Internet con artists are turning to an old tool — the phone — to keep tricking Web users who have learned not to click on links in unsolicited e-mails.
Like traditional phony "phishing" e-mails, these said there was some problem with the recipients' accounts.
Phishing e-mails generally instruct recipients to click a link in the e-mail to confirm their personal information; the link actually connects to a bogus site where the data are stolen.
But with Internet users wiser about phishing, the new fake PayPal e-mail included no such link. Instead it told users to call a number, where an automated answering service asked for account information.
Security experts tracking this scam and other instances of "vishing " — short for "voice phishing" — say the frauds are particularly nefarious because they mimic the legitimate ways people interact with financial institutions.
In fact, some vishing attacks don't begin with an e-mail. Some come as calls out of the blue in which the caller already knows the recipient's credit card number — increasing the perception of legitimacy — and asks just for the valuable three- or four-digit security code on the back of the card.
"It is becoming more difficult to distinguish phishing attempts from actual attempts to contact customers," said Ron O'Brien, a security analyst with Sophos PLC.
Vishing appears to be flourishing with the help of Voice over Internet Protocol , or VoIP, the technology that enables cheap and anonymous Internet calling, as well as the ease with which caller ID boxes can be tricked into displaying erroneous information.
The upshot: "If you get a telephone call where someone is asking you to provide or confirm any of your personal information, immediately hang up and call your financial institution with the number on the back of the card," said Paul Henry, a vice president with Secure Computing Corp. (SCUR ) "If it was a real issue, they can address the issue."