"Part of the danger here is just the fact that it is novel," said Adam O'Donnell, Senior Research Scientist at Cloudmark, an email filtering company in San Francisco. "Most people are pretty comfortable calling to a phone number that they think is their bank's."
So far these phone phishing attacks have not been common. Cloudmark first detected them in mid-April and they stopped after continuing on a very limited scale for about three days. "It looks like a single scammer doing a proof of concept," O'Donnell thinks.
Cloudmark intercepted about a total of 1,000 of these phishing messages, a small number considering that Cloudmark's email filtering service is used by approximately 100 million customers' mailboxes.
However, the phishing attacks caught Cloudmark's attention because they use a telephone number, which was served by a small U.S.-based VoIP carrier. This made them some of the first to leverage the cost savings of VoIP, O'Donnell said.
VoIP services are attracting phishers because they allow customers to set up numbers anywhere in the globe. The costs are low for thieves to set up a phony professional line, given they can also be combined to a telephone software.
Spammers have already been taking advantage of this inexpensive technology, using phone numbers instead of web sites in their email solicitations, but this was the first time Cloudmark had seen the approach used by phishers, he said.
O'Donnell refused to reveal the name of the regional U.S. financial institution that was affected by these attacks.