Phish Stew

Recently, I received an email from a favorite online store of mine, warning me that my order was on hold and that I needed to call American Express to authenticate and validate the charge. In the email I was provided a phone number and a case number. It was presumably for a real order I had placed — so I called.

Then things got real weird. Once I phoned the provided number, I was greeted with an automated touch-tone system asking me to key in my credit card number. It sounded fake. When I call American Express, I expect their automated phone tree systems to use professional voice talent and not the customer service manager’s voice (not that it was — I don’t know). Now, being the paranoid guy I am, I didn’t enter my credit card number as requested. Instead, I hit 0 or # or whatever to get to a real operator. After a few minutes of speaking to the fraud prevention representative, the charge was approved and the retailer notified.

Now I do like the fact that American Express flags potential fraudulent transactions. And I do like that my retailer immediately notified me that the order was on hold. But I think they go about it all wrong and that it’s just a big phishing scam waiting to happen.

Imagine this: an email lands in your inbox saying that a recent purchase at Amazon.com has been put on hold for approval by your credit card company. Like the email I received, you are provided with a phone number and case number. You call this phone number and when prompted you enter your credit card number, expiration, and CV2 code. You then enter the case number. Finally, the automated system asks you to approve or disapprove the charge in question for the case number you provided. Since you had recently made an Amazon.com purchase, you say yes. You hang up thinking all is well and good.

Here’s what really happened: some clever person in a far-off country has signed up for an 800 number VoIP service. They’ve got their VoIP service set up to terminate on an Asterisk box they have at their house or ISP or wherever. They’ve also gone through the trouble of setting up an automated voice prompting script that asks callers to key in their credit card number, CV2, and expiration date. In other words, they’ve created a "spoof" automated fraud prevention system much like American Express currently uses. Too expensive to pull off, you might think? Not if you consider that VoIP is dirt cheap, and Asterisk is free. I can’t imagine it would be too hard to obtain VoIP service using a stolen credit card, either. The last part of the equation is spamming the world with a fake "fraud alert" email purporting to be from a major retailer like Amazon (much like the legit one I received). The likelihood that this phishing email will arrive in the mailbox of someone who has recently bought something at Amazon is quite high. I’m sure there are a handful of other vendors that have significant online sales volume, too — they would certainly be just as vulnerable to this sort of phishing attack.

The point of this blog post, though, is not to spell out some great new way for hackers to rip off more unsuspecting people. Rather, this whole experience made me stop and think about just how massive a problem phishing could turn into. I no longer think of phishing as just some dumb email trick that tries to fool me into going to a (usually) fake-looking web site. I fully expect next generation attacks to incorporate "offline" methods for scamming card numbers out of unsuspecting consumers. While blacklisting or flagging phishing web sites is one small step towards solving the problem, I believe the real solution is stopping the email scams from ever arriving.

If anything, this is just another sign that the Internet email system is in need of an overhaul. In our current legacy email system, there’s no "built-in" way to know that an email really comes from whoever it says it is from. And until a sender verification method like Sender Policy Framework (SPF) is adopted, Internet users will continue to receive progressively more sophisticated phishing emails.
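To show concretely what SPF buys a receiving mail server, here is an added example (not code from the original post): the receiver looks up the SPF TXT record of the envelope-sender domain and checks whether the connecting server's IP address is one the domain has authorized. The record and IP addresses are constructed, and mechanisms that need further DNS queries (a, mx, include) are skipped as a simplifying assumption.

```python
import ipaddress

# Constructed sample record for a hypothetical retailer domain (no real DNS
# lookup): only 192.0.2.0/24 and 2001:db8::/32 may send mail on its behalf.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate an SPF TXT record against the connecting mail server's IP.

    Handles the ip4, ip6 and all mechanisms with their qualifiers. Terms that
    need extra DNS queries (a, mx, include, redirect=) are skipped here as a
    simplifying assumption; a real receiver resolves them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all, usually "-all"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # other mechanisms and modifiers are skipped in this example
    return "neutral"  # nothing matched and no "all" term present


if __name__ == "__main__":
    # Mail from the retailer's own outbound server passes ...
    print(spf_check(EXAMPLE_RECORD, "192.0.2.25"))
    # ... while a spoofed "fraud alert" sent from elsewhere fails.
    print(spf_check(EXAMPLE_RECORD, "203.0.113.7"))
```

A "fail" result is what lets the receiving server reject or quarantine a spoofed "fraud alert" before it ever reaches the inbox; a "softfail" or "neutral" record gives it much less to act on.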

In the meantime, what can you do?

  • Do not click links in emails from ecommerce sites. Directly type the URL into your browser’s address bar.
  • Do not give out personal information to people who call you. This is an illegal practice the Federal Trade Commission calls "pretexting."
  • Only give out information to phone representatives that you have telephoned, using phone numbers from official sources (such as the website that you typed in or correspondence that you know is official). The Department of Justice has more information about telemarketing fraud.
1 Reader Comment to “Phish Stew”
  1. Thanks for making me thoroughly paranoid. I just put a “debt collector” who said he was calling from my doctor’s office through the wringer. They said I had a bunch of late bills they had notified me about… now I’m wondering if my mail is being stolen since I didn’t get any.
    Even after I called them back I wondered if it could be a fake number. While I was giving them my credit card I said wait a sec. And did a search on the doctor’s office to make sure the number was the same. Thanks for making me think twice!
