Scammers have begun using the telephone to harvest data for use in identity theft and credit card fraud, and voice-over-IP is making it easier for them to cover their tracks.
Websense Security Labs last month reported a scam that targeted customers of Santa Barbara Bank & Trust with an e-mail alerting them to a supposed problem with their account. Instead of directing customers to click on a link, the e-mail listed a phone number for customers to call to verify their identity. When victims called the number, an automated voice-response system asked them to enter their 16-digit account numbers using the phone keypad.
And in early July, a similar scam involving bogus Paypal account security warnings attempted to trick users into providing credit card information via telephone.
Paul Henry, vice president of strategic accounts at Secure Computing, a San Jose, Calif.-based security solution provider, said voice phishing is dangerous because although most Internet users won't click on a URL in an e-mail, they're quite accustomed to entering credit-card or account numbers via the phone keypad.
"This is really an evolution of phishing and a great example of how social engineering can be used to hack a normal human process," Henry said.