Identity theft via Phone phishing alongside phishing emails being sent out, attempts are being made to get your personal details by telephoning you (termed Vhishing).

Callers phone up members of the public engaging them in conversation asking them to confirm details or pretending to sell them a product in an effort to gain personal details such as names, addresses, dates of birth and bank account details.

Two such techniques are detailed below.

Recent attempts have the caller pretending they were from the local Primary Care Trust calling about requests for Emergency Services.

The caller states that a call has been made for an emergency doctor and they are returning the call to arrange an appointment. The caller then asks a number of questions in an attempt to get the correct name, address, date of birth and telephone number. Mail Order accounts have then been set up in their names.

Other methods have callers pretending to be major companies, such as Argos promoting new deals on financial products such as accident cover. The caller then asks for birth details, marriage and family details and bank account details.

Advice…

Be aware when asked to give out personal details to unsolicited phone calls.

If unsure, telephone the company using numbers provided by a phone directory or service

Phishing attacks work by the scam artist sending “spoofed” emails that appear to come from a legitimate website that you have online dealings with such as a bank, credit card company or ISP – any site which requires users to have a personal identity or account.

The email may ask you to reply with your account details in order to “update security” or for some other reason.

The phishing email may also direct you to a spoofed website or pop-up window which looks exactly like the real site, but has been set up for the sole purpose of stealing personal information.

Unsuspecting people are then often fooled into handing over credit card numbers, passwords or other details.

How to protect yourself:

Never respond to emails that request personal financial information

Banks or e-commerce companies generally personalise emails, while phishers do not.

Phishers often include false but sensational messages (“urgent – your account details may have been stolen”) in order to get an immediate reaction.

Reputable companies don’t ask their customers for passwords or account details in an email.

Even if you think the email may be legitimate, don’t respond – contact the company by phone or by visiting their website.

Be cautious about opening attachments and downloading files from emails, no matter who they are from. Sophos uses SPF (Sender Policy Framework).

This is an anti-forgery solution which involves publishing a list detailing which servers are allowed to send Sophos emails.

Visit banks’ websites by typing the URL into the address bar

Phishers often use links within emails to direct their victims to a spoofed site, usually to a similar address such as mybankonline.com instead of mybank.com.

When clicked on, the URL shown in the address bar may look genuine, but there are several ways it can be faked, taking you to the spoofed site.

If you suspect an email from your bank or online company is false, do not follow any links embedded within it.

Keep a regular check on your accounts

Regularly log into your online accounts, and check your statements. If you see any suspicous transactions report them to your bank or credit card provider.

Check the website you are visiting is secure

Before submitting your bank details or other sensitive information there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data:

Check the web address in the address bar. If the website you are visiting is on a secure server it should start with “https://” (“s” for security) rather than the usual “http://allyouneedtoknow.org”.

Also look for a lock icon on the browser’s status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.

Note that the fact that the website is using encryption doesn’t necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.

Be cautious with emails and personal data
Most banks have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data: never let anyone know your PINS or passwords, do not write them down, and do not use the same password for all your online accounts.

Source: www.Sophos.com