Fraudsters use bogus calls to solicit information

Criminals are increasingly using fraudulent phone calls to commit ID theft.

This is according to Trusteer, a provider of secure Web access services, which warns that people need to be on their guard while online and offline.

The company says fraudsters use personal information that was stolen with malware to give them credibility. It says an example of this is bogus 'bank' calls.

“The phenomenon of stealing data using one channel such as the Web, and using it in a different channel or context such as social engineering attacks, is often overlooked,” said Amit Klein, CTO of Trusteer.

According to Klein, the company found that data collected by Man in the Browser (MitB) attacks can be used for other attacks. He adds that defending against these new “hybrid” attacks “requires both technology to detect MitB malware and vigilance from the users of online services”.

Traditionally, malware fraudsters identify a targeted bank and then learn how the bank's online service functions. With this knowledge, a fraudulent scheme is designed, and the corresponding malware attack is configured, he says.

He points out that the data collected this way is often insufficient to commit fraud. In these cases, fraudsters can use bogus calls to obtain the missing data.

“While everyone's attention is focused on protecting themselves in the 'virtual' world, they're still very much at risk back here in the 'real' world,” says Klein. He adds that it is actually easier to commit social engineering attacks over the phone than many realise.

Trusteer offers the following advice: Consumers should use up-to-date anti-malware solutions, especially solutions recommended by their banks. They should treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer. Finally, consumers should use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.