IT security and control firm Sophos is warning computer users to
be extra vigilant about any emails which claim to come from
financial institutions, no matter how genuine the correspondence
appears. The warning comes as customers of a small credit union,
Kessler Federal, are being targeted with phishing emails that
attempt to cash in on a phishing warning posted on the
organisation's website, and entice worried customers to call a fake
phone number to verify their details.
Sophos experts note that to add credibility to the phish, the
cybercriminals have stuck very closely to the text used on Kessler
Federal's website and have included legitimate URLs which link to
official advice pages, as well as the proper email address for
reporting abuse. However, the phishers did change the date, text
and phone number at the bottom of the email in an attempt to
solicit phone calls to the posted number.
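The pattern described above, a cloned advisory whose links are all genuine and whose only hostile element is a swapped-in phone number, is exactly what URL-reputation filters miss. The script below is an added example (not Sophos's or Kessler Federal's code) of a check that catches it: it extracts the phone numbers and link hostnames from an inbound email, compares them against the institution's published contact details, and diffs the body against the genuine advisory to show what the criminals changed. The advisory text, the phish, the allowlisted number and the domain are all constructed placeholders.

```python
import difflib
import re

# Constructed allowlist of the institution's published contact numbers
# (10 digits, digits only) and web domains. Placeholders, not Kessler
# Federal's real details.
KNOWN_PHONE_NUMBERS = {"8005550100"}
KNOWN_DOMAINS = {"example-cu.test"}

# Constructed text of the genuine advisory on the institution's website.
GENUINE_ADVISORY = """Fraud alert, 1 March
We are aware of phishing emails targeting our members.
Guidance: https://example-cu.test/security/phishing
Report suspicious messages to abuse@example-cu.test
Questions? Call us on 800-555-0100."""

# Constructed phish: same wording and the same legitimate links, but the
# date and the phone number at the bottom have been replaced.
PHISH_EMAIL = """Fraud alert, 15 March
We are aware of phishing emails targeting our members.
Guidance: https://example-cu.test/security/phishing
Report suspicious messages to abuse@example-cu.test
To verify your card details, call 800-555-0142 now."""

# North-American-style numbers: optional parentheses, space/dot/dash separators.
PHONE_RE = re.compile(r"\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_phones(text):
    """Return the phone numbers in the text as a set of 10-digit strings."""
    return {"".join(groups) for groups in PHONE_RE.findall(text)}


def extract_domains(text):
    """Return the hostnames linked from the text, lower-cased."""
    return {host.lower() for host in DOMAIN_RE.findall(text)}


def changed_lines(genuine, suspect):
    """Lines present in the suspect message that are not in the genuine advisory."""
    diff = difflib.unified_diff(
        genuine.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    # Skip the "--- " / "+++ " file headers; keep only added lines.
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def analyse(email_body, genuine_advisory):
    """Classify an email against the institution's known contact details."""
    unknown_phones = extract_phones(email_body) - KNOWN_PHONE_NUMBERS
    unknown_domains = extract_domains(email_body) - KNOWN_DOMAINS
    return {
        "unknown_phones": unknown_phones,
        "unknown_domains": unknown_domains,
        # All links resolve to the institution's own domains: a URL filter
        # would pass this message.
        "links_all_genuine": not unknown_domains,
        # A phone number the institution does not publish is the tell for
        # the cloned-advisory vish, whatever the links look like.
        "likely_vishing": bool(unknown_phones),
        "changed_lines": changed_lines(genuine_advisory, email_body),
    }


if __name__ == "__main__":
    for name, body in (("genuine", GENUINE_ADVISORY), ("phish", PHISH_EMAIL)):
        print(name, analyse(body, GENUINE_ADVISORY))
```

Run against the constructed phish, the analysis reports every link as genuine and still flags the message, because 800-555-0142 is not on the allowlist; the diff shows the two changed lines (the date and the call-to-action), which is what an analyst would want to see when triaging a reported email. In practice the allowlist would be fed from the institution's published contact page rather than hard-coded.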
[Image: the phishing email, which asks recipients to call a phone number.]
When dialled, users are greeted with an automated voice which
assures callers that they will not be asked for any personal
information such as a Social Security number. It then goes on to
ask for the customer's bank card number, followed by the PIN -
sufficient information for the cybercriminals to steal money from
the user's bank account at a cash machine, or to transfer funds to
an off-shore account.
"By using genuine links in the email, the cybercriminals are
making it very hard for recipients to realise this is a phish.
What's more, most computer users are now wary of clicking on links
and entering their details, so asking customers to call to verify
their information further enhances the legitimacy of the email,"
said Graham Cluley, senior technology consultant at Sophos. "Phishing
techniques are constantly evolving as the organisations and
customers involved wise up to the old tricks. Plus, it's not just
global brands that are being targeted - a financial organisation of
any size is valuable to phishers, provided they can make their
scams seem legitimate and trick users into handing over their
personal details."
Sophos notes that this is not the first time that voice phishing
(known as "vishing") has been used to trick innocent victims into
parting with their bank details. In 2006, PayPal users were targeted
by a similar scam.
"There seems to be little that financial organisations can do to
stop criminals cloning their switchboards lock-stock-and-barrel,"
explained Cluley. "To combat the risks, users should learn to use
the telephone number on the back of their card or go into a branch
rather than trusting everything they receive via email."
Sophos recommends that users protect themselves with a consolidated solution that defends against
spam, spyware, hackers and viruses, and that they exercise caution with
unsolicited emails.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.