Phishing leverages VoIP in new scam model

Small businesses and consumers aren't the only ones enjoying the cost savings of switching to VoIP. According to messaging-security company Cloudmark, phishers have begun using the technology to steal personal and financial information over the phone.

Earlier this month, Cloudmark trapped an e-mail phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing the included number. (The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam, because he's not a customer at this bank.)

Usually phishing scams are e-mails that direct unwitting recipients to a Web site to capture their personal or financial information. But because much of the public is learning not to visit these Web sites, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O'Donnell, senior research scientist at Cloudmark.

That's where VoIP comes in. By acquiring a VoIP account, associating it to a phone number and backing it up with an interactive voice recognition system and free PBX software running on an inexpensive PC, phishers can build phone systems that appear as elaborate as those used by banks, O'Donnell says. "They're leveraging the same economies that make VoIP attractive for small businesses," he says.

Cloudmark has no proof that the phisher in this example was using a VoIP system, but O'Donnell says it's the only way that staging such an attack could make economic sense for the phisher.

The company expects to see more of this new form of phishing. Once a phished e-mail with a phone number is identified, Cloudmark's security network can filter inbound e-mails and block those that contain the number, O'Donnell says.