©06 The Media Desk
An old scam with a couple of new twists.
Your phone rings..... this could be at home or at work, or even your cell phone ....the number on the caller ID may be local. It might even have the name of a local store, a well-known catalog outfit or even your credit card company on the display. The person on the other end has your name and address, and your credit card number. They are calling to confirm your identity or a recent purchase. "Could you please confirm the three or four digit security code on the back of your card?"
They may even say they are calling because they were worried about a security breach or fraudulent charges and they want to confirm that you are actually you.
This is 'Vishing'. Voice phishing.
And it is the same crime as the email variety that attempts to harvest your banking or other information for criminal purposes.
The caller has already stolen your name, credit card number, home phone number and may be in the process of ripping you off and probably will anyway, but if they get the 'security code' (CSV code) on the back of your card, it makes their job easier. And they'd really appreciate that.
The old advice still holds:
DO NOT GIVE ANY PERSONAL INFORMATION TO ANYBODY THAT CALLS YOU.
DO NOT CLICK ON ANYTHING IN AN EMAIL. DO NOT REPLY TO THEM EITHER.
IF THEY CALL YOU AND INSIST IT IS FOR REAL. HANG UP. Then call the store or bank back at the number on your statement or receipt or even at the number in the phone book (not on the number on your caller ID). You may be on hold for half an hour, but it is better than getting ripped off.
Now, having said that for the seven hundred forty third time... we'll move on.
How they do it.
First off, the odds are that whoever is calling is NOT in the same town, the same state, or even the same Hemisphere as you.
They are probably calling from the criminal equivalent of a call center or customer service desk and using Voice over Internet Protocol which gives them several advantages.
They can be calling you from anywhere in the world, and program the information displayed on your Caller ID could be anything they want it to be, including an online-retailer or even an actual real store with a parking lot that you used your card at last week.
Many of these calls do originate off-shore. There are several Russian and Chinese criminal outfits (high tech mafia wanna-bes) and a great number of the calls, and emails, originate from Russia and Poland as well as Hong Kong and other Asian locations, but also a large number of them come from Jamaica and Central America. But they can also be calling from New Jersey and program their calls to come from Chicago or right from your hometown.
By spoofing the Caller ID information, which a VoIP call doesn't even have to begin with, and even masking their IP address it is impossible to trace the call back to the originator. Therefore the chances of them getting caught that way are almost non-existent.
Making VoIP calls are for all practical purposes: FREE. Using a broadband connection and a 'soft phone' the criminals can call anybody they want, anywhere they want, for as long as it takes, and not pay a cent for the call. Even better, if they call you on your cellular phone you may be paying for the privilege of being robbed.
How do they get your card number?
Well, all too often, YOU gave it to them.
Yes you did, and here's how.
You used your credit card as a reference when you filled out a 'preferred shopper' application or survey either online or in person.
Maybe you applied for another credit card someplace, like at a kiosk in the mall or even when you were visiting an online retail site.
Or when the waiter took your card for lunch he kept the name and number. (Some make extra money on the side by collecting names and numbers of customers and selling them to 'friends', same for the credit application booths.)
And then there is the old nefarious email phishing gag which a surprising number of people still fall for. "Well, it was from my insurance company...." No it wasn't. They just made it look like it was.
And then there is the even older problem of human incompetence and random acts of stupidity. Like laptops left in taxi cabs, CDs of databases laying out in the open, printouts and receipts dumped un-shredded into the trash or even the accidental (?) publication of lists of customers or patients on websites or sent out attached to a broadcast email. All have happened, we'd like to believe they were unintentional, but with money to be made, or even just a disgruntled employee wanting to embarrass their employer, it's hard to say.
And with business card numbers it can be even easier. Believe it or not, some people answering the phones at businesses sometimes don't think. The crook calls, says they have an order they need to ship but the card number was incomplete or some numbers were transcribed. In other cases a supplier or wholesaler's information may not be as secure as it should be. Remember, the information chain is only as secure as its weakest link. If a trucking company sends out routing information or invoices through unsecured email, the information may be siphoned off or even left on the screen on a public computer at a truck stop.
And all of those preclude actual direct criminal activity designed to break in and steal your information either electronically by hacking databases or by simply ripping off the computer it is stored on.
What can we do?
Besides the obvious of not giving out your information to somebody that calls or emails you. (744 times now)
Do not use your credit card number for ID for access to ANYTHING. Which includes using it to 'prove you are an adult' for access to web activities such as casinos, 'this is not a gambling website' card games, chat rooms or friendship sites and other sites.
Destroy financial documents that you get in the mail or from the bank. That includes the ads you get trying to 'give' you a new 'pre-approved' credit card or home equity loan.
And you can cooperate with law enforcement.
Don't be embarrassed if you end up falling for one of their tricks. Most of the people doing this are professional criminals and they have been at it for years in some cases. They are well trained, with in some cases fantastic resources behind them (in some cases they are even supported by the government where they operate- perhaps by the authorities looking the other way, or in at least a few cases by the government refusing to close them down when they're caught, settling for bribes and 'cost of doing business' fines), and they are patient. If they don't get you today, they'll be back the day after tomorrow, and twice next Sunday.
Yes, some are kids or teenagers or whoever and are just out for a thrill or to see if they can do it... some but not all. And some of those that are doing it for a career use those kids as a front so if somebody gets busted it isn't the real crook.
So if you are taken in by the scam, get together everything you can; emails, the date and time of the phone call, the financial records that show the fraudulent charges and whatever else you have and turn it in to your local high-tech crime or Identity Theft task force.
There are some heavy hitters in the game fighting like Batman against the crooks as well.
Microsoft has filed over a hundred lawsuits worldwide against Phishers going after civil damages. It and other online and software companies have either initiated or cooperated with criminal prosecutions that in one case, landed a Turkish Scammer in a Turkish Prison for Two Turkish Years!
It may be a drop in the bucket, but it's a start.
Other ISPs such as AOL and Earthlink have offices dedicated to tracking them down and bringing them to justice.
The FBI and Interpol have online crime divisions. One of the best out there belongs to the Royal Canadian Mounted Police and they have seen their share of the crooks locked up, their equipment seized and bank accounts frozen.
With eight or nine emails out of TEN now being sent either spam or a scam (or both) it is an serious uphill fight, but those of us who are in it on the side of the good guys are in it to win.
There are even Professionals working to combat the crime: http://www.fraudwatchinternational.com
FraudWatch International Pty Ltd is a privately owned company based in Melbourne, Australia.
FraudWatch International combines education, monitoring and detection services, and preventative software solutions to consumers and corporate clients and currently protects over 100 million Internet users worldwide.
from the "about us" page on the above site
Do not click on links in spam emails.
Do not give out personal information to somebody that calls you.
Do not use credit cards as ID.
DO USE SOME COMMON SENSE when online or out in public!
Links and Resources:
outside links will open in new window
The site www.phishtank.com tracks phish.
www.fraud.org is one of the primary watchdogs of online fraud.
In the US, the FBI has an eye that way with www.ic3.gov
The Royal Canadian Mounted Police's Scam Sheet www.rcmp-grc.gc.ca
A generalized Desk page on Gone Phishing with extensive resource, law enforcement and educational links.
The Desk's main clearinghouse for all things not quite kosher themediadesk.com/files/urban.htm
The Desk's Technical Brief on Voice over Internet Protocol explains more of how it's done.
[NOTE: The Desk Is NOT affiliated with ANYBODY listed above. The Desk is NOT endorsing the FraudWatch service, but it IS endorsing the FBI and RCMP, for what it's worth. Thank you ]The Media Desk's Urban Legend and SPAM Info Page http://www.themediadesk.com/files/urban.htm
Back to the Desk main page at: