"The normal way of spoofing is becoming less successful, and fraudsters are always having to look for new ways to do it," said Sara Bettencourt, spokeswoman for the e-commerce site PayPal.
"Voice phishing" con artists are sending emails, masquerading as communications from PayPal or Santa Barbara Bank & Trust, which instructs users to call a phone number that has a computerized voice ask for an account number. Bettencourt says PayPal would never verify an account with that information, and instead asks for phone numbers, email addresses and sometimes a credit card's last four digits.
"When you introduce a second element of communication -- that being the telephone -- it makes it appear to be a more credible effort to confirm or verify information," said Ron O'Brien, senior security analyst at internet security company Sophos, which announced the PayPal-targeted scheme Friday.
Experts recommend customers protect themselves from phishing scams by entering web site addresses into their browser (rather than clicking on provided links) and only calling numbers listed in the phone book or on bank-provided credit cards or statements.