Fake SMS alerts trick users into giving out their financial details

Jul 14, 2009 10:54 GMT
Vishing attacks on the rise since the beginning of the year, according to Cisco

According to security researchers from Cisco, vishing attacks are becoming increasingly common and complex. Recent incidents involve fake mass alerts sent via SMS, which instruct residents of certain areas to call a rogue 800 number and provide their financial information.

One of the highlights of Cisco's 2009 Midyear Security Report, which is to be released today, is that, "Criminals are targeting people who use online banking with well-designed, localized text message scams—and they're leaving virtually no trail."

This refers to recent attacks that combine "vishing," phishing performed over the phone, with "smishing," phishing via SMS messages. The trick starts with an SMS message, sent to large groups of people, that warns of unusual account activity. The alert instructs recipients to call a phone number in order to solve the alleged problem.

An interesting aspect of these schemes is localization: the messages masquerade as alerts from regional banks and credit unions. This technique increases the chances that targeted individuals are actually customers of those institutions.

Another element adding credibility to the attacks is the use of a toll-free 800 number, similar to what a bank would actually use. Calling this number generally plays a recorded message that asks victims to type their credit card and PIN numbers, allegedly to verify their identity.

As with all phishing scams, the most immediate prevention mechanism involves raising public awareness. However, that can be hard to do for small banks with similarly small IT departments. Furthermore, this new threat abuses one of the common pieces of advice that security experts give when they deal with phishing – checking information received via e-mail with the bank over the phone.

"One tipoff that a text message is a smishing attempt is the 'From' line displays a few digits, like '1000' instead of a traceable, 10-digit phone number," Wescom Credit Union, one of the institutions recently targeted, advises.

Pat Peterson, a security researcher at Cisco, explains that these attacks are becoming a serious problem, with banks all across the U.S. being attacked. "It's working pretty well for them [phishers]. It's a pretty innovative technique," he comments, according to Network World.

The FBI's Internet Crime Complaint Center (IC3) issued a warning about vishing scams back in December 2008, but the U.S. is not the only affected country. We recently reported on a similar scheme targeting customers of the Commonwealth Bank in Australia. The lure in that attack consisted of cashback bonuses waiting to be redeemed.