Blown To Bits

Phishing by Phone

Sunday, April 20th, 2008 by Hal Abelson



As everyone keeps telling us over and over, we should never send sensitive information to an email address, or enter it into a web page, unless we’re confident we know where it’s going. Tricking people with bogus network addresses is called phishing. It’s an online fraud that goes back to the pre-Web days of America Online, but its prevalence has skyrocketed over the past decade because it’s so easy to accomplish with today’s web browsers. A text link you see on a web page might read “,” but if you were to examine the program code, you’d see that it’s not Bank of America’s web site you visit when you click on the link, but some other site, perhaps located in Eastern Europe, which looks just like the Bank of America site. Enter your account number and password, and they are dutifully stashed away as loot for identity thieves.

It’s a well-known trick, and even people who should know better get fooled all the time. For the past several months, a large fraction of the MIT community has been receiving email messages from “the MIT network administrators” telling them that their MIT email accounts are about to expire and that they need to re-register by emailing their password to an address shown in the message. You’d think MIT people wouldn’t fall for this, but it happens. The real MIT network administrators watch for outgoing email to the bogus address and contact the hapless victims, a group that has included a few faculty members in the past month.


When everything is bits, frauds easily cross from one domain to another. In a variant of phishing known as vishing (“voice phishing”) the perpetrator uses bogus caller ID information to trick victims into thinking they are being called by a bank, mimics the bank’s automated answering system, and asks for credit card information to be entered by touch tone. Spoofing the caller ID information – making a fake phone number appear on the recipient’s caller ID display – is simple thanks to Voice over IP and the open Internet architecture that lets anyone create phone applications. There’s phone software widely available that includes spoofing as a “feature,” and even services like that will sell you an account from which you can make spoofed phone calls: merely type in the caller ID number you’d like your recipient to see, and call.

Just today, I encountered a variant of this trick I hadn’t seen before – a cross-domain phishing hoax (phvishing?) that almost fooled me. It came in the guise of an official-looking email from Bank of America informing me that I needed to call them “regarding recent activity on your account.” The email included the usual strong warnings against replying by sending account information by email. No bogus phishing links on this web page: all the links really did go to the BofA web site. But phoning the 800 number reached an official-sounding automated answering system that asked me to punch in my account number, expiration date, and credit card validation code. It then told me that my card information had “already been registered” and everything was OK. Luckily, the email spoof was poorly done, and a close look at the return address showed that the mail was bogus, so I knew enough not to enter my real credit card data. It turns out that this hoax has been around since at least 2006; I just hadn’t encountered it before.

I doubt that I would have been fooled for an instant had this been a pure email hoax or a pure phone hoax, but the combination of the two was something I hadn’t expected. We all know to be cautious about internet messaging, but fewer of us are as suspicious about phone numbers, especially when we’re the ones doing the calling, as with the phony Bank of America number. The root of this difference in attitude is that the Internet (as described in Blown to Bits) has grown up as an open architecture, while the phone system has not. As the communication systems converge, they produce hybrids to which our instincts and attitudes are not attuned. Where this will end up, we don’t know. But of this we can be certain: digital convergence will continue, and so will human fraud.



One Response to “Phishing by Phone”

  1. cell jammer Says:

    great post! How about an article on cellular phone jammers