In a natural evolution of phishing, Internet scammers are switching to “vishing” — short for “voice phishing” — to steal user information. Vishing combines Voice over IP (VoIP) telephony with clever social engineering to gain access to the victim's personal and financial details by exploiting the perceived trust in traditional telephone services.

With increased user education about Internet scams, people are more aware that an e-mail containing a URL could be malicious. Instead of using a misdirected Web link to a phony banking site to steal user information, fraudsters are luring victims to something more credible, such as calling a toll-free number and having an automated recording ask for account information.

Potential victims receive the usual convincing e-mail phish, crafted to look like a genuine complaint. But instead of being directed to a website to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of the targeted financial institution's automated voice system and are asked to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough information to commit identity theft and make fraudulent use of the account.

With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish, we have also observed IRS vishing campaigns targeting VISA or MasterCard debit cards.

IRS Vish email

Here’s another example of a vish campaign targeting a well-known bank.

Bank Vish email

Other variants of vishing spoof CallerID so that an incoming call appears to come from a 1-800 number, or use SMS messages purporting to be from a bank. A text or pre-recorded voice message is then delivered, persuading the victim that their account has been frozen due to suspicious activity. Because the incoming call displays a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.

Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology, which enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence, never one supplied in the suspicious message itself.