Are users becoming more wary of link clicking in email? Are they getting savvy to the tricks of the email phisher? Certainly there is some evidence that the security message is starting to get through to the masses, but not nearly quickly enough to turn the phishing tide in my opinion. Whatever the case, it appears that ID thieves need to find their own unique selling point in order to stand out in a sea of scam. Anti-virus specialist Sophos has uncovered one such attempt, where the phisher uses a new twist to con PayPal users into revealing credit card details.
It starts off as any other PayPal scam, claiming fraudulent activity on the recipients account and requiring contact to confirm personal details to reactivate it. But there is no typical ‘click here to confirm’ link that opens a convincing fake site with login screen to capture username and password followed by a form to capture financial detail. What there is, is a telephone number to call in the US that leads to a voice message purporting to be ‘account verification’ and asking the caller to enter their credit card number to match the one they supposedly have on file. This is a lot cleverer than at first it may seem, as users have been conditioned by security experts and the media alike to be rightly wary of link clicking in email messages. What is more, those same advisors will often say that if in doubt you should telephone the company concerned. With companies like PayPal operating almost exclusively online, including support, and not exactly publicizing telephone numbers it plays right into the scammer’s hands on all counts.
What is more, the phishing crew behind this one has used software that knows what a genuine credit card is, and if the user enters an incorrect one they will be prompted to re-enter: so enhancing the feel of legitimacy and reducing suspicion. Although this particular phishing attempt is far from crude, it seems certain that the phone phishers will quickly become more mature and accomplished. Sophos warn that the harvesting of messages from corporate switchboard systems, so as to fool callers into thinking they have the real thing on the end of the line, is a likely next move.
You can read more and listen to an actual recording of the VoIP phishing scam at Sophos.