Small businesses and consumers aren't the only ones enjoying the cost savings of switching to VoIP; according to messaging security company Cloudmark, phishers have begun using the technology to help them steal personal and financial information over the phone.
Earlier this month, Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing the included number (the Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he's not a customer at this bank).
Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site to capture their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O'Donnell, senior research scientist at Cloudmark.
And that's where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O'Donnell says. "They're leveraging the same economies that make VoIP attractive for small businesses," he says.
Cloudmark has no proof that in this example the phisher was using a VoIP system, but O'Donnell says it's the only way that staging such an attack could make economic sense for the phisher.
The company expects to see more of this new form of phishing. Once a phished e-mail with a phone number is identified, Cloudmark's security network can filter inbound e-mail messages and block those that contain the number, says O'Donnell.