



July 17, 2006

Will VoIP Open the Door to Widespread Phone Impersonation?

By Patrick Barnard, TMCnet Associate Editor

Recent reports about a new type of phone scam which uses VoIP - called “vishing” - certainly are alarming, but they may mark just the beginning of a new era of sophisticated scams used to gather people’s credit card numbers and other personal information.

Unfortunately, VoIP makes it more important than ever to verify who you are talking to on the phone these days – because it might not be the person who you think it is.

In “vishing” attacks - the latest permutation of “phishing” attacks - the scammers can “spoof” your caller ID to make it look as though you’re getting a call from a legitimate bank or other organization. In addition, the auto-attendant’s voice on the other end of the line might be an exact “copy” of the one used on your bank’s phone system, thus fooling you into believing you have really been contacted by your bank.

Once the scammers have you on the line, the auto-attendant informs you that one of your credit card accounts has in some way been compromised, and that you must dial a provided toll-free (VoIP) number and talk to a representative to get the matter straightened out. You then dial the number and make your way through a “phone tree” which is similar, if not identical, to the one used by your bank. At a certain point, you will be prompted to enter your credit card number and perhaps other key pieces of information. Once you’ve entered the information, that’s it … the call usually ends, and the scammers have recorded all of the information they need to tap into your credit card accounts. You never actually speak to a live person - the “spoofed” phone system does all of the work. Meanwhile, the scammers are already breaking down the “fake” VoIP phone numbers they set up, so as to avoid detection by law enforcement, and are soon off to set up the next set of “fake” numbers to deploy yet another round of scams.

What makes this type of scam so insidious is that it is disguised as a routine which is familiar to practically everyone (i.e. entering information via a bank’s phone system has become a normal procedure for most people when doing banking over the phone), thus making victims feel “comfortable” and safe with what they are doing.

Ask just about anyone with limited knowledge on the subject if they think it’s possible for someone to “spoof” the number showing on their caller ID and chances are they’ll say there’s “no way” that could happen. After all, for decades we’ve all assumed, and counted on the fact that the technology which the phone companies provide is secure and practically “scam proof.” But with VoIP-based scams like the new “vishing” attacks now on the rise, that level of trust is about to change very quickly. Now, consumers must learn a whole new set of precautions in order to protect themselves from these clever attacks.

What makes this all the more alarming is the fact that these scams will only become more sophisticated over time. Although it hasn’t been done yet, at least on a widespread scale, it is entirely possible that scammers could record your voice, via VoIP, and then digitally alter it to fool others into believing they are actually talking with you on the phone. This could be used to augment the strategies used in current and past scams. For example, in the past there has been a scam where someone pretending to be from a law enforcement agency calls from a foreign country and tells a victim that a friend or relative has been arrested, or is in some trouble, and needs money wired to them so that they can get out of a jam. Very often, the unsuspecting victim just assumes that the call is coming from an authentic law enforcement agency – so he or she just goes ahead and sends the money.

Now imagine taking this scam to the next level by adding a truly convincing ingredient: your friend or relative’s “spoofed” voice. A sophisticated scammer could, using digital audio editing technology, record your relative’s voice and then edit it in such a way so that he says things that he never actually said (such as “yes, I’m in trouble, please send the money”).

For now, this might seem a bit far-fetched - after all, there haven’t been any reports of widespread scams involving “spoofed” voice recordings - and, obviously, it would be difficult to have a “recorded voice” engage in free-flowing conversation with a live person. But as audio technology advances, it might be possible for scammers to “impersonate” their victims (or their relatives) over the phone with greater ease and better results (keep in mind that they can already “impersonate” valid phone numbers using caller ID).

Because VoIP calls are, in essence, digital voice signals traveling across the Internet, it is entirely possible for a scammer to intercept a call and then “record” the voices contained in that conversation with superior clarity. The scammer could then edit or alter the recorded voice of one of the parties and then use that recording to place a “fake” call to someone else. And it might not necessarily be for the purpose of extracting credit card information, either – it could be simply to get the “victim” to take some other action, such as meeting someone in a secluded area, so that the perpetrators can carry out a robbery or some other crime. (Example: It could be your “mother” calling to have you come and help her with a flat tire ….) When one considers the sophistication of the attacks being carried out today, it seems entirely possible that a whole new level of impersonation could soon come to the fore.

OK, so maybe you’re laughing now and thinking that VoIP impersonation will never become much of a threat. Yes, it’s true that, with some diligence, it is fairly easy to protect a VoIP network from such abuses. But as to the possibility that such a scam could come to be, there is plenty of evidence right on the Web which shows that it could. For example, in a March article in Converge! Network Digest, Haim Melamed, AudioCodes’ director of channel marketing, said accomplishing impersonation on a VoIP network is just as feasible, if not more so, as it is on a TDM network:

“TDM telephony networks have no built-in authentication and identification,” Melamed explained in his article. “The end terminal – the phone gets its identity and phone number from the access port it is connected to (PBX or Class 5 Switch). In addition, any PBX port can host more than one physical phone - all sharing the same number. These attributes make impersonation in the TDM telephony network as easy as eavesdropping. All you need to do is tap into the line, connect to the two wires in the last mile, or into a trunk, and nobody will ever be able to prove who the actual initiator of the call was.”

“Unprotected VoIP networks are more susceptible to impersonation,” Melamed continued. “Since IP networks are geographically independent, the interested party can impersonate from anywhere on the network and act like he is someone else.”

Although Melamed goes on to explain that “protecting a VoIP network from impersonation is relatively easy,” there’s still a potential for such scams to blossom on today’s networks - many of which are still poorly protected.

But you don’t have to be an expert on network security, or even understand how VoIP technology works, to see how easy it is to use it to impersonate someone – for example, just look at the “impersonation ringers” that are widely available for cell phones. With these clever little recordings, you can have your cell phone automatically answer your calls using the voice of, say, Marlon Brando, W.C. Fields, Tori Spelling or Alfred Hitchcock, instead of your own. If the companies which operate in the ringtone arena are able to create audio recordings that sound this real, just imagine what a hacker might be able to do with your voice.

If VoIP impersonation reaches the point where it becomes widely adopted by scammers, the possibilities for its use are practically limitless: It could be used for something as serious as someone posing as an employee of an IT group and calling a company executive to ask for a password; or it could be something as innocent as a high school student using it to “fake” his mother’s voice and having her call him in sick for the day. Someone could use it to make a false report to the police without revealing their true identity; or someone could use it for “verification purposes” when making certain financial transactions. Espionage … harassment … the field remains wide open, in terms of the potential applications.

And the technology is, for the most part, already available. There are currently many sites on the Web that offer everyday users the ability to spoof caller ID, conduct wiretapping and use fake voices to make phone calls. One such site proudly tells visitors that its technology “offers you the ability to change what someone sees on their caller ID display when they receive a phone call,” and that it offers software which enables users to change their voice to either a man’s or a woman’s. “Fun and inexpensive,” the Web site states. “Easy to use and fast to set up!”

All this adds up to basically one thing: In order for VoIP to truly become a mainstream technology, VoIP providers will have to find some way to prove to consumers that their networks are secure from hackers. How they will do this, I do not know … but it’s never a good thing when a new or emerging technology has to carry with it a host of warnings and precautions. Consumers will always tend to be wary of new technologies which carry new threats. And considering the climate of today’s world - plus the sweeping changes in communications which are now under way - consumers will naturally tend to be more suspicious, rather than less.

But for now, maybe a little bit of suspicion is a good thing …


Patrick Barnard is Associate Editor for TMCnet and a columnist covering the telecom industry.

