While driveby malware downloads and browser in the middle attacks capture imaginations and headlines, a recent thread on an antiphishing discussion list highlights that criminals are happy to go Old School when low tech provides a convenient means to steal identities.
Offline phishing convinces victims to fax personal or sensitive information to a phone number provided in an email message. The email message may include a form to print and send by fax, or it may ask for a copy of a document containing personal information. The attacker doesn't require botnets or a heavy tech footprint to receive fax. He can utilize "use once then throw away services" - free fax-to-email services and free email accounts that set a low bar for user verification or have poor defenses to counter automation - and access these from public Internet kiosks.
A typical tax refund phish or bank phish asks targets to visit a hyperlink. An offline phish asks the target to submit personal information via a fax. Putting on my creative criminal hat, I can imagine that an offline phish could be very persuasive:
As part of our continuing efforts to improve our electronic services, and because of the growing concern over phishing, we are discontinuing the use of email messages containing hyperlinks to our secure site.
We are implementing a secure fax submission process for updating our records. Our fax service is not connected to the Internet so your correspondence will remain confidential and secure.
Please fax the attached form to submit a new login and password for your account to <number>.
Offline phishing attempts to defeat antiphishing education that discourages mail users from clicking on hyperlinks in email they receive. Phishers expect that the absence of hyperlinks will convince certain users that this mail is legitimate. Any financial institution, healthcare or government agency is as vulnerable to this form of phishing as hyperlink based phishing.
All the conventional advice to protect yourself against phishing apply to offline phishing. Read the message carefully. Don't act in haste. Contact your bank or agency using contact information other than what you receive in the email message. Ask them to verify the new process.