The Anatomy of a Vishing Scam
A series of well-orchestrated wireless phone-based phishing attacks against several financial institutions last week illustrates how scam artists are growing more adept at fleecing consumers by exploiting security holes in seemingly unrelated Internet technologies.
The scams in this case took the form of a type of phishing known as "vishing," wherein cell-phone users receive a text message warning that their bank account has been closed due to suspicious activity, and that they need to call a provided phone number to reactivate the account. Victims who called the number reached an automated voice mailbox that prompted them to key in their credit card number, expiration date and PIN to verify their information. (The voice mail systems involved in these sorts of scams usually run on free or low-cost Internet-based phone networks that are difficult to trace and shut down.)
According to Lawrence Baldwin, the security forensics professional who was called in to help investigate, the attacks went down like this: The scammers targeted customers of multiple financial institutions, sending the text message lures solely to mobile numbers assigned to customers who lived in the geographic regions served by the individual institutions. For example, one scam targeting Motorola Employees Credit Union was sent only to Cingular mobile numbers assigned to consumers in the Schaumburg, Ill., area, where Motorola is headquartered. Yet another vishing attack sought Qwest customers in the Boulder region who may have belonged to the Boulder Valley Credit Union.