New Targets

Beware of ID Theft via Your Digital Phone Service

By Jennifer Martinez

If you haven’t heard of vishing yet, you’re not alone. It’s the latest in techniques used to commit identity theft.

Vishing (or voice phishing) uses Internet-based Voice over Internet Protocol (VoIP) phone services to trick people into revealing private data -- which is then used for identity fraud. Here's how "vishing" works, and how you can protect yourself against it.

Phishing by phone
ID thieves have perfected an online scam called "phishing," in which they send mass email messages announcing an "urgent account problem." Recipients are asked to visit a web site to clear up the problem. The web site appears to be the legitimate site of a merchant or financial institution, but account information is immediately stolen and used to commit ID fraud.

But with consumers getting wise to online phishing, thieves are now exploiting new Internet-based (aka VoIP or digital) phone services. In this case, thieves use email or automated phone messages to notify consumers of "account problems." Recipients are asked to call a toll-free number to resolve the problem. When victims call, they hear what sounds like a legitimate automated phone message. Victims are asked to provide account numbers, passwords or social security numbers, which are then sold on the Internet and used to commit identity fraud.

A problem of trust
Vishing mimics the legitimate ways people interact with their financial institutions, so victims are more likely to respond without hesitation. People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical.

But VoIP service has rendered that security blanket almost inoperative. Many Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost. This inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses -- even matching the on-hold music. Traditional antiphishing tools cannot easily detect a phony telephone number within email text, so protection against vishing is up to the user.

How to protect yourself
It's a good idea to use common sense whenever your ID information is involved.

• Never respond to an email or voice mail that asks you to go to a web site or call a phone number to resolve an account problem. These are never legitimate.

• If there is any question, call the merchant or institution at a number you know is genuine.

• Get into the habit of asking for authentication. For example, ask the person at the other end of the line to verify a recent transaction you've made. A thief is not likely to have access to this type of information.