Back in April, fellow blogger Matt was theorizing about a new type of phishing where the phish used a phone system to obtain your information rather than stealing it through a website. Well, it looks like that theory has become reality.
Recently a phishing email was detected that didn’t direct you to a spoofed website; instead, it asked you to call Chase Bank at a phone number and enter your information through their system. The problem is, it isn’t Chase. The phone number in the email was actually controlled by the phishers, as was the automated touch-tone system that requested your SSN, account number, etc.
Here is a copy of the email phish:
Dear Customer, We’ve noticed that you experienced trouble logging into Chase Online Banking. After three unsuccessful attempts to access your account, your Chase Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Chase is committed to make sure that your online transactions are secure. To verify your account and your identity please call our Account Maintenance Department at *(888) 555-3406* 24 hours / 7 days a week.
Online Customer Service
In corporate IT security, there is a lot of talk about end-user education — in effect, teaching employees how to be safe and secure with corporate data. I think this phone phishing example is a case where end-user education is one of the only options. In this case, how do you know who you are calling, and how can you confirm it? The 6.5 version of ZoneAlarm goes a long way toward protecting you in the offline realm, but I can’t see how any software, credit opt-out, monitoring or detection can protect someone from picking up the phone and dialing a phony number — end-user education and caution may be the only option in this case.
Maybe the best suggestion is to use caution and refer to the company’s website for its officially listed phone number, so that you avoid falling victim in cases like this.
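The advice above (only trust the number the company publishes itself) can also be applied on the mail side, before a message ever reaches the person who might dial it. The following is an added example written for this post, not code from the original author or from Chase: it pulls phone numbers out of an email body, checks whether a known brand is named, and flags the message when it urges the reader to call a number that is not on that brand's published list. The allowlist entry, the "legit" sample message and the helper names are all constructed for the example; the real published number would be taken from the company's own website.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the phish quoted in the post, trimmed to the
# sentences the check needs (the number is the one from the email).
SAMPLE_PHISH = (
    "Dear Customer, We've noticed that you experienced trouble logging into "
    "Chase Online Banking. To verify your account and your identity please "
    "call our Account Maintenance Department at (888) 555-3406 "
    "24 hours / 7 days a week."
)

# Constructed contrast case: same brand, but the number is on the allowlist.
SAMPLE_LEGIT = "Your Chase statement is ready. Questions? Call us at 1-800-555-9999."

# Hypothetical allowlist keyed by brand. In practice this is populated from the
# number the company publishes on its own website (the post's recommendation).
# The value below is a placeholder, not Chase's real number.
PUBLISHED_NUMBERS: Dict[str, Set[str]] = {
    "chase": {"8005559999"},
}

# North American numbers in common written forms: (888) 555-3406, 888-555-3406,
# 1-800-555-9999, 888.555.3406. Lookarounds stop it matching inside longer
# digit runs such as account numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# Words that turn a number into an instruction to pick up the phone.
CALL_CUES = re.compile(r"\b(call|dial|phone|contact us at)\b", re.IGNORECASE)


def extract_numbers(text: str) -> List[str]:
    """Return every phone number in the text as a bare 10-digit string."""
    return ["".join(m.groups()) for m in PHONE_RE.finditer(text)]


def brands_mentioned(text: str) -> List[str]:
    """Return the allowlisted brands whose name appears in the text."""
    lowered = text.lower()
    return [brand for brand in PUBLISHED_NUMBERS if brand in lowered]


def assess(text: str) -> dict:
    """Flag a message that names a brand and asks the reader to call a number
    the brand does not publish. Returns the evidence alongside the verdict."""
    numbers = extract_numbers(text)
    brands = brands_mentioned(text)
    has_call_cue = CALL_CUES.search(text) is not None

    # A number is 'unverified' for a brand when it is absent from that brand's list.
    unverified: List[Tuple[str, str]] = [
        (brand, number)
        for brand in brands
        for number in numbers
        if number not in PUBLISHED_NUMBERS[brand]
    ]

    return {
        "numbers": numbers,
        "brands": brands,
        "unverified": unverified,
        # Only an explicit "call this number" with an unpublished number is flagged;
        # a brand name or a phone number on its own is not enough.
        "suspicious": has_call_cue and bool(unverified),
    }


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(body))
```

Run as a script, the phish sample is reported as suspicious with the unverified pair ("chase", "8885553406"), while the constructed legitimate message is not. A message that mentions no allowlisted brand is never flagged, which keeps the rule quiet on ordinary mail; the trade-off is that it only catches attempts that name a brand whose published number you have recorded.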