Fraudster using phone numbers to receive authentication details

The Bank of Lancaster County is currently being targeted by a phishing attack that does away with the traditional web-based phishing forms. Instead, victims are asked to phone a toll-free number to reactivate their card.

The scam starts with phishing emails claiming that the victim's VISA card has been deactivated because it may have been used in illegal activities. Rather than clicking on a hyperlink and visiting a website to resolve the problem, victims are asked to call a phone number based in Erie, Pennsylvania. To add credibility to the attack, the email claims that the phone number is toll-free, but it is in fact not.

Stealing credentials via phone remains a relatively rare phishing technique. For scalability, attacks like these are usually carried out by sending emails that ask the recipient to call a phone number purportedly belonging to the bank, rather than by initiating phone calls.

Ironically, phone phishing could prove more effective due to the methods some banks use to combat fraud. Some make automated phone calls to cardholders in the event of suspicious transactions, with the cardholder being prompted to respond by entering personal details before confirming a transaction. In practice, the cardholder has no way of ascertaining that the phone call is really coming from their bank, and expecting the cardholder to trust the automated caller is effectively grooming the bank's customers into falling for phone-based phishing attacks.

The Bank of Lancaster County has published an alert advising customers about fraudulent emails that contain phone numbers which, when called, ask for personal information including account passwords and credit card numbers.
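
The mismatch described above, a number advertised as toll-free that actually carries a geographic area code, can be checked mechanically by a mail filter. The following is an added example, not code from the bank or from this article; the sample messages, the lure keywords and the 80-character search window are assumptions made for illustration.

```python
import re

# NANP toll-free area codes; any other area code is a regular geographic number.
TOLL_FREE_CODES = {"800", "833", "844", "855", "866", "877", "888"}

# North American numbers such as (814) 555-0100, 814-555-0100 or 1.814.555.0100
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)
TOLL_FREE_CLAIM_RE = re.compile(r"toll[\s-]?free", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
# Assumed lure vocabulary, taken from the wording the article describes.
CARD_LURE_RE = re.compile(r"\b(?:de|re)activat\w*|\bsuspend\w*", re.I)
CLAIM_WINDOW = 80  # characters on either side of a number searched for a claim


def analyze_email(body):
    """Return a list of (number, reason) findings for a plain-text email body."""
    findings = []
    for m in PHONE_RE.finditer(body):
        area = m.group(1)
        number = "-".join(m.groups())
        context = body[max(0, m.start() - CLAIM_WINDOW): m.end() + CLAIM_WINDOW]
        # A "toll free" claim next to a non-toll-free area code is the mismatch.
        if TOLL_FREE_CLAIM_RE.search(context) and area not in TOLL_FREE_CODES:
            findings.append((number, "claimed toll-free, area code %s is not" % area))
        # Card-status lure that offers only a callback number and no link.
        if CARD_LURE_RE.search(body) and not URL_RE.search(body):
            findings.append((number, "card lure with callback number and no link"))
    return findings


# Constructed sample messages (not the real phishing email; 555-01xx is fictional).
PHISH = (
    "Your VISA card has been deactivated because it may have been used in "
    "illegal activities. To reactivate your card, call our toll free number "
    "(814) 555-0100 and follow the prompts."
)
LEGIT = (
    "Your statement is ready. Questions? Call us toll-free at 1-800-555-0199 "
    "or visit https://bank.example/statements."
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze_email(msg))
```

Findings are best treated as scoring signals rather than verdicts, since a legitimate notice can also quote a local branch number.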