Experts note that to add credibility to the phish, the cyber criminals have stuck very closely to the text used on Kessler Federal's Web site and have included legitimate URLs which link to official advice pages, as well as the proper e-mail address for reporting abuse. However, the phishers did change the date, text and phone number at the bottom of the e-mail in an attempt to solicit phone calls to the posted number.
When dialed, users are greeted with an automated voice which assures callers that they will not be asked for any personal information such as a Social Security number. It then goes on to ask for the customer's bank card number, followed by the PIN -- sufficient information for the cyber criminals to steal money from the user's bank account at a cash machine, or to transfer funds to an off-shore account.
"By using genuine links in the e-mail, the cybercriminals are making it very hard for recipients to realise this is a phish. What's more, most computer users are now wary of clicking on links and entering their details, so asking customers to call to verify their information further enhances the legitimacy of the e-mail," said Graham Cluley, senior technology consultant at Sophos. "Phishing techniques are constantly evolving as the organizations and customers involved wise up to the old tricks. Plus, it's not just global brands that are being targeted -- any size financial organizations is valuable to phishers providing they can make their scams seem legitimate and trick users into handing over their personal details."
It is noted that this is not the first time that voice phishing (known as "vishing") has been used to trick innocent victims' into parting with their bank details. In 2006, PayPal users were targeted by a similar scam.
"There seems to be little that financial organizations can do to stop criminals cloning their switchboards lock-stock-and-barrel," explained Cluley. "To combat the risks, users should learn to use the telephone number on the back of their card or go into a branch rather than trusting everything they receive via e-mail."