Vishing Scam Hits Rural Regions
Utah Scheme Reflects New Threat to Banking Customers
Two vishing attacks, likely perpetrated by the same scammers, hit several Provo, Utah, residents this week. In one, an automated phone call went out to consumers, claiming their debit cards had been closed. The other attack targeted residents in the same region, purporting to be a call about service disconnection from the Rocky Mountain Power company, which provides electricity to Utah, Wyoming and Idaho.
"This is the first time that I've seen a two-pronged scam," says John Buzzard, who oversees client relations for FICO's Card Alert Service. This service provides decision management and predictive analytics solutions for card issuers. "They're just learning that there's more than one way to get consumers to panic."
Buzzard says the Provo case is an example of an emerging trend - phone scams that target consumers in rural areas. The debit-card attack encouraged consumers to call a number, after which a recording prompted them to enter their 16-digit debit-card numbers along with their PINs. Calls were made from six different numbers, including a toll-free number: 443-912-1000, 305-555-5555, 888-839-3613, 954-447-4110, 412-381-2300 and 954-447-4110.
"These scams happen all the time, but they kind of sweep region by region," Buzzard says. "Recently, we've seen them pop up in low-fraud, small places," so they're hitting consumers who might not be so savvy or prepared for a social engineering attack. Thousands of consumers in Utah were targeted, and while it is unknown how many fell victim to the scam, hundreds are suspected of being affected.
The two scams were unique for a couple of other reasons. First, the debit card scam was not geared toward any specific financial institution's customers or members. When the calls came through, the recording did not provide an institution name. "They really went for a generic kill," Buzzard says. The fraudsters used robo-dialing: certain area codes were selected and then called using a Skype-like Internet technology.
Second, the perpetrators cast their net beyond debit cards, with the calls that alleged disconnection of service from Rocky Mountain Power. "It's a brilliant move," Buzzard says. "No one wants to have power turned off."
Two Recommendations
Buzzard offers two bits of advice to institutions concerned about similar schemes in their regions:
- Prepare: Have an action plan before an attack occurs. When a consumer calls to verify whether a card has been closed, know whether your institution will handle such calls itself or outsource crisis management and response to a third party.
- Authenticate Transactions: Do so by verifying CVV and CVC values embedded in the magnetic stripe. "Financial institutions have to make sure that they're authenticating that code on every debit card for every financial transaction for that card," Buzzard says. "If the value is missing or is incorrect, then you deny that transaction and you don't lose any money. It's pretty simple."