Phishers Get Phoney

Zonk posted more than 8 years ago | from the punlarious dept.


Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."


236 comments


This... (5, Insightful)

danimrich (584138) | more than 8 years ago | (#15220912)

Makes me think that it is still the safest option to have customers do all their banking right at a teller.

Re:This... (4, Funny)

Whiney Mac Fanboy (963289) | more than 8 years ago | (#15220932)

Makes me think that it is still the safest option to have stupid customers do all their banking right at a teller.

speaking of stupid... (0)

thepotoo (829391) | more than 8 years ago | (#15221184)

What's the point to this whole thing?
I mean, aren't they fooling enough people in the status quo? Now, they have to pay people to act like they work for a bank, and have them on call 24/7.
The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.

Maybe it's me, but this makes no sense from a business standpoint.

Re:speaking of stupid... (3, Funny)

LearnToSpell (694184) | more than 8 years ago | (#15221204)

You know the woman who says "For English, press 1" isn't actually sitting there, right?

Re:speaking of stupid... (1)

sheehaje (240093) | more than 8 years ago | (#15221329)

Yeah, but the guy who says "Hello --- And welcome to Moviephone" may just be sitting there.

Re:speaking of stupid... (1)

gEvil (beta) (945888) | more than 8 years ago | (#15221424)

Well, Kramer's gotta make a living somehow...

Re:speaking of stupid... (3, Funny)

sacrilicious (316896) | more than 8 years ago | (#15221477)

You know the woman who says "For English, press 1" isn't actually sitting there, right?

No *wonder* she hasn't answered my letters.

No matter, I thought she was a little too aloof anyhow.

Re:speaking of stupid... (4, Interesting)

tlhIngan (30335) | more than 8 years ago | (#15221427)

I mean, aren't they fooling enough people in the status quo? Now, they have to pay people to act like they work for a bank, and have them on call 24/7.
The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.


I think the "Tragedy of the Commons" has struck the spam and phishing world. First, a few spams and you had a high return rate. Now that everyone's inbox is flooded, no one reads them anymore. So people turned to phishing, which made a lot of money. However, people realized that you know, the bank isn't going to send them alerts to *every* email account they have anymore (I get the same phish email in my home account (several copies), and my Gmail account), or as I mentioned in my anecdote, *several* copies. For the past week, Chase Online had a problem *EVERY SINGLE DAY*. The first time, maybe. The Nth time, well, it's obviously a scam.

Either that, or if one were to answer every phish, there would've been nothing left in the account beyond the first couple of phishers.

So now that everyone's into the phishing racket, all the low-hanging fruit is gone, since people get suspicious when the bank sends multiple emails on the same problem, or over the course of a week, or different problems with the same bank. It worked wonders when phishes were rare. Now that they happen daily, well.

Interesting how the Tragedy of the Commons can affect scams as well (which probably included a number of ways spam has evolved over the years).

But hey, calling a 1-800 number can be quite fun, since they're paying for the call. May be fun to do an automated calling thing that calls, presses random numbers, speaks sloooooooowwwwwwlllllly...

Re:speaking of stupid... (1)

Feanturi (99866) | more than 8 years ago | (#15221460)

phishers will be losing money by paying actors

Where does it imply anywhere in the article that phishers are hiring actors to make the phone system sound like the bank? That would be incredibly stupid. You've called a bank before right? You know, the way you don't get to talk to a real person until you have listened to their *recorded* menu options, and "for faster service" enter your bank card number, maybe even speak a password, etc. None of this needs to involve anything but a voicemail box with the right kind of greeting message in it, at the basic minimum. It doesn't really need to be interactive, the greeting can just explain more about the 'problem' mentioned in the email, and then: "At the tone, please enter your xx-digit bank card number, and your x-digit pin number. When you are finished, press the number sign." Convert the dtmf tones to numbers and you're in business.

Re:speaking of stupid... (0)

Anonymous Coward | more than 8 years ago | (#15221472)

/. seriously needs a moderation option of "-1: Stupid"

Re:This... (3, Funny)

vertinox (846076) | more than 8 years ago | (#15221222)

Makes me think that it is still the safest option to have stupid customers do all their banking right at a teller.

What if the Phishers send email with instructions for stupid customers to go into fake banks and do business with fake tellers?

Re:This... (1)

kbmccarty (575443) | more than 8 years ago | (#15221481)

What if the Phishers send email with instructions for stupid customers to go into fake banks and do business with fake tellers?

Maybe happening sooner than we think, given the other Slashdot article... [slashdot.org]

Re:This... (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15220933)

that was exactly what I was just thinking.

Re:This... (5, Funny)

Solra Bizna (716281) | more than 8 years ago | (#15220956)

Until somebody makes a whole fake bank branch building.

-:sigma.SB

Re:This... (5, Funny)

Hoi Polloi (522990) | more than 8 years ago | (#15221021)

Then they can fake accounts, fake investments, fake interest, and...hell, why don't they just open a bank?

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221252)

Then they can fake accounts, fake investments, fake interest, and...hell, why don't they just open a bank?

Yeah! Their own bank! with blackjack ...and strippers!

Re:This... (1)

mike2R (721965) | more than 8 years ago | (#15221520)

I guess they just have some moral standards..

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221040)

Is this idea patentable?

Re:This... (1)

smooth wombat (796938) | more than 8 years ago | (#15221068)

Considering someone has faked an entire company [slashdot.org], that day can't be far off.

Then again, it's not much different than setting up a fake ATM [iol.co.za] somewhere and stealing the codes from people who swipe their cards.

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221071)

This wouldn't be unusual [slashdot.org].

Re:This... (1)

Andy Dodd (701) | more than 8 years ago | (#15221085)

Given the recent article about the fake NEC, it isn't as funny as it seems.

Also keep in mind that ATM card/PIN farming is not unheard of.

Re:This... (1)

camperdave (969942) | more than 8 years ago | (#15221177)

...until you realize that the poster was playing off the aforementioned article to make a joke.

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221364)

I think there's a "wellsfargo" in my grocery store that is just that. The tellers there are sooo stupid that it must be some kind of scam.

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221405)

I'll make a whole fake bank branch building, with hookers and Black Jack. Ahhh, forget the bank.

Re:This... (1)

cosmos_411 (960901) | more than 8 years ago | (#15221521)

They better not! I hold the patent on that!

Re:This... (1)

notagraphicartist (841754) | more than 8 years ago | (#15220963)

Sooooo Banks charge "Teller Fees" to use the teller, ATM fees to use the ATM, and now, "have your account phished and all your money stolen" fees to use the phone. Free enterprise (with subsidized federal legislative assistance) rocks!

Re:This... (1)

silasthehobbit (626391) | more than 8 years ago | (#15220982)

I think my approach is safer.

I no longer have a bank account. I keep my cash in separate places and I'm getting a pre-pay credit card (https://www.3v.ie/) when I next go to Ireland.

Oh, and I disbelieve most things sent to me by people I don't know.

YMMV

Re:This... (1)

Hoi Polloi (522990) | more than 8 years ago | (#15221125)

From tellers to ATMs and then back to tellers? The business cycle would be complete! The irony would be delicious. Of course you'd just see lots of guys with foreign accents and phony mustaches going to banks to make "vithdravels".

I wonder if the phishers grumble about getting flooded with phony Citibank emails from their competitors?

Re:This... (1)

oliverthered (187439) | more than 8 years ago | (#15221129)

Yeh, like they ask you for any ID when you change your address and say you've lost your cards. They didn't even check my date of birth!

Re:This... (1)

danimrich (584138) | more than 8 years ago | (#15221212)

But if it's their error they normally have to pay for it.

Re:This... (0)

Anonymous Coward | more than 8 years ago | (#15221458)

The only fly in that ointment is most banks now charge for you to interface directly with a teller...

Re:This... (5, Insightful)

buelba (701300) | more than 8 years ago | (#15221540)

The real safe option is only to call the number printed on the back of your credit/debit card. What's amazing is how badly the banks are set up for this. The following happens to me at least twice a year:

1. I travel for work, and use my credit card for all kinds of things I don't usually buy, like hotel rooms.

2. My wife keeps using the same card for all the stuff we usually buy.

3. The computer says: hey, someone maybe stole the card and is running up all those hotel charges!

4. A human from the security department calls us to verify, gets voicemail, and leaves a callback number that is NOT the callback number on the card.

5. I call back the number on the card. The human there says, "why don't you call the number they gave you?" I explain. They think about it and realize this makes sense. About 15 minutes later, I'm connected to the right people -- usually after going through a supervisor at the call center.

The right way to do it, of course, is to have the human from the security department leave this message: To call us back, call the number on your card; then, immediately enter the following code to be directed to the right department. But they still haven't learned.

I shudder to think what will happen when I'm eventually home when they call. I certainly won't do anything except hang up and call back the same number.
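One way a bank could implement the callback-code message buelba describes above, as an added example that is not part of the original post or any bank's actual system. The class and function names, the 6-digit code length and the 72-hour lifetime are assumptions.

```python
import secrets
import time

CODE_DIGITS = 6                 # assumption: short enough to key in on a phone pad
CODE_TTL_SECONDS = 72 * 3600    # assumption: the fraud case stays open for three days


class CallbackRouter:
    """Bank-side table of one-time codes that route an inbound call to an open case."""

    def __init__(self, ttl=CODE_TTL_SECONDS):
        self._ttl = ttl
        self._pending = {}  # code -> (department, case_id, expires_at)

    def issue(self, department, case_id, now=None):
        """Create a code for the agent to read out in the voicemail."""
        now = time.time() if now is None else now
        self._purge(now)
        while True:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in self._pending:  # never hand out a code that is still live
                break
        self._pending[code] = (department, case_id, now + self._ttl)
        return code

    def redeem(self, code, now=None):
        """Return (department, case_id) for a live code, else None. Codes are single-use."""
        now = time.time() if now is None else now
        self._purge(now)
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        department, case_id, _expires_at = entry
        return department, case_id

    def _purge(self, now):
        """Drop codes whose lifetime has run out."""
        expired = [c for c, (_, _, exp) in self._pending.items() if exp <= now]
        for c in expired:
            del self._pending[c]


def voicemail_script(code):
    """Build the message left for the customer: a code, but never a phone number."""
    spoken = " ".join(code)  # read out digit by digit
    return ("This is your card issuer's security department. To call us back, "
            "call the number on your card; then, immediately enter the "
            f"following code to be directed to the right department: {spoken}.")


def route_inbound_call(router, keyed_digits, now=None):
    """IVR step on the published number: route by code, else fall back to the general queue."""
    hit = router.redeem(keyed_digits, now)
    if hit is None:
        return {"queue": "general", "case_id": None, "verified_customer": False}
    department, case_id = hit
    # The code only routes the call. It proves nothing about who is calling,
    # so the usual identity checks still happen once an agent picks up.
    return {"queue": department, "case_id": case_id, "verified_customer": False}


if __name__ == "__main__":
    router = CallbackRouter()
    code = router.issue("card-fraud", "CASE-0001")  # constructed sample case
    print(voicemail_script(code))
    print(route_inbound_call(router, code))
    print(route_inbound_call(router, code))  # second use falls back to the general queue
```

The customer's trust comes from dialing the number printed on the card; the code carries no secret about the account and is useless on any other phone line.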

Fup, Fup (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15220923)

Fup, Fup

Ah, but how.. (5, Funny)

Squalid05 (850603) | more than 8 years ago | (#15220938)

..do they know what bank I use? I've had emails from banks all over the world regarding my "account". The only email I haven't got yet is from the bank I actually use!

Re:Ah, but how.. (4, Interesting)

GroinWeasel (970787) | more than 8 years ago | (#15221004)

I've had phishing emails that were for the right bank: and even had the right address in it (except for the fact that I moved from the address 2 years ago...)

Phishers are getting better, and I suspect they have friends within the banks.

Re:Ah, but how.. (4, Insightful)

corbettw (214229) | more than 8 years ago | (#15221104)

I've had phishing emails that were for the right bank: and even had the right address in it (except for the fact that I moved from the address 2 years ago...)

Sounds like they ran a credit check on you. All that information is collected by credit reporting agencies (believe it or not, how long you've had an account with one bank, and the average deposits, goes into your credit score...at least, that's what my banker told me when I opened my account with her). And I know addresses are kept in credit checks, since the last time I checked mine (last summer) it had addresses going back to 1998. Handy, since around the same time I had to submit all those addresses for my background check when I got my Series 7 and 65.

Long story short: don't ever give out your SSN to anyone unless you're getting money/credit from them. And minimize how many people you do business with in that regards.

Wanna know the easiest way to get a list of current addresses and SSNs?* Send out a mailing to 100,000 people in a given city, offering a car loan or something (which of course you have no intention of actually giving them). Statistically, at least 1000 of them will send you their full name, address, SSN, bank account information, even mother's maiden name. And yes, people are that stupid.

*I don't know if anyone's ever done this, and if it happens after this I specifically disclaim any responsibility for it.

Re:Ah, but how.. (0)

Anonymous Coward | more than 8 years ago | (#15221507)

don't ever give out your SSN to anyone unless you're getting money/credit from them

Best. Advice. Ever.

I have one exception to it, though. The power company in the region where I live uses a 3rd party check-payment processor to do their online bill-pay direct debit transactions. Signing up with that bunch of goons requires you to give out your SSN. They use it to verify your identity with the credit reporting agencies. I figure I'm giving them my bank account number anyway, so it really doesn't matter whether I'm giving them the SSN too. Financial ruin, here I come!

Re:Ah, but how.. (2, Interesting)

CastrTroy (595695) | more than 8 years ago | (#15221547)

There was a scam run a little while back up in Canada where they put out a fake job posting. People were asked to send in SIN, and other private information, and many of them did. They used this info to get credit cards and such in the people's names. They got pretty far before they were caught.

Re:Ah, but how.. (1)

955301 (209856) | more than 8 years ago | (#15221292)

But...if...they... have.... friends....in the bank.....with your information....

Oh, nevermind.

Re:Ah, but how.. (1)

jtownatpunk.net (245670) | more than 8 years ago | (#15221060)

Um...They don't need to. If they send a BofA spam to ten thousand people, chances are a lot of them will have accounts with BofA.

Re:Ah, but how.. (1)

LunaticTippy (872397) | more than 8 years ago | (#15221242)

Now that chase finally bought my regional bank I can look forward to spam "directed" at me. I feel paranoid since they bought my mortgage a while back and now this. I must be very tempting as a customer for them to buy a whole bank just to get my business!

BofA. Bastard Operator From AOL

Re:Ah, but how.. (2, Funny)

Mayhem178 (920970) | more than 8 years ago | (#15221141)

That's crazy talk. Online banking isn't the way to go! The real money is in those desperate Nigerian money transfers. Hell, I've won the UK lottery at least 20 times. I should be the richest man in the world by now.

Now if you'll excuse me, I'm gonna buy some cheap Viagra and refinance my home.

Re:Ah, but how.. (1)

Hoi Polloi (522990) | more than 8 years ago | (#15221176)

The key is to be a customer at a bank that doesn't give a shit about you. Then you always know all emails are phony.

Re:Ah, but how.. (1, Funny)

Anonymous Coward | more than 8 years ago | (#15221438)

The key is to be a customer at a bank that doesn't give a shit about you.

Is there any other kind?

Re:Ah, but how.. (1)

TheDauthi (219285) | more than 8 years ago | (#15221284)

All any phisher would need [in decreasing order of difficulty] is to have your routing number or partial credit file or the information from your bank's "partnership" program. Think about every time you make an electronic payment... do you really trust every company and every person working for each of those companies?

Re:Ah, but how.. (1)

roach2002 (77772) | more than 8 years ago | (#15221376)

You just reminded me about the favorite thing about trying to teach my parents about phishing. They get phishing attempts from banks that aren't theirs and delete them, but if they got a phishing attempt from someone impersonating their bank, or eBay, they'd click it in an instant.

They can only tell phishing attempts from not having an account.

Re:Ah, but how.. (2, Insightful)

955301 (209856) | more than 8 years ago | (#15221429)


Here's one idea. Your actions.

Start up a phishing cluster. Collect authentic notices from various banks (Fidelity investment statement notice, etc). Fire copies of these notices to "customers" in an html email. Add a graphic touch to a node in your cluster with a uid traceable to that email address. This email should otherwise be harmless and point to the actual institution - this leaves you with great options on what to email - Retirement tutorials, account statement notices, privacy statements.

If the customer has an account there, they are likely to open the email. By opening it, your cluster is pinged and notified that this email worked.

So now you have a more probable positive hit. Send them a customer service request to call and discuss apparent fraudulent transactions on their account.

Wow (1)

fish_in_the_c (577259) | more than 8 years ago | (#15220945)

How do you defend against this one. Or one better what if
'the bank' called you and said your account had been compromised and they need to reset your password. 'to do so of course they need to verify your old password' or you can go-online and change your password.

What's the next step. Setting up a phony bank branch and asking you to come into it?

Maybe I should just start using only cash.

Re:Wow (0)

Anonymous Coward | more than 8 years ago | (#15220993)

How do you defend against this one.

Easy, never trust anyone who contacts you. If they make you worry about something, then find the phone number or web address through normal means.

Re:Wow (2, Funny)

Rosco P. Coltrane (209368) | more than 8 years ago | (#15221002)

What's the next step. Setting up a phony bank branch and asking you to come into it? Maybe I should just start using only cash.

Yeah. I bet you that shiny $3 bill in my wallet that cash is a lot safer than banking...

Re:Wow (1)

Compholio (770966) | more than 8 years ago | (#15221026)

What's the next step. Setting up a phony bank branch and asking you to come into it?

... visit our new location at 25th and Wells and sign-up for our Totally Free Checking(tm) with Free iPod(tm) *! * Some terms and conditions apply, business may not actually be a subsidiary of Stealing Your Money Banks.

Re:Wow (1)

Java Pimp (98454) | more than 8 years ago | (#15221030)

If you aren't sure, call the number on your credit card(, bank statement, utility bill, phone book or whatever other trusted source you know is legit) and verify it that way.

Re:Wow (1)

GroinWeasel (970787) | more than 8 years ago | (#15221036)

Excellent point: how many people think to question if it's _really_ the credit card company calling you?

The answer: ask what the issue is, then hang up and call the company yourself to sort it out.

Re:Wow (0)

Anonymous Coward | more than 8 years ago | (#15221167)

I had a phone call from my bank a year or two ago asking for account details whilst trying to sell me some new account feature I didn't want.

I had a rant at them about security, that if the bank did this, then people would think it was normal behaviour, and then when the phishers did it they'd succeed. Naturally I didn't give them any of my details. I bet the guy just went on doing the same without even thinking about the issue or raising it with a superior.

So to you, Halifax Bank, your company is run by retards who don't consider these issues even though they're pretty damn important.

Re:Wow (1)

canuck57 (662392) | more than 8 years ago | (#15221049)

'the bank' called you and said your account had been compromised...

Be careful about that one. They might call you and say they are from the bank.

When I get such a call, I look the number up that is on my statements and call them back.

Unfortunately our legal systems are just too limp to charge these fraudsters with conspiracy to fraud, theft, whatever applicable laws in place they break. This fraudster should be trivial to catch.

Re:Wow (1)

Flaming Babies (904475) | more than 8 years ago | (#15221050)

How do you defend against this one.
By not accepting the phone number they give you as valid
without verifying the issue using a number for the bank that you know is valid.

Re:Wow (5, Interesting)

aussersterne (212916) | more than 8 years ago | (#15221147)

In the area where I live there has been a more serious "phone phish" going on. You receive a call from someone claiming to be a police officer. They say that they're very sorry to have to inform you that your mother/father/son/daughter/sister/brother has been involved in a serious crash and is being flown by emergency helicopter to regional hospital X. So that the hospital is able to treat them the moment it touches down, the officer is trying to complete necessary admittance and insurance paperwork in advance, and what they need from you is your insurance policy number *and* the full name, address, phone, credit card number, and social security number of someone who can be billed in the event that the insurance policy is unwilling to cover the necessary treatment.

From what I understand, these scammers have been doing pretty well, unfortunately, and as far as I know there are few leads. The public hasn't been told why... maybe they're using convenience store phones and/or pay phones.

Re:Wow (1)

w1r3sp33d (593084) | more than 8 years ago | (#15221157)

I've installed IVR's before, some for banks, but I was surprised a few months ago when I got a call on my cell with a blocked caller ID saying there was a potential fraud issue and that I needed to enter in my credit card number and my complete SSN. Needless to say I hung up on that one.

I called the 800 on the back of the card, only to find out that it really was the credit card company's IVR that called and there really was a fraud block being put on my card awaiting some verification info.

I suggest you ignore the initial call, but actively call the bank back since they won't be able to steal the actual 800 number even if they can display it in your caller ID.

Re:Wow (1)

LunaticTippy (872397) | more than 8 years ago | (#15221297)

I wonder if any scambait has been set up at probable misdials "near" the real 800 number. That'd be truly devious.

Yo Ho Ho! (2, Funny)

Hoi Polloi (522990) | more than 8 years ago | (#15221202)

The answer is to take all your money, convert it into gold coins, then bury it in a chest on an uninhabited island. Don't forget to kill the pirates who helped you bury it before leaving. Celebrate with a bottle of rum.

Re:Yo Ho Ho! (1)

MyNameIsEarl (917015) | more than 8 years ago | (#15221569)

The answer is to take all your money, convert it into gold coins, then bury it in a chest on an uninhabited island. Don't forget to kill the pirates who helped you bury it before leaving. Celebrate with a bottle of rum.
But why would I take people who download music/movies illegally to help me bury my treasure.

Re:Wow (1)

Colonel Angus (752172) | more than 8 years ago | (#15221566)

I've refused to answer any questions of a personal nature if I am called. I said that I would call back the number I have on my bank card and discuss the matter with whomever picks up my call. The person who made the original call has always been completely understanding of my choice to do so.

evolving (5, Interesting)

brenddie (897982) | more than 8 years ago | (#15220971)

It seems that phishing is evolving but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence so it should be easier to track; besides, this has to be breaking some "don't screw around with the phone" federal law.

Re:evolving (1)

geoffspear (692508) | more than 8 years ago | (#15221412)

Online phishing is already a violation of those very same federal wire fraud laws. This doesn't seem to be slowing it down.

Some revenge possible? (5, Insightful)

kanweg (771128) | more than 8 years ago | (#15220988)

So, what if you enter a random number with random PIN. They have to go thru the trouble to make the card, only to find out it doesn't work. And their face pop up at the video cameras of the ATMs all the time with failed withdrawals.

Bert

Re:Some revenge possible? (1)

Viol8 (599362) | more than 8 years ago | (#15221018)

If someone goes to this sort of trouble to get your details they won't
be using them to get a few hundred here or there out of ATMs. No, you'll be
buying Mr Nthungu Kwaweli of Lawless Province, Nigeria, his 4th AMG SL 600 and
a side order of AK47s.

Re:Some revenge possible? (1)

n2art2 (945661) | more than 8 years ago | (#15221190)

Better yet.

Then their gun supplier can just kill them for non-payment. Oh wait, that won't work, cause I'm guessing they only accept cash.

Re:Some revenge possible? (1)

LunaticTippy (872397) | more than 8 years ago | (#15221361)

Then why do they always want your pin?

Re:Some revenge possible? (1)

rk (6314) | more than 8 years ago | (#15221551)

Then I want to know who he buys from, because if he raids my account, he'll be lucky to get a full tank of gas and a couple magazines for one of his AK47s.

Re:Some revenge possible? (2, Informative)

venicebeach (702856) | more than 8 years ago | (#15221344)

They have to go thru the trouble to make the card, only to find out it doesn't work. And their face pop up at the video cameras of the ATMs all the time with failed withdrawals.

I doubt they are making cards and showing up at an ATM machine to use these numbers. They can buy merchandise over the internet, using each of their collected numbers until one works. Having a few bad numbers or accounts with little cash in them does not pose a significant problem to an operation like this.

Mummy (3, Interesting)

JamieKitson (757690) | more than 8 years ago | (#15220996)

My mum was called by a recorded message from my bank, asking for my date of birth, she assumed it was a fake (hurrah!) and put in a wrong birth date. It turned out to be genuine, they were checking that my mistaken PIN attempts were me and not somebody else :)

Again the basic rules apply (5, Insightful)

JoeyB (969202) | more than 8 years ago | (#15221043)

No one will ever ask you for your account number or pin. This is not so much a new twist as good old basic social engineering. It stands to reason NEVER to trust any unsolicited form of communication unless you check it out and NOT by calling the number the phisher provides.

Re:Again the basic rules apply (1)

sisukapalli1 (471175) | more than 8 years ago | (#15221164)

"No one will ever ask you for your account number or pin. This is not so much a new twist as good old basic social engineering."

Many credit card companies usually ask for the account number. In fact, I had one company asking for SSN. Once I signed up for a silly credit card to get the "goodies", and they approved it. I didn't use it at all, and was hit with a yearly fee. Fine. I call the number that came in the email, and the first thing was "please enter your SSN number". It took me a while to figure out whether it was the right thing or not. Eventually found out that it was the correct company. S

Re:Again the basic rules apply (1)

gEvil (beta) (945888) | more than 8 years ago | (#15221317)

Hmmm. ALL of my credit card companies ask you to either key or speak your CC# when you call them.

Re:Again the basic rules apply (3, Insightful)

mizhi (186984) | more than 8 years ago | (#15221541)

Incorrect. All the companies I call ask for identifying numbers. Whether it be Phone#, last 4 SSN, CC, or Account#. Granted, when I call them, they usually ask for 2 or 3 pieces of information to match up; such as mailing address, birthday, etc.

And just to cut the inevitable snarky comment off, yes they are the actual companies.

You are correct though. If you get an unsolicited contact through email or on the phone, don't trust them. If they are really from your institution, tell them you'll call them back on a number you know to be legit. If there's really a problem with your accounts that you need to know about, whoever you get on the line will know what it is. If there isn't, well, good job, you're helping against phishers by notifying the institution that someone is targeting people in their name.

On the Menu (1)

Billosaur (927319) | more than 8 years ago | (#15221082)

Phishing scams are prevalent and continue to proliferate. In traditional scams, miscreants try to pilfer personal information by sending spam e-mail with links to a malicious Web site, crafted to look like a site belonging to a trusted service provider. The phone scams are a new twist, made possible by cheap Internet-based telephone services, Cloudmark said.

Fresh phish with a side of Skype, anyone?

Not to belabor the point that all the other posters have made so far -- it's just another example of human stupidity. If it doesn't occur to them to check at their local branch first then they're asking for trouble. Of course this ends up impacting senior citizens more than anyone. After all, given age and occasional infirmity, they'd be easy marks, probably trusting the phone more than email. I'm sure the spectrum of dupes is pretty broad, but mark the elderly especially vulnerable, mitigated by the fact that not too many of them are using the Internet as extensively.

To wander a bit off the topic, when they were building a new PNC Bank branch in my area, they had a Winnebago parked nearby that was apparently a mobile bank, with tellers and even an ATM machine in the side. Far from building a brick-and-mortar branch, that seems a far more effective way of physically duping people, especially if you have all the trappings.

Still requires stupidity to work (1)

kratei (924454) | more than 8 years ago | (#15221098)

"As a precaution, people should not dial phone numbers received in an e-mail message and should double-check and dial the numbers printed on ATM and credit cards instead, it advised."

Um, duh! If you don't check the numbers you deserve to have these nice people borrow your money. Anyway how is this "new"? I've seen phone numbers in scam email before.

For this level of effort... (4, Insightful)

csoto (220540) | more than 8 years ago | (#15221105)

one would think these guys would just seek gainful employment.

Re:For this level of effort... (2, Interesting)

foniksonik (573572) | more than 8 years ago | (#15221246)

hmmm well they can spend a couple grand setting it up, spend some time on it to get it right, then wait for a few good hits to come in... jackpot, several grand per hit... 3-30 times their investment or more, much better return than investing or gainful employment, plus they're probably doing this on multiple platforms/scams so multiply the return and you've got some pretty nice salaries coming in, all tax-free. Add to this that they are most likely living somewhere where cost of living is relatively low while quality of life is high... Caymans, Virgin Islands, or the like, hell could be living in Senegal or some other nice to wealthy people African nation, where you can live a high life for a few grand a month (which is like spending 10 or 12 grand a month in the US easily)...

Education is the best solution (1)

jbarr (2233) | more than 8 years ago | (#15221106)

If you have family or friends who are less than computer savvy, take the time to explain the issues and concerns to them. I get questions all the time about whether this or that is a scam or not. Do I get annoyed by it? Of course! But it's certainly a lot less painful than having to deal with the after effects of someone who got stung.

Security & Stupidity (2, Insightful)

VincenzoRomano (881055) | more than 8 years ago | (#15221108)

Why should an institution (not just banks) ask me for details they are supposed to already know?
No security technology or technique is strong enough to defy stupidity!
And phishing exploits stupidity!

Re:Security & Stupidity (1)

Brix Braxton (676594) | more than 8 years ago | (#15221135)

I don't know if I would classify it as stupidity. It doesn't seem like it would be unusual for a credit card company to ask you to enter your pin to prove that you have rights to access account information.

Re:Security & Stupidity (1)

VincenzoRomano (881055) | more than 8 years ago | (#15221233)

it would be unusual for a credit card company to ask you to enter your pin to prove that you have rights to access account
I don't know. But usually users call the institutions at well defined numbers, not the reverse.

Re:Security & Stupidity (1)

Brix Braxton (676594) | more than 8 years ago | (#15221356)

Yes, but this scam emails a user - tells them they have a problem and to call the phone number listed in the email to resolve it. That gives it more credibility. A user might think that banks are now providing the phone number to combat phishing - as a precaution. If it were a 1-800 number, it would be even more credible.

800 Number? (2, Insightful)

Transplant (535283) | more than 8 years ago | (#15221111)

I wonder if these guys were stupid enough to use a "1-8XX" number. Oh the fun that could be had making them pay...

Fake Banks are Next? (1)

digitaldc (879047) | more than 8 years ago | (#15221123)

Phishing has gone extreme and so have the tactics.

The other day I walked up to what I thought was my bank and looked in only to find an empty lobby with a server and phone switching system behind the counter.

Safer? (1)

FirmWarez (645119) | more than 8 years ago | (#15221166)

Safer in a bank? I've never received a phishing e-mail that included an armed robber. It's really simple; banks don't e-mail you asking for info.

Phone service security filter (1)

foniksonik (573572) | more than 8 years ago | (#15221169)

Sounds like the banks need to add a security filter to their automated phone systems similarly to what they've begun doing on their websites... like Bank of America for instance now has a picture display above the password input, a picture that you pick out from a selection of pictures, which is pulled from a database and has a unique id. If the pic shown on the password input page is not the one you've selected, then you know you're on a phishing site.

For automated phone systems, there could be a word or phrase that you pick from a selection of phrases... when you use the system and put in your account number, it will ask you to confirm the following phrase is the one you selected, will repeat the phrase, you press a button to confirm, then if confirmed you put in your pin number.

No more phoney phishing

Re:Phone service security filter (2, Insightful)

LunaticTippy (872397) | more than 8 years ago | (#15221436)

Both of these ideas are handily defeated by man-in-the-middle attacks.

You visit a website. It visits your bank's website. You type in your account number. It types in your account number. Etc.

Same for the phone. It could simply conference you to your bank and listen in to everything you do. You're dealing with your own bank, so you wouldn't suspect anything. They'd have all your info.
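The exchange the two comments above describe, as an added example that is not part of the thread or any bank's system: a toy Python model of the phrase-confirmation check, showing that it stops a look-alike system with no link to the bank but not one that relays the call. The class names, account number, phrase and PIN are constructed for illustration.

```python
# Added illustration: toy model of the "confirm your phrase" phone check.
# Account number, phrase and PIN below are constructed sample values.

class Bank:
    """Real IVR: reads back the customer's chosen phrase, then checks the PIN."""
    def __init__(self, accounts):
        self._accounts = accounts          # account -> (phrase, pin)
    def phrase_for(self, account):
        record = self._accounts.get(account)
        return record[0] if record else None
    def login(self, account, pin):
        record = self._accounts.get(account)
        return record is not None and record[1] == pin

class StaticClone:
    """Look-alike system with no link to the bank: it cannot know the phrase."""
    def __init__(self):
        self.captured = []
    def phrase_for(self, account):
        return "your security phrase"      # can only guess
    def login(self, account, pin):
        self.captured.append((account, pin))
        return True

class Relay:
    """Middle system that forwards every prompt and answer to the real bank."""
    def __init__(self, bank):
        self._bank = bank
        self.captured = []
    def phrase_for(self, account):
        return self._bank.phrase_for(account)   # passed through unchanged
    def login(self, account, pin):
        self.captured.append((account, pin))    # seen in transit
        return self._bank.login(account, pin)

def customer_call(system, account, expected_phrase, pin):
    """Customer rule: enter the PIN only after hearing the right phrase."""
    if system.phrase_for(account) != expected_phrase:
        return "hung up"
    return "logged in" if system.login(account, pin) else "rejected"

def demo():
    bank = Bank({"1001": ("purple heron", "4821")})
    clone, relay = StaticClone(), Relay(bank)
    args = ("1001", "purple heron", "4821")
    return {"direct": (customer_call(bank, *args), 0),
            "clone": (customer_call(clone, *args), len(clone.captured)),
            "relay": (customer_call(relay, *args), len(relay.captured))}
```

The phrase proves that the far end can reach the bank's records, not that the caller is connected to the bank directly, which is why the relayed call is indistinguishable from the direct one on the customer's side.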

Authenticated email (1)

Jeremi (14640) | more than 8 years ago | (#15221267)

The banks really need to get together and figure out a secure, standardized, open protocol for sending authenticated emails. Otherwise, shenanigans like this just get more and more sophisticated until email becomes next to useless for business transactions (because you can't trust anything your email says, ever).


As for how this could be implemented, I'm not sure, but it seems to me that banks (working together) have enough technical skill and influence over their customers (and by extension, over the software their customers run) that they could make it work one way or another.

Re:Authenticated email (1)

gravesb (967413) | more than 8 years ago | (#15221336)

Or banks could refrain from sending e-mails, period, like most do. Most banks are pretty good about warning their customers to ignore e-mails. All communication is done by letter, or a phone call requesting the client come to the branch. Not 100% of banks do this, but I think we will see more and more go this way.

Re:Authenticated email (1)

bmetzler (12546) | more than 8 years ago | (#15221363)

The banks really need to get together and figure out a secure, standardized, open protocol for sending authenticated emails.

It's already been done. They just need to sign up as GoodMail clients and they are all set.

Brent

Re:Authenticated email (1)

zerosix (962914) | more than 8 years ago | (#15221367)

The problem is no one uses encryption even though it's out there...

The trail gets lost (1)

foniksonik (573572) | more than 8 years ago | (#15221334)

Just thinking that a likely situation is this...

Use a previously scammed credit card to set up a free to call in phone system, which you can get through several service companies to create surveys, etc. this would clear you of any connection with the number itself and stop any backtracking investigation....

Use a cash prepaid temporary cellphone to call in to retrieve said info, probably by having it email the data to an anonymous hotmail account or some such... use a zombie PC to download/access said account, store on USB drive.... voila.

Completely anonymous collection process, with the only backtrack leading to a victim's credit card account and an IP trail leading to a throw away Zombie PC located in another country altogether.

Russians (0)

Anonymous Coward | more than 8 years ago | (#15221354)

Here in the UK there is a disturbing new development. Certain ATM machines have been tampered with and now have a false front. When you put your card in the slot, your account details are captured and a camera records you inputting your pin number. At a later date, the false front is removed and the data is retrieved.

Apparently, Russian gangs are responsible. . .

http://news.bbc.co.uk/1/hi/england/tees/3516236.stm [bbc.co.uk]

All of this comes from Spam (2, Interesting)

mabu (178417) | more than 8 years ago | (#15221389)

This is all the result of spamming. At what point are the authorities going to take the spam problem seriously? This is what I want to know. The main way worms, counterfeit products, illegal drug sales, viruses, adware, trojans, backdoors, phishing, and other things propagate is via UCE. Every system spam passes through has records on where it is coming from and where it is going. Even with the jurisdictional issues, there should be more action and prosecution from various authorities of spammers. Why there isn't is mind boggling. If we can shut down some of these spam gangs, most of this activity will stop.

The $64M question is why the Feds don't seem to be interested in stopping spammers? I refuse to believe they are that incompetent. Any decent network admin could track these spammers to a physical address within a few days.

Re:All of this comes from Spam (3, Insightful)

gravesb (967413) | more than 8 years ago | (#15221514)

I refuse to believe they are that incompetent.
Then you've never worked for the government.

mo3 dowN (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15221493)

phone vs web address (1)

mapkinase (958129) | more than 8 years ago | (#15221522)

So the change of the hook up point is web address->phone number.

Web address is easier to check right away without going there, but phone numbers are still checkable. I actually always google the owners by googling them.