited email that asks for personal information. Making a call might seem like the safe thing to do if you don’t realize that number goes to a crook.

Scams need to evolve
Phishing continues to be the number one scam on the Internet. The Gartner Group, a major technology research company, puts last year’s loss at $929 million. The good news is phishing is less effective than it used to be. “The value of phishing is slipping,” says Adam O’Donnell, a senior research scientist at Cloudmark, a messaging security company in San Francisco.

Fewer people are falling for the scam and companies whose names are being spoofed are able to get the phisher’s bogus Web sites taken down very quickly. “So the time put into launching a phishing attack doesn’t have the same payback,” O’Donnell says. That’s why the scam needed to be tweaked.

One of the most recent vishing attacks took place just a few weeks ago. It targeted the customers of Santa Barbara Bank & Trust, a small community bank in Southern California.

It was a simple text message that was made to look like it came from the bank’s online customer service department:

“After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure.

Call this phone number (1-805-xxx-xxxx) to verify your account and your identity.

Those who fell for the pitch and dialed the number heard a simple automated message that said, “Welcome to account verification. Please type your 16-digit card number.” Since we’re commonly asked to punch in account numbers when we deal with financial institutions over the phone, this would not necessarily seem suspicious.

“Their e-mail blast shows a new level of sophistication,” says Paul Roberts, a senior editor at InfoWorld magazine. “It was targeted to people in the bank’s 805 area code. The phone number people were asked to call was also an 805 number. “You’d have to be pretty suspicious not to fall for that one,” he says.

Santa Barbara Bank & Trust is working with the FBI to find out who did this.  FBI spokesperson Laura Eimiller tells me they have traced the scheme to computers “inside and outside the U.S.” No arrests have been made. It is not known how much money, if any, has been lost.

Vishing is new and expected to grow. “In the last few weeks, we’ve seen increased attacks,” says Symantec’s Rosenkrantz. “We’ve seen attacks on local and national banks, as well as some online companies.”

Cloudmark’s O’Donnell also expects vishing to take off. “Once a con artist figures out a new way to pull off a scam, it tends to spread very quickly,” he says.

PayPal is one of the big companies being targeted. Sara Bettencourt, a company spokesperson, reminds customers that PayPal “will never ask for your full credit card number or account information via an automated system.”

If you receive one of these bogus PayPal emails you can forward it to spoof@paypal.com.

Bad guys are tech savvy
Internet telephone service makes it simple for scammers to get started and harder for them to be detected.  It’s very easy to establish a Voice over Internet Protocol (VoIP) phone number very quickly without all the same verification that’s required with traditional phone line.

“You can be in Russia and get a local area code phone number in Seattle very quickly,” Rosenkrantz explains. Victims who call that “local” number have no idea they’re being routed to a distant location via the Internet.

“Use your common sense,” advises Patti Poss, an attorney with the Federal Trade Commission. “What would you do if you were on the street and someone came up to you and asked for your credit card number? You wouldn’t do that!”

Likewise, you should never respond to an unsolicited email that asks for personal information. Don’t click a link. Don’t call a phone number.

If you want to find out if an email from a company you do business with is legitimate, contact them in a way you know is safe. If you call, use the phone number on your account statement. If you go to their Web site, type the URL in the address bar yourself; don’t click a hyperlink.

Before you share any personal information, stop and verify. Because if you do give it up to a con artist, it’s gone, and there’s no way to get it back.

© 2013 msnbc.com.  Reprints


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments

More on TODAY.com

  1. Joan Lunden: 10 things I wish I knew before I was diagnosed with breast cancer

    From the moment you hear the words ‘You have breast cancer,’ it’s almost like you’re shot out of a cannon. Here are 10 things I wish I knew before I was diagnosed.

    10/1/2014 10:52:45 AM +00:00 2014-10-01T10:52:45
  2. Want to help? A guide to breast cancer charities

    In the United States an estimated 296,000 women and 2,240 men will be diagnosed with breast cancer this year and almost 40,000 women and 410 men will die of the disease. That's one death every 14 minutes, according to the National Breast Cancer Coalition.

    10/1/2014 10:45:11 AM +00:00 2014-10-01T10:45:11
  3. Samantha Okazaki / TODAY
  1. Kevin Lamarque / Reuters

    Secret Service director resigns amid scandal

    10/1/2014 7:30:52 PM +00:00 2014-10-01T19:30:52
  1. Texas Ebola patient had contact with kids

    Texas Gov. Rick Perry said in a press conference on Wednesday that “some school-age children” had been identified as having contact with the man diagnosed with the first case of Ebola in the United States. 

    10/1/2014 5:37:52 PM +00:00 2014-10-01T17:37:52
  1. Samantha Okazaki / TODAY

    Plaza producer: TODAY's #PinkPower event was 'my best day on the job'

    10/1/2014 7:49:32 PM +00:00 2014-10-01T19:49:32
  1. Getty Images file

    Duchess Kate pulls out of charity event due to morning sickness

    10/1/2014 1:20:02 PM +00:00 2014-10-01T13:20:02