You have been warned!

Feb 21, 2008 21:36 GMT

Phishing is one of the surest means of acquiring personal information, period. Whether the victim doesn't know he/she is visiting a fake secure site or is providing the information via email to somebody posing as an official doesn't really matter to the phishers. All that matters is getting the job done, so they have stepped up their game and are now attempting to pull off the same scheme via voice.

Sophos, an IT security and control firm, was notified about emails that appear to come from financial institutions and seem official, but are actually very crafty copies of the genuine ones. A small credit union, Kessler Federal, is the only one to have its customers targeted by the attack so far, but if this proves successful in a good number of cases, it might evolve and spread to more.

In their effort to fool the victims, the cyber criminals have stuck very close to the usual text of the emails sent by Kessler and even provided URL links to pages of the credit union's official website. What they did change was the date and the phone number at the bottom of the email. The email offers no way to solve the supposed problem other than calling, so the fraud would not be suspected. By taking this step, the phishers appeal to the extra trust people place in a phone conversation compared with email.

The first thing users would hear after dialing is an automated voice assuring them that no personal information, such as the Social Security number, will be asked about or disclosed. Immediately afterwards, victims would be asked to enter the customer's bank card number and PIN via the phone keypad, exactly what the phishers would need to bleed an account dry.
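Because every link in such a message is genuine, a link-reputation check passes it; the one altered element is the callback number. The following added example (not from the article or from Sophos) shows a mail-filter check that compares phone numbers in a message body against the numbers an institution actually publishes. The domain `creditunion.example`, the 555 numbers, and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# North American numbers: optional leading 1, area code, then 3 + 4 digits.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def normalize(number):
    """Reduce a phone number to its last 10 digits (drops the country code)."""
    return re.sub(r"\D", "", number)[-10:]


def on_domain(url, domain):
    """True if the URL's host is the domain itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def audit_email(body, trusted_domain, published_numbers):
    """Flag callback numbers that the institution does not publish."""
    known = {normalize(n) for n in published_numbers}
    links = URL_RE.findall(body)
    # Remove URLs first so digits inside a link are not read as a phone number.
    text = URL_RE.sub(" ", body)
    found = {normalize(m) for m in PHONE_RE.findall(text)}
    unknown = sorted(found - known)
    return {
        # Genuine links are what let this kind of message pass link checks.
        "links_genuine": bool(links) and all(on_domain(u, trusted_domain) for u in links),
        "unknown_numbers": unknown,
        "suspicious": bool(unknown),
    }


# Constructed sample: genuine link, altered callback number.
SAMPLE_EMAIL = """Dear member,
Your card has been suspended. Our policy is described at
https://www.creditunion.example/security
To reactivate your card, call 1-800-555-0147.
"""
PUBLISHED = ["(800) 555-0100"]  # constructed "official" number

if __name__ == "__main__":
    print(audit_email(SAMPLE_EMAIL, "creditunion.example", PUBLISHED))
```
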

"By using genuine links in the email, the cyber criminals are making it very hard for recipients to realize this is a phish. What's more, most computer users are now wary of clicking on links and entering their details, so asking customers to call to verify their information further enhances the legitimacy of the email," said Graham Cluley, senior technology consultant at Sophos. "Phishing techniques are constantly evolving as the organizations and customers involved wise up to the old tricks. Plus, it's not just global brands that are being targeted - any size of financial organization is valuable to phishers providing they can make their scams seem legitimate and trick users into handing over their personal details," he concluded.