By Mark Ward
Technology correspondent, BBC News website
Malicious hackers are turning to net phone systems in a bid to trick people into handing over personal details.
[Image caption: The conmen aim to catch vulnerable members of society]
Security firms have identified several scams in which net phone systems are harnessed to try to catch out potential victims.
In one con people are called about supposed fraudulent activity on their credit card.
So far few people have been caught out but security firms expect the number of scams to grow.
Many hi-tech criminals currently use e-mail as the sole method of delivering spam, as well as viruses and phishing messages - in which an e-mail and/or website purports to be that of a bank or financial institution.
Others are harnessing newer technologies to find and catch out fresh victims.
Some criminals are now using net phone systems in a bid to make their come-ons look more legitimate and convince people to hand over useful details such as credit card numbers, bank account details or personal information.
The scam has been dubbed "vishing" because, like phishing, its practitioners pose as banks and other financial institutions but use Voice over IP (Voip) technology.
One recent con spotted by security firm WebSense put an 0800 number in an e-mail message spammed out to users asking them to call and update their bank details.
On calling the number users hear a recorded voice asking them to enter their account number using the phone's touch pad.
Anti-virus firm Sophos has also come across a combined e-mail and phone scam aimed at net payments service PayPal which also asks people to phone to update or confirm their account information.
Secure Computing has found a more sophisticated scam that avoids e-mail altogether. Instead the criminals behind this scam have programmed computers to dial a long list of phone numbers and play a recorded message to anyone that answers.
[Image caption: Experts predict an arms race in Voip security]
The recorded message warns that a person's credit card has been used fraudulently and asks them to enter their card number. Significantly, those responding are also asked for the security number found on the rear of the card.
The scam is lent legitimacy because net phone technology makes it easy to fake the number someone is calling from.
Paul Henry, a spokesman for Secure Computing, said the scam might succeed because although people were suspicious of e-mail few would suspect a phone call about a credit card problem.
"Common sense is the first line of protection," said Mr Henry. "Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account."
Mr Henry said if a bank or credit card company rang a customer it would have knowledge of some personal details about who it was calling. He urged people to be suspicious of any call that is ignorant of these basic personal details such as first and last name. Anyone receiving such a call should report it to their bank, he said.
Alan Nunn, chief technology officer of Newport Networks which sells Voip technology, said in its early days phishing succeeded because people did not know about its dangers.
"We've fixed that partially through educating users," he said, adding that the same needed to be done with the new scams.
But, he added, net firms would increasingly have to take some trouble inside their own networks to tackle security problems.
Many net service firms already use a blacklist of internet addresses known to be senders of spam. Similar lists could be circulated of places hosting vishing scams so any call from them is blocked before it reaches a user.
But, admitted Mr Nunn, just as with anti-virus firms and virus writers an "arms race" was likely to develop between the firms trying to stop the scams proliferating and those trying to harvest new victims.
"I suspect the criminals are in the experimentation phase at the moment," said Mr Nunn. "But I also suspect there's real fraud going on out there too."
Have you been the victim of vishing? Are you worried about net security?
I had a call on my work mobile last week saying that my mobile number had been stolen and that I had to verify my details. I hung up after a while and asked IT to check with the phone company if there was a problem - there wasn't.
M Balfe, Bourne End, Bucks
Computers are just new means to perform old crimes. The UK needs a serious review of its Computer Crime Laws; maybe this is one thing we can look up to the USA for.
M Steer, Wolverhampton
I work for a bank's call centre, and when we call up a customer, we will only ever ask for personal security questions - never any card or account details. Why need them? We already have that information!
Having said that, it is fine when people offer to call us back or want us to quote a password when we contact them. It is no bother to us and makes the customer feel more secure.
P John, Manchester
It's all very well educating people who use the net, but what are we doing to educate people who don't? If an elderly lady like my Gran got a call from someone who said it was her bank, she wouldn't think twice about it. She's not sitting online reading these articles, so sure we are educating people but the most vulnerable people still remain vulnerable.
I hate hearing about the people that have been conned out of their details, but I also feel angry at them for not knowing and falling for the scam. More needs to be done by the media to highlight the dangers of cold calling, spam and this new "vishing" technique. If someone like the BBC made a huge effort to highlight these dangers then maybe the scammers would find it harder and harder to win.
Graeme Simpson, Alfreton, UK
I agree with Rachel Paige and Nick Riley; the banks need to stop telephoning us and asking for personal information.
P Edwards, Edinburgh, Scotland
Banks are only interested in credit card security to the extent that it does not interfere with the convenience of using a credit card. Fraud is just an operational expense - the cost is included in the charges.
It has been widely known for a long time that call-loggers on company switchboards can record every key-stroke, yet users are asked to key in their credit card number.
I receive my PIN number through the post under a tamper-proof peel-off label. So far I have received the same number three times in this way, completely defeating the security feature.
The main purpose of Chip and PIN is to shift responsibility for fraud from the bank to the retailer; reducing fraud is only incidental.
Alan Barnard, Bradford, UK
I think it's obvious that criminals will make use of every possible avenue they can to carry on being criminals. Why the surprise? Plus, do we really need to create a new word for every different strain of cybercrime? Vishing? For God's sake, why not pat the criminals on the back and say "hey you keep this up, Oxford English will add you to next year's dictionary, and then we can all be proud of you!"
David Pye, Lowestoft, UK
It does not help that banks will cold call and ask for personal details, either (1) as part of a marketing campaign or (2) to verify transactions. In both cases the bank will ask for personal details to "verify that it is talking to the right person". These are genuine calls as I find by always refusing to give details and calling back. Banks should stop doing this - it is obvious to me, why not them?
Rachel Paige, London
I occasionally get calls from my bank; they always expect me to verify who I am before they can talk to me - but they don't have anything in place to help me verify who they are! A passphrase or sentence read to me would be enough. Banks need to improve their own security models as they aren't helping this problem.
Nick Riley, Stafford, UK
I am a highly suspicious person by nature. However, I was recently telephoned to top up a loan I had arranged about a year ago. The person on the phone had some of my personal details and asked for more to confirm my identity. I provided the details and thankfully it was a genuine call from my bank. With hindsight I realise that my name and the details of the loan could have been easily obtained and I could have been caught out simply by a convincing telephone manner and easily obtained information. I agree people have been educated to be suspicious of e-mail spam but most assume telephone calls to be legitimate.
Very simply NEVER respond to a cold call - even if you think it probably is genuinely from your bank. If my bank ever phones me I always refuse to go through the security questions and offer to phone them back on a number I know. They always understand my concerns and it's never been a problem to them.
Unfortunately educating users seems to be the only effective solution to preventing these abuses. The internet represents new opportunities to commit old crimes and a lack of foresight, formal legal regulation and built-in consumer protection heightens the effects.
It is a shame that companies need to have these activities pointed out to them before they take any action against it. Due to a difficult atmosphere surrounding global (legal) regulation of the Internet it must fall to providers of the technology, and not the content, to make the first move. Whilst I sympathise with their plight I empathise more with older people who grew up without these technologies and simply don't understand the risks.
B Macdonald, London