Voice phishing – Vishing, for short – has been around for a long time and is all about using the phone and social engineering to grab the information required.

It isn’t easy to trace or shut down, and the consequences can be devastating [1], [2].

Vishing can start with an email or a text but the ultimate goal is to get you on the other end of a telephone line. From there, the scammers will go about harvesting your data by pretending to be your bank and asking for card

With that in mind, here’s a couple of messages I received today on my mobile:

“HSBC CREDIT CARD SECURITY:

Our monitoring system has detected unusual transaction on your credit card. Please call our 24-hour customer service hotline at [snip] for verification. For your security we have placed your card on temporary hold while awaiting your confirmation.”

Another one, sent shortly after the first:

“Telephone [snip] for verification. For your security we have placed your card on temporary hold while awaiting your confirmation.”

This was news to me, because I don’t have a HSBC credit card. I tried the number but it didn’t work; however, a quick dig around social networks and I found a few more examples. We called one US number seen on a Tumblr post, which was attached to the following message:

“VISA ALERT: Your debit / credit card has been temporarily disabled. Please call VISA 24hr reactivation line”

After a short wait, we were put through to an automated message which directed us to enter various pieces of information via the keys. Here’s how it went down:

“Thank you for calling visa card services 24 hour card acitivation service

If you’ve received a text message alert telling you your card has been deactivated, please press 1. To continue, press 0″

Pressing zero simply looped me back to the beginning – all you can do here is press 1 to get to the next part.

“Valued customer, due to a recent banking software upgrade reactivation is required. To reactivate, press 1.

Enter your sixteen digit card number.

Enter your card expiry date – month / year.

Enter the three digit code on the back of the card.

Enter your PIN number.”

At this point, the call simply fell silent – I’m not sure if there was supposed to be anything after that or they already had what they needed and thought eh, whatever. As with most scams, there are some steps you can take to avoid falling victim to these convincing honeypots:

1) Not sure about that text you just received? Give the bank a call. Most (if not all) banks are very vocal about the fact that they won’t solicit personal information from you. Quite often, these fake messages are fired out to the masses at random and cards needing to be reactivated are the subject matter of choice. Nobody wants a card they can’t use, and they’re hoping people would rather just phone the supplied number than hunt around on their banking website to find the dedicated fraud team line.

2) Many banks WILL give you an automated call if they think your card has been used fraudulently, but they’ll typically use an automated system to list the most recent purchases and ask you if you recognise them. As with 1), if you’re still not sure then call the bank fraud department and confirm anything you’re not sure about. As long as you’re passing on the information via a call you yourself initiated, you’re in a much safer position than dialing random numbers sending texts to your mobile device.

3) On a similar note, some banks will send texts to your registered mobile but will cite specific purchases and ask you if the transaction is legitimate or not. As with the above pointers, you can choose to phone up and confirm what you’re seeing is real.

4) If a recorded message asks you to login on a specific URL with usernames and passwords, it’s quite possible they’re turning a Vish into a more traditional Phish and you should not go any further with the call. Your bank should never ask for passwords over the phone, or send you to websites to login. Always type in the URL you use for your banking yourself.

It’s important to remember there are many ways to fall foul of a telephone scam than “just” Vishing, and you can take a look at some more examples in a roundup by the FTC. Stay safe and don’t get caught in a Visherman’s net…

Christopher Boyd