New phishing scam model leverages VoIP

Network World - Small businesses and consumers aren't the only ones enjoying the cost savings of switching to voice over IP (VoIP). According to messaging security company Cloudmark Inc., phishers have begun using the technology to help them steal personal and financial information over the phone.

Earlier this month, San Francisco-based Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing a certain phone number. The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he's not a customer of this bank.

Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site where they're tricked into giving up their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O'Donnell, senior research scientist at Cloudmark.

And that's where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice-recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O'Donnell says. "They're leveraging the same economies that make VoIP attractive for small businesses," he says.

Cloudmark has no proof that the phishing e-mail it snagged was using a VoIP system, but O'Donnell says it's the only way that staging such an attack could make economic sense for the phisher.

The company expects to see more of this new form of phishing. Once a phished e-mail with a phone number is identified, Cloudmark's security network can filter inbound e-mail messages and block those that contain the number, says O'Donnell.