PayPal phone phish uses IVR technology to defraud

Hybrid security scams are truly here, as witnessed by the latest scam to try and hit users of PayPal.

According to Sophos, the IT security vendor, a new phishing email is doing the rounds, supposedly from PayPal, but exhorting Internet users to call a phone number and then part with their plastic details.

Most phishing scams seen to date have centered on links embedded in the HTML of the email, but this latest phish email, says Sophos, has a phone number for punters to call.

When dialled, users are greeted by an automated voice saying: "Welcome to account verification. Please type your 16 digits card number."

Now this is where it gets interesting, as the card number is check-summed and, if it fails the Visa/MasterCard checksum test, the system asks the caller to enter the correct number.
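
The Visa/MasterCard checksum test is the Luhn check, which is plain arithmetic on the digits: an IVR can run it with no connection to any bank, so a system that rejects a mistyped number proves nothing about who operates it. The Python below is an added example, not code from Sophos or from the scam itself; the function names are illustrative and the card numbers are publicly documented test numbers.

```python
"""Luhn check as applied to 16-digit card numbers (added illustration)."""


def _digits(number: str) -> list[int]:
    """Strip spaces and hyphens, then return the digits or raise ValueError."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not (cleaned.isascii() and cleaned.isdigit()):
        raise ValueError("only digits, spaces and hyphens are allowed")
    return [int(c) for c in cleaned]


def luhn_valid(number: str, length: int = 16) -> bool:
    """True if the number has `length` digits and passes the Luhn checksum."""
    try:
        digits = _digits(number)
    except ValueError:
        return False
    if len(digits) != length:
        return False
    total = 0
    # Walk from the rightmost digit; double every second one and
    # subtract 9 when the doubled value has two digits.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def single_digit_typos_caught(number: str) -> tuple[int, int]:
    """Return (caught, total) over every possible one-digit keying error."""
    digits = _digits(number)
    caught = total = 0
    for pos, original in enumerate(digits):
        for wrong in range(10):
            if wrong == original:
                continue
            mutated = digits.copy()
            mutated[pos] = wrong
            total += 1
            if not luhn_valid("".join(map(str, mutated)), len(digits)):
                caught += 1
    return caught, total


if __name__ == "__main__":
    test_number = "4111 1111 1111 1111"  # public test number, not a real card
    print(luhn_valid(test_number), single_digit_typos_caught(test_number))
```

Every one-digit keying error fails the check, which is all it is designed to catch: it is a typo filter, not evidence that the number was verified with a card issuer.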

Graham Cluley, senior persona at Sophos (for it is he -Ed) says that users are effectively handing their card details to cybercrims on a plate.

"Though it's an American telephone number, the fact that PayPal is used globally means that anyone could potentially be tricked into making the call," he said.

El Cluley says that the scam underlines a real problem for online companies in how they communicate with their customers.

"Many users are beginning to learn not to click on links in unsolicited emails, and only visit legitimate Web sites, but how many would know whether a phone number is genuine or not?" he said.

And it gets worse, as Cluley predicts that, as hackers get smarter, the industry is likely to see an increase in cases where, rather than setting up fake Web sites, hackers harvest voice messages from corporate switchboard systems to sound even more like a legitimate firm...