Beware the 'vishing' well: phone gangs have your number

The new hi-tech fraud targets those who make internet calls

When one door closes, another one opens - or at least that's the way it seems for the fraudsters in our midst.

Just as the banks start to get a grip on the cloning of credit cards - by protecting customers with chip and pin - computer-literate conmen have found another rich seam to mine: internet telephony.

It appears criminals are now targeting the users of Voice over Internet Protocol (VoIP), the technology that allows free phone calls on the web. Their hi-tech crime is known as "vishing" - a variation on the "phishing" scam, in which people are duped into divulging their bank details by emails claiming to be from their bank. In this case, however, the victims are pursued through VoIP.

"While internet users have been educated to recognise and delete phishing emails, VoIP users are more likely to be trapped by so-called vishing messages simply because they are not aware of this problem," warns Dave Axam, spokesman for future voice products at BT.

With VoIP, as long as customers are with the same provider, they can call one another over the internet for nothing - even if they are on the other side of the world and provided they can get a broadband connection on their computers. Phone calls from computers to landlines via VoIP are also available at much cheaper rates than ordinary landline calls.

More than half a million "early adopters" are already making the most of VoIP in the UK, but as mainstream companies start to offer the technology - Tesco is now in the market, alongside established players such as Skype and Vonage - its popularity is set to grow still further. Up to three million people are expected to be regular users within a couple of years.

But partly because the technology is so new, fraudsters are finding it easy to target customers.

"VoIP users may never have heard of vishing," explains Kim Gilmour, senior researcher for Computing Which?, the technology arm of the consumer body. "When they get a call over VoIP claiming to be from their bank, they can be easily fooled."

There are two main ways in which criminals are attacking VoIP users.

The first is to send a phone message or email, ostensibly from the person's bank, via their VoIP phone. The message claims that the victim's credit card has been used illegally and gives a phone number for them to call to verify bank details.

"It's the phone number that will trick many people into calling back," says Mr Axam at BT. "VoIP has the capability of assigning a geographic number to any area, so you could be in another town or country but have an 0207 number, which seems to indicate that you are in London."

This is known as a "spoof" number.

"People see the number, think the call has come from their bank, and call up," Mr Axam continues. "They are then linked to an automated voice response, which asks them to confirm their banking details. This is where the data that can be used by criminals is captured; people answer the questions without thinking."

The other way in which criminals are using VoIP involves software called a "war dialler", which can enable a hacker to make large numbers of calls at the same time. Any calls that are answered by VoIP users link directly to an automated voice response, which once again asks for bank details.

Just as unwanted emails are known as spam, these unwanted phone messages are termed "spit".

Although companies providing VoIP in the UK say they have not yet been alerted by their customers to any vishing attacks, they are aware of the problem.

"Some of the bulletin boards have been discussing it recently, so it is obviously something that we have to watch out for," says Mr Axam.

And there are concerns that as VoIP enters the mainstream, fraudsters will bombard users with these messages because it can be done at no cost. Some providers block outgoing caller IDs on their VoIP communications, which means users cannot be "spoofed" by rogue messages. Babble and Skype are two that currently do this; with other providers, there is no way of knowing if an incoming call is from a legitimate source. Companies are also developing spit filters, which will work in the same way as email spam filters.

As a VoIP user, there are some simple steps you can take to protect yourself. Most of the advice is common sense and very much along the lines of that given to combat phishing.

If you get a call from a number or caller ID you don't recognise, then let it go to your voicemail. This way, you can give yourself time to think about whether you want to respond to it.

Just as you would refuse to disclose personal information in response to an unsolicited email from your bank, you should not respond to a similar request made in an unsolicited phone call. Any call asking for your credit card or bank account number or your passwords could be bogus; you should never reveal your banking details unless you can be absolutely certain who you are revealing them to.

The best action is to end the call and phone your bank on the official number on the back of your credit card or bank statement. Report any attempts at vishing to your bank, and also inform your VoIP provider.