The five largest U.S. banks – and thousands of their consumer and business customers – were targets of phone-based phishing fraud in the second half of 2011. In total, the attacks targeted 30 of the 50 biggest banks in the nation.

New York is the state with the most potential victims, with over 22,000 of these so-called “vishing” (voice-call phishing) incidents reported between July and December 2011. There were 21,000 incidents in Washington, D.C.; 19,500 in Phoenix; 18,500 in Portland, Ore.; and 18,000 in Seattle. While financial institutions focus on strengthening the security of online banking, criminals pursue the next weakest link: unsuspecting customers and bank employees who can be duped into divulging information over the phone.

A recent report in Dark Reading offers some operational insights on the attacks, in which criminals spoof their caller ID to make it appear that they are calling from a legitimate financial institution. Posing as bank employees, the fraudsters solicit private account details, then use that information to withdraw funds and drain accounts.

These schemes are apparently a growing and lucrative niche for organized crime. Investigators have traced around 300,000 numbers used by the criminal gangs, many of which originate overseas on VoIP call networks. One of the major gangs reportedly used 4,000 different phone numbers. The attackers can use software that lets them display whatever phone number they want on the target’s caller ID.