Websense Security Labs, San Diego, in June reported a scam that targeted customers of Santa Barbara Bank & Trust with an e-mail alerting them to a supposed problem with their account. Instead of directing them to click on a link, the e-mail listed a phone number for customers to call to verify their identity. When the victim called the number, a fake automated voice response system set up by the scammers asked them to enter their 16-digit account number using the phone keypad.
Earlier this month, a similar scam involving bogus PayPal account security warnings attempted to trick users into providing credit card information via telephone.
Voice phishing—or "vishing"—is dangerous because although most Internet users won't click on a URL in an e-mail, they're quite accustomed to entering their credit card or account number through a phone keypad, said Paul Henry, vice president of strategic accounts for security vendor Secure Computing, San Jose, Calif.
"This is really an evolution of phishing and a great example of how social engineering can be used to hack a normal human process," Henry said. Vishing can help criminals obtain detailed credit card data, such as expiration dates and the three-digit security codes on the back of most credit cards, for use in identity theft, he added.