
Information Security Advisory (ISO § 6.1.2 d,f)

July 20, 2006

To:  All BGSU Faculty, Staff, Students
From:  ITS Information Security & Privacy
Subject: Voice over IP Phishing (Vishing)

Severity: [ Critical ]  |  Important  |  Moderate  |  Low

 

System Information

All users of e-mail and telephones.

Description

Phishing e-mail is used to harvest sensitive information by pretending to come from an online merchant or bank. "Vishing" is a phishing e-mail that lists a telephone number for the victim to call instead of a web link. The information can then be gathered by an automated telephone system that uses Voice over Internet Protocol (VoIP). There are also reports of automated phone systems that randomly initiate contact and refer victims to 800 numbers to gather sensitive information via the telephone.

Impact

Unfortunately, VoIP caller ID information can be easily spoofed to appear legitimate. It is also trivial to spoof a known prefix of an existing bank or merchant. There are reports of vishers who use the same telephone voices as legitimate automated phone systems to assist with the deception.

Solution(s)

Vigilance is necessary. No known preventive technology currently exists.

More...


Vishing Joins Phishing as Security Threat - Internetnews.com 7/11/2006
'Image Spam' and VoIP Scam Attacks on Rise - TechNewsWorld.com 7/15/2006
New VoIP Based Phishing Scam - Government Technology 7/18/2006
Scam artist using new technology - The Lompoc Record 7/19/2006



Bowling Green State University incorporates the ISO/IEC 17799:2005 Code of Practice for Information Security Management. References to ISO section numbers facilitate Plan organization and assessment.