Credit Card Vishing Attacks On the Rise
By Eva Norlyk Smith, Ph.D.
May 22, 2009
Credit card fraud is rampant these days. Every day it seems like fraudsters come up with new approaches to get their hands on your credit card number. Stealing wallets with credit cards is way too last century; these days, fraudsters have much more elegant ways to relieve you of your credit card information.
Unbeknownst to you, while you pump gas, your credit card information may be skimmed off by a small device attached to the gas pump. Store clerks or restaurant cashiers can similarly use a small handheld device to download your credit card information off the magnetic stripe on your card. Dumpster divers can dig up old receipts or credit card statements; and then, of course, there are those fraudulent phishing e-mails trying to install spyware on your computer or deceive you into divulging sensitive information.
One of the newest scams is a so-called vishing attack, which is often used in combination with credit card skimming or phishing emails. Short for voice phishing, vishing scams use Voice over Internet Protocol (VoIP) phones to trick people into giving out their personal information. According to the FBI’s Internet Crime Complaint Center (IC3), vishing attacks are increasing at “an alarming rate.”
In a recent scam targeting Visa and MasterCard holders, fraudsters call victims whose credit card number they already have. The scammer explains that the cardholder’s account has been flagged for fraudulent activity, and alarms the cardholder by making reference to a bogus charge from an unknown company. The scammer then promises to take care of the issue, but explains that he first needs to verify that the cardholder is still in possession of the card. He then asks the cardholder for important card details that are not skimmed off with the credit card information, such as the person’s address and the 3-digit security code on the back of the card.
Also known as CVC2 codes, the 3-digit security codes imprinted on the signature panel of MasterCard and Visa credit cards serve an important security purpose. They are not encoded in the magnetic stripe of the card, and are therefore not picked up by card skimming devices or by scammers who get their hands on a copy of your credit card statement. The CVC2 code is required for most credit card transactions where the physical card is not present, so fraudsters need the security code to use the credit card.
In other instances, fraudsters use a two-prong approach, combining phishing with vishing. They send out a blast phishing e-mail, disguised to appear as if it’s from a well-known financial institution, on-line payment service, or auction service like eBay. The email reports a “security” problem with the account and asks receivers to call a telephone number to update and verify their account. When victims call the number, typically an automated voice prompts them to enter sensitive information, like their credit card account number, passwords, PIN number, credit card expiration date, or other personal information for the purposes of “account verification.” In some cases, the phone may even be answered by an “employee” who asks them for certain account details to “verify” that they are the account holder.
Vishing is an instance of so-called “social engineering” crime. It exploits people’s trust in authorities and in landline telephone services, which, unlike email, are not typically compromised. Add to that the scare tactics used to trick cardholders into believing that their credit card is being used for fraudulent charges, and it’s no wonder that many people get hooked.
What can you do to protect yourself? As with credit card fraud from phishing emails, knowing what to look for is half the battle. Here are four steps to avoid falling victim to vishing attacks:
- Be just as suspicious of phone calls as you are of emails, even if they appear to come from your credit card company.
- Don’t ever let yourself be scared or intimidated into giving out personal information, like your credit card number or bank account information, over the phone.
- If you receive a phone call that’s even the least bit suspicious, hang up. Then contact your bank or credit card company directly to verify the validity of the phone call and report the matter.
- Don’t trust a phone number just because it displays your local area code or the number of your financial institution. VoIP enables thieves to create false caller IDs, which make them look like calls from a legitimate company.
If you suspect you have received a vishing call, help fight credit card vishing by filing a complaint with the FBI’s Internet Crime Complaint Center (IC3).