Thursday, September 07, 2006

"Voice Phishing" to Steal Bank Information

Vancouver (CP, Craig Wong) - Consumers may have become wise to e-mail scams designed to steal bank account numbers and other personal information but fraudsters are now taking a new tack to get at their money over the phone, experts say.

"Our main concern there is these voice phishing guys were spoofing a method that legitimate institutions use very often in terms of getting a hold of their customers," says John Kane, a spokesman for the Financial Consumer Agency of Canada, a federal watchdog for the financial services sector.

"Our concern there was that consumers wouldn't really have a way of telling the real from the false."

The technique known in web lingo as "phishing" involves a scam artist posing as a bank or other official to convince their targets to give up sensitive information.

Older e-mail phishing scams prompt potential victims to click on a link on an official looking e-mail to confirm account details. Some refer to a recent security breach or an upgraded security system that requires verification, while others try to scare unsuspecting users with talk of recent repeated attempts to access their account from a foreign-based computer.

But while the newer scam may come in an e-mail, a more sinister version dubbed as "vishing" or "voice phishing" comes as an official sounding telephone message asking the unsuspecting consumer to call the bank back and at a number to confirm account details.

The number is actually set up by the fraudster, who uses an automated service that prompts consumers to "log in" by providing account numbers and passwords using the telephone keypad then captures those numbers.

"We figured people were already sensitized somewhat to the e-mail sort and even if it contained a phone number in it people were somewhat sensitized to that avenue," Kane said.

"What these fraudsters were apparently doing was using machines to call people automatically and leave a voice message on their home phone saying there's a problem, give us a call back at the bank and here's the phone number."

According to Phonebusters, the national anti-fraud call centre operated by the RCMP and the Ontario Provincial Police, there were 11,231 reported identity theft complaints last year that swindled consumers out of a total of $8.6 million in Canada.

Up to the end of February this year, there have been 1,137 identity theft complaints for a total of $1.9 million.

Maura Drew-Lytle, spokeswoman for the Canadian Bankers Association, said it isn't just bank account information the scams are trying to steal.

"Some of the phishing people have pretended they are the government trying to get your social insurance number. It is any sort of personal information that they can get to use to commit some sort of fraud," she said.

Drew-Lytle said Canadian banks may call and leave a voice messaging saying they suspect fraudulent activity on your card, but they will never send an e-mail to a customer asking them to call them back at a specific telephone number.

But even then, she suggested, someone concerned about a possible scam should call their bank back at the number listed on a recent statement from the bank or on the back of their bank card to confirm it is an legitimate inquiry from their institution.

"The other thing with phishing or vishing is that these are mass either e-mails or voicemails that are sent out to all kinds of people. They don't know who you are," said Drew-Lytle.

She said if the call is legitimate, it will address you by name and that's the same with email, not: "Dear valued customer."

"Legitimate companies when they contact you, know who your are, so they'll personalize it," she said.

Some advice for consumers who receive fraudulent calls looking to steal bank information

(CP) - Advice for consumers who receive a telephone call, message or e-mail purportedly from their financial institution they suspect may be fraudulent:

-Do not respond to an e-mail asking you to disclose personal information, such as an online password, your debit or credit card numbers or your personal identification number.

-Do not use the phone number provided in the e-mail or in the telephone message without first verifying that it is valid.

-To confirm a phone number provided is legitimate, contact your financial institution using a you have looked up yourself.

-As part of a legitimate conversation, you will not be asked to verbally provide your personal identification number or password.

-Always be cautious about how and with whom you share personal and financial information.

(Source: Financial Consumer Agency of Canada )