Phishers Get Phoney
Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
Makes me think that it is still the safest option to have customers do all their banking right at a teller.
where's all that Karma?
..do they know what bank I use? I've had emails from banks all over the world regarding my "account". The only email I haven't got yet is from the bank I actually use!
To dare, is to do.
It seems that phishing is evolving, but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence, so it should be easier to track; besides, this has to be breaking some "don't screw around with the phone" federal law.
The best test environment is production. - Me
chrome://browser/content/browser.xul
So, what if you enter a random number with a random PIN? They have to go through the trouble to make the card, only to find out it doesn't work. And their faces pop up at the video cameras of the ATMs all the time with failed withdrawals.
Bert
No one will ever ask you for your account number or PIN. This is not so much a new twist as good old basic social engineering. It stands to reason NEVER to trust any unsolicited form of communication unless you check it out and NOT by calling the number the phisher provides.
One would think these guys would just seek gainful employment.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
In the area where I live there has been a more serious "phone phish" going on. You receive a call from someone claiming to be a police officer. They say that they're very sorry to have to inform you that your mother/father/son/daughter/sister/brother has been involved in a serious crash and is being flown by emergency helicopter to regional hospital X. So that the hospital is able to treat them the moment it touches down, the officer is trying to complete necessary admittance and insurance paperwork in advance, and what they need from you is your insurance policy number *and* the full name, address, phone, credit card number, and social security number of someone who can be billed in the event that the insurance policy is unwilling to cover the necessary treatment.
From what I understand, these scammers have been doing pretty well, unfortunately, and as far as I know there are few leads. The public hasn't been told why... maybe they're using convenience store phones and/or pay phones.
STOP . AMERICA . NOW
I mean, aren't they fooling enough people in the status quo? Now, they have to pay people to act like they work for a bank, and have them on call 24/7.
The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.
I think the "Tragedy of the Commons" has struck the spam and phishing world. First, a few spams and you had a high return rate. Now that everyone's inbox is flooded, no one reads them anymore. So people turned to phishing, which made a lot of money. However, people realized that you know, the bank isn't going to send them alerts to *every* email account they have anymore (I get the same phish email in my home account (several copies), and my Gmail account), or as I mentioned in my anecdote, *several* copies. For the past week, Chase Online had a problem *EVERY SINGLE DAY*. The first time, maybe. The Nth time, well, it's obviously a scam.
Either that, or if one were to answer every phish, there would've been nothing left in the account beyond the first couple of phishers.
So now that everyone's into the phishing racket, all the low-hanging fruit is gone, since people get suspicious when the bank sends multiple emails on the same problem, or over the course of a week, or different problems with the same bank. It worked wonders when phishes were rare. Now that they happen daily, well.
Interesting how the Tragedy of the Commons can affect scams as well (which probably included a number of ways spam has evolved over the years).
But hey, calling a 1-800 number can be quite fun, since they're paying for the call. May be fun to do an automated calling thing that calls, presses random numbers, speaks sloooooooowwwwwwlllllly...
It's a form of online fraud, and I specialize in its prevention. There are two simple things to do to prevent ID/personal info theft like this. Never click a link in an e-mail. I'd say you can hover over the link and you'll see it's masked, forwarded, just plain a different site, etc., but most of the population has no clue how to read those things anyway (though I'm sure most, if not all, of you here know how to). Go directly to the company's page if you have an account with them. If they need you to "verify" info or whatever, the legit site will tell you after you've signed in. Ignore it altogether if you don't have an account with the place supposedly sending it (right now it's very common to receive things from "Chase" asking to fill out a survey and get $20). The second is to call the regular customer service number you can get through 411. An agent via that number can connect you to whoever you need. If the e-mail says to call a certain number to get hold of a certain person, an agent can help you find that person, if he/she exists and is an employee of the company. No legit institution at which you have an account will address you as, "Dear customer," or some other impersonal greeting. Always by your name. It's at the point that I believe that, if someone has their ID stolen, they deserve it. We've all heard time and again not to click on links, and yet 3-7% of people still fall for these things. Yes, the number is that high. Scary, huh?
It's a girl!