What is Phone Phishing?

Phishing is a type of scam most closely associated with email, but also carried out through other media. In a phishing scam, the scammer tries to entice the target into revealing important information, often in the form of a credit card number, a Social Security number, a bank account number, and/or a user name and password combination. In an email or website phishing attack, the target is led by graphics and text to believe that a legitimate authority is seeking information; the goal is to have the target click a link, enter information and/or download malware. Phone phishing, which was around prior to email under a different name, is one type of phishing scam, and one that, according to experts, has been on the increase since computer users have become educated about email phishing.

Phone phishing is based mainly on acting. The caller, most often posing as a representative of a financial institution, tries to convince the target that he or she may have suffered a security breach and must provide account details over the phone so that the financial institution can ascertain whether this has happened. Variations meant to lend veracity to the claim include using an automated message, or a call requesting that the target go to a website and enter the information there rather than tell it to the caller, where the website address given is a spoofed one.

Another trick used in phone phishing is Caller ID spoofing. Caller ID spoofing is the substitution of an alternate Caller ID for the actual phone number from which the caller is placing the call. This can be done for legitimate purposes, such as law enforcement, but it is also a way to put a target’s concerns to rest. One can place a call through a website from anywhere in the world and appear to be calling from a financial institution around the corner from the target. The Truth in Caller ID Act of 2010, which by May 2010 had passed the House of Representatives but not yet passed the Senate, would make Caller ID spoofing a crime, with some particular exceptions including use by law enforcement and the ability to block one’s own caller ID.

There are some simple steps to avoid being entrapped by phone phishing. Recall that legitimate businesses will never ask for account information over the phone. Test the veracity of any request for information by calling the organization that the suspicious phone call seems to come from, using a phone number from published information that you know to be accurate, such as a billing statement or an account balance record.