Phishers turn to fax scams

Phishers have added a new lure to their tackle boxes: emails that ask people to fax sensitive information to bogus security investigators.

In a new scam, attackers are sending email warnings that appear to come from PayPal, security specialist Sophos said on Wednesday. These emails say that someone tried to reset the recipient's password and asks him or her to participate in an investigation.

The emails direct people to a Microsoft Word document hosted on a website and urges them to download the form, fill it out, and fax it to a toll-free number, Sophos said. The form asks for credit card information.

The new tactic comes as people are becoming more suspicious of emails asking them to fill out sensitive information online, said Graham Cluley, a senior technology consultant for Sophos.

"We've seen a few attempts of this in the last few days, where phishers are trying out a new technique with people who have learned their lesson about filling out forms on a website," Cluley said. "They're hoping people will feel it's safer to fax back a form."

"It seems like a dumb way for the phishers to operate," Cluley added. "The authorities can easily track the phone number. But what isn't clear is whether they will get a [toll-free] number and then quickly dump it, or [whether they've] acquired the number using a false ID, or can have the calls transferred to a satellite phone somewhere outside of America."

Email-based phishing attempts may be getting less effective, though. As with other types of unsolicited mail, people are increasingly glossing over these messages as they troll through their inboxes, Cluley said. Phishers, as a result, are likely to be finding their mail-based efforts less fruitful.

"Trojans and worms are becoming more popular, because the information can be gleaned surreptitiously," Cluley said. "It's the way the trend is going."

Dawn Kawamoto writes for CNET News.com