Maybe you were "Vished"?
From today's Wall Street Journal:
[Quoote]
Email Scammers Try New Bait in 'Vishing' For Fresh Victims
By ANDREW LAVALLEE
July 17, 2006; Page B1
For some time, banks and credit-card companies have been warning computer users about so-called phishing emails that link to counterfeit Web sites where customers are asked to enter their account numbers and other personal information.
Now, savvy con artists are adding a new twist dubbed "vishing."
Customers of Santa Barbara Bank & Trust recently received emails telling them that their accounts with the company's online banking system had been disabled after the bank detected unauthorized access. They were told to dial a telephone number (with a local, Southern California area code) where an automated voice prompted them to enter their account numbers, personal-access codes and other details. It's not clear who was on the other end of the phone line, but it wasn't Santa Barbara Bank & Trust.
The incident was among the latest in a string of vishing, or voice phishing, attacks. Security experts say such schemes are made possible by Internet-telephone services, which allow computer users to quickly establish phone numbers, often without undergoing some of the verification checks used by traditional telephone companies. Also, Internet phone companies dole out numbers with a choice of area code, regardless of where in the country -- or world -- the user is located. That can make it much more difficult to locate fraudsters.
The Federal Bureau of Investigation said it has traced the Santa Barbara scheme to computers inside and outside the U.S., but so far hasn't made any arrests. The phone number has been deactivated. It is unclear whether any money was stolen.
"Everyone's accustomed to the standard phishing attack," said Adam O'Donnell, a senior research scientist at San Francisco-based online security firm Cloudmark Inc. "Their banks have told them not to click on the URLs," but customers aren't as vigilant when it comes to the telephone. Automated voice prompts are now common on customer service lines, and many people have become accustomed to keying in their account information and other details before being able to speak to a representative.
Con artists might use data collected through vishing to access online bank accounts and transfer money, or to make fraudulent online purchases with a stolen credit card number.
Security experts said other regional banks, as well as eBay Inc.'s online-payment service PayPal, have been targeted. So far, the attacks appear to be geographically focused, directing recipients to local phone numbers. Analysts said scammers send piles of messages to email addresses believed to be located in an area, with the hope of reaching some customers of a particular company. In the Santa Barbara case, many people without accounts at the bank received the messages, a bank spokeswoman said.
In general, email-based phishing scams have been successful. Research firm Gartner Inc. estimates that consumers lost $929 million in such schemes last year. Still, public-relations campaigns from banks, along with new tools from security companies, have made phishing more difficult to pull off, said Paul Henry, a vice president at San Jose, Calif.-based Secure Computing Corp. Phishing has also become riskier for con artists, with the introduction of software that helps locate and unmask phony Web sites set up to steal information. "The anonymity of phishers was gone," he said. "With [Internet telephony], you can regain the ability to remain anonymous."
Internet-phone companies generally require customers to enter a home address and a billing address that matches the credit-card number used to establish an account. But "we can't verify that the person who's entering that information is being honest about who they are," said Huw Rees, a vice president of sales and marketing at Santa Clara, Calif.-based provider 8x8 Inc. "The telephone number people [are assigned] has no geographic meaning anymore," he said. "It gives you nomadic capability."
Cloudmark detected a vishing attempt in April in which emails purporting to be from a small bank in Philadelphia urged customers to dial a phone number to verify their personal details. By the time the security firm traced the number to an Internet-phone company, three days later, it had already been disconnected. "These things are very, very fast-acting," said Cloudmark's Mr. O'Donnell.
Earlier this month, a similar attack occurred in which email imitated PayPal, a frequent phishing target. The message told users to call a California-based phone number to update credit-card information "in order to prevent any fraudulent activity from occurring."
PayPal contacted authorities who traced the number to an Internet-phone service, and the number was shut down July 7, said Sara Bettencourt, a PayPal spokeswoman. She said she wouldn't say whether anything was stolen as the matter is still under investigation by authorities.
Santa Barbara Bank & Trust, meanwhile, has warned its customers about the vishing attack, and shared protection tips from the Federal Trade Commission -- namely, that customers should never turn over private information based on an email request. "We'll be on the alert for such things in the future," said Deborah Whiteley, a spokeswoman for parent company Pacific Capital Bancorp.
/quote
It is a little scary that area codes can be reassigned so easily. It takes the usefulness out of Caller ID!
-Skip
