Phishing Leaves the Internet: PayPal Users Threatened from Phones
In recent months, Internet users have become wary of emails purporting to come from places like PayPal, eBay, and various credit card companies. These emails look very official – featuring the company’s logos, and directing the reader to a website that looks just as legitimate. That’s all part of the plan. Once the reader reaches the website, they are asked to enter information. This information could be as little as a PIN or as much as addresses and phone numbers or Social Security information. Once entered, identity thieves have access to your financial life.
As Internet users become more aware of these emails, called phishing (literally, it’s like fishing in more than the way it sounds – the people sending these emails are “fishing” for victims), a new strain of emails has come to the surface. Instead of asking you to click a link, they ask you to call a phone number.
Voice Phishing has arrived.
Voice Phishing Revealed
Sophos, a computer security company, was one of the first to publicly warn users of a new phishing email that tries to trick PayPal users. The email appears to come directly from PayPal, claims that the user’s account has been subjected to fraudulent activity, and asks the user to call a phone number. Unfortunately, this scheme is successful – so many people are aware of phishing emails asking them to click a link that when they see a phone number instead, they’re more likely to believe what they’re reading.
Users who call the phone number are greeted by an automated voice that warmly greets them with, “Welcome to account verification. Please type your 16-digit card number.”
“Users that type in their card information may think they’re verifying their PayPal account, but in actual fact, they’re handing their details over to cyber criminals on a plate,” said Graham Cluley, senior technology consultant at Sophos. “Though it’s an American telephone number, the fact that PayPal is used globally means that anyone could potentially be tricked into making the call.”
It’s not only PayPal that’s being hit – though its users are going to be heavily targeted simply because there are so many of them. A California bank, Santa Barbara Bank & Trust, has also seen illegitimate emails claiming to come from it.
In both cases – PayPal and the Bank & Trust – spokesmen have stated that their employees will never, under any circumstances, request credit card information. They generally request phone numbers, email addresses, or in some cases the last four digits of a credit card on file.
Protecting Yourself from Voice Phishing
The reason that voice phishing is such a threat is simple: information, or the lack thereof. After all, you know PayPal’s real URL. But do you know its real phone number?
“This scam attempt underlines a real problem for online companies in how they communicate with their customers. Many users are beginning to learn to not click on links in unsolicited emails, and only visit the legitimate websites run by their favourite brands, but how many would know whether a phone number for their website is genuine or not?” said Graham Cluley. “As hackers get smarter we are likely to see them increasingly not only set up fake websites, but ‘harvest’ messages from corporate switchboard systems to appear even more like the legitimate company.”
Your first step in protecting yourself from voice phishing and fraud is to learn what to look for – and what not to do.
To prevent any type of phishing fraud, Internet users should never click on links or call the phone numbers listed in emails sent to them. Instead, type in the website address in your browser and look for a “contact us” link. You could also reference your credit card statement or look the phone number up in the phone book or the online Yellow Pages.
In terms of what to look for, there is a huge variety of emails that might be sent. In the recent PayPal voice phishing emails, the thieves are using a specific layout that looks exactly like PayPal’s official (and legitimate) emails.
A copy of that email is included with this article as a screenshot. You’ll notice that much of the wording is taken straight from other PayPal documents, emails, and website policies – although there is a significant difference that not many people recognize right away: PayPal is a U.S.-based business, but this email uses the British spelling of the word “apologize” (apologise), and there are several grammatical errors. These aren’t things that you’d notice right away, especially if you’re panicking at the thought that you’ve been robbed, but they are major clues.
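A small heuristic mail check, added here as an example and not part of the article or of any Sophos or PayPal tooling, that looks for the cues described above (an embedded phone number paired with a request to call it, urgency wording about account fraud, and British spelling from a U.S.-based brand) in constructed sample messages. The regular expressions, the sample texts and the scoring rule are assumptions for illustration.

```python
import re

# Constructed sample messages (not real emails) showing the cues the article describes.
SAMPLES = {
    "vishing": (
        "Dear PayPal member, your account has been subjected to fraudulent activity. "
        "Please call 1-800-555-0100 within 24 hours to verify your account. "
        "We apologise for any inconvenience."
    ),
    "legit_notice": (
        "Your monthly statement is now available. Log in to your account to view it. "
        "If you have questions, visit the Help Center on our website."
    ),
}

# North American phone number with optional country code and common separators (assumed pattern).
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(fraudulent|suspended|unauthori[sz]ed|verify|within \d+ hours)\b", re.I
)
# British spellings that are a mismatch when the claimed sender is a U.S. brand.
UK_SPELLING_RE = re.compile(r"\b(apologise|authorise|recognise|favourite|cancelled)\b", re.I)


def vishing_indicators(body: str, sender_is_us_brand: bool = True) -> dict:
    """Report which voice-phishing cues appear in an email body (assumed heuristic)."""
    phones = PHONE_RE.findall(body)
    return {
        "phone_and_call_request": bool(phones) and bool(CALL_RE.search(body)),
        "urgency_language": bool(URGENCY_RE.search(body)),
        "spelling_mismatch": sender_is_us_brand and bool(UK_SPELLING_RE.search(body)),
        "phone_numbers": phones,
    }


def is_suspicious(body: str, sender_is_us_brand: bool = True) -> bool:
    """Flag a message that asks you to call an embedded number and shows one more cue."""
    ind = vishing_indicators(body, sender_is_us_brand)
    return ind["phone_and_call_request"] and (ind["urgency_language"] or ind["spelling_mismatch"])


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, is_suspicious(body), vishing_indicators(body))
```

A flagged message should be checked against a phone number you look up yourself, as the article advises, rather than the one in the email.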
Sophos has also released a .wav copy of the phone message callers receive when dialing the fraudulent phone number, which you can listen to here.