Phishing by Cell Phone

From an alert reader:

I don't know whether to tell you, or RISKS, or the cops, but I just received an automated call on my cellphone that asked for the last four digits of my Social Security number. The script went:
Hello! This is not a solicitation! We have an important message for J-O-H-N DOE (my first name was spelled out, but the last name was pronounced). If this is J-O-H-N Doe, Press 1 now!

(after pressing 1:)

For your security, please enter the last four digits of your Social Security Number!

I have no idea who it was, because I'll be -- damned -- if I'd give out ANY digits of my SSN to an unidentified party. My cell's display is broken so I'm not sure whether there was any caller ID information on it, but I also know that can be forged. What company expects its customers to give up critical data like that during an unidentified, unsolicited call?

Sadly, there probably are well-meaning people writing automatic telephone scripts that ask this sort of question. But this could very well be a phishing scheme: someone trying to trick the listener into divulging personal information.

In general, my advice is to not divulge this sort of information when you are called. There's simply no way to verify who the caller is. Far safer is for you to make the call.

For example, I regularly receive calls from the anti-fraud division of my credit card company checking up on particular charges. I always hang up on them and call them back, using the phone number on the back of my card. That gives me more confidence that I'm speaking to a legitimate representative of my credit card company.

Posted on December 7, 2004 at 1:58 PM • 43 Comments

Comments

piglet • December 7, 2004 3:35 PM

It's anyway a bad idea to use any digits of SSN for any authentication purposes. It's unsafe, SSNs are not secure and cannot be kept secure. And the insanely widespread use of SSNs makes them such a nice target for all kinds of attackers. If any company asks you for SSN without a good reason, at least try to explain to them that what they are doing is stupid, if possible, withhold the information or don't do business with them. In Canada, as of January 1 2004, customers now have the right by law to withhold their SIN except in clearly defined cases where it's legitimately needed. Sadly, many companies haven't yet noticed. I'm about to complain to the privacy commissioner about my bank.

http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp

Matt Brubeck • December 7, 2004 4:13 PM

"The last four digits of your Social Security number" is more information than it sounds like, since the first three digits are assigned by location. An attacker who steals the last four digits could easily guess the first three in many cases, and could potentially brute-force the remaining two.

http://www.ssa.gov/foia/stateweb.html

rediguana • December 7, 2004 4:34 PM

Hmmm, tie this technique with NetCode discussed here recently and you can see why I'm not that excited about using mobile phones for authentication.

Ryan Barrett • December 7, 2004 6:10 PM

Piglet: worse, for many people, the middle two digits are based on your birthdate. So, brute forcing may not be necessary!

(Yes, birthdate is often used as an authenticator too, but since most people don't attempt to keep it secret, it's even worse than SSN in that regard.)

Scot Mcphee • December 7, 2004 6:51 PM

American Express in Australia has the nasty habit of calling you up (from an Indian call centre) and asking for personal i.d. information - my mobile phone always shows their number as 'private'. This has happened to me several times and I've tried explaining to them why I'm refusing to give them any information but on subsequent attempts have given up. Then I hang up and call their customer service line. I still tried explaining to them that this is a really stupid idea but it doesn't get through.

As I am currently on a contract at a credit information provider, I had a conversation with a business person here about Amex's stupid behaviour and he indicated to me that scams exploiting this behaviour are already known.

Yet Amex persist with this practice.

Emanuel Crisp • December 26, 2004 2:26 PM

HSBC in the UK also like to ask security questions when they call you up. When I've been called they've wanted to know my date of birth and/or the details of the last few transactions on my current account.

When I explained to the [polite lady from the bank / criminal mastermind] that I couldn't verify her identity, she gave me a verbal assurance! And yet banks are going to stop paying out to victims of phishing frauds in the UK - ridiculous.

vikram • December 30, 2004 9:07 PM

hi,

phishing is a concern, actually i am working on a product that will at least protect u from phishing over the web but if we can extend it to mobile.

i will try to keep u posted if we extend it to mobile devices also.

Troubled_by_calls • December 5, 2005 6:44 PM

This is awful. My fiance got me a cell phone. He's in Indiana and I'm in Texas. And I've been getting calls from this place in Houston (a private number) where they say - Can we speak to Mr. So and So. And they give my fiance's name. And when I ask them where they're calling from, which company, they just say they need to speak to him and it's a Ms. Ventura or a Ms. Patricia. When I tell them he's not available, they say they'll call back. And they do, every morning and evening. Anyone know what to do?

Flampton • May 19, 2006 7:52 AM

Got a call from 205-415-8530 (w/8664903799 also noted on caller ID) claiming to be American Express regarding an account opened in 04 and closed in 05 with money still owed and wanted last four digits of social security number.

JC • July 24, 2006 1:33 PM

got the same call from 2064158530 asking for someone else but leaving the same 866 number asking that this 'other person' call them back with reference 95696995

bonesy • August 29, 2006 10:33 PM

Got a similar call last Thursday, Friday, Saturday, Sunday, yesterday, and today (Tuesday). All begin w/a prerecorded voice "I am calling about an important business matter. [1 variant includes "This is not a sales call."] Please press "1" to be connected to a representative or call 866-488-4299. When calling, refer to number [computer voice] 4-0-6-9-4-5-8." I don't use caller ID, but a Google search of the # revealed that it belonged to a TrueLogic Financial Corp. out of Englewood, Colorado, USA. Needless to say, I have NOT returned their calls, being as (1) I have no past-due debt, (2) they couldn't be bothered to identify themselves at the outset, and (3) they couldn't be bothered to identify who they wanted to reach. Smells "Phishy" to me!

Angered one • September 13, 2006 10:03 PM

bonesy, i have been gettin the same call 2 my cellphone as you, i don't answer it but they still leave a voice mail with the EXACT same thing u said just the beginning was cut off--i have gotten over 30 voicemails from them every goddamn day, and, like u, i have no debt or anything worthy of this nuisance. I totally agree with u...it seems "phishy" 2 me 2. I'm gonna call sprint (my provider and report it--hopefully they can stop it)...

S • October 26, 2006 1:26 PM

I am also now getting calls from TrueLogic to my cell phone. Their number is 720-974-0386. I didn't answer but my voice mail picked up. Very annoying. I don't have any past-due debt. I have complained to FTC and to Colorado Attorney General (TrueLogic is apparently based in Englewood CO). Don't know if this will help, but if everyone who is called complains perhaps they will do something? F*ckers.

Annette • November 10, 2006 4:59 PM

I get a message every single day (except Sunday) to call 866-488-4299. It seems that when I haven't called them back after at least the 10th message that they would get the idea!

jane • November 15, 2006 8:56 AM

how can someone use my cell phone number to call my phone (it showed up as an incoming call but the phone did not ring). they then accessed my voicemail and deleted some very important saved messages.

S • November 15, 2006 9:37 AM

I have also received daily messages on my answering machine to call 1-866-488-4299 with reference number 4716687. Finally sick of it, I called them. A young, friendly woman's voice answered, and asked which reference number I had. I said "4-7..." and she cut me off and told me the rest of the number. I do have my phone number visible for people with caller ID. She then asked me if my name was "Phillip Smith". She got my first name right, but I foolishly corrected her and told her my real last name. She quickly apologized and said that she would remove me from her list. I asked what this was regarding, but she said "I'm sorry, but I'm not allowed to disclose this by law". I knew it was baloney, but before I could say the next sentence, she hung up on me.

Carlitos • January 12, 2007 4:10 PM

Re: 866-488-4299 and others.
The best investment I've made lately is a fax machine that has a junk call/junk fax blocking feature. Mine is a cheap old Sharp UX-510 that will allow you to enter five junk numbers to be blocked. It works great. It blocks any number you have entered at the first ring and gives you a little report of what it did.
Other models may allow you to enter more numbers, but usually we've only had a few really annoying telemarketers at one time.
This could also be helpful if you have harassing calls from any other source, since you have a record of exactly when they called if you need something to show to the authorities.

Beverly • January 28, 2007 4:30 PM

Well - it's sunday and i just got a call from these people. i am on the do-not-call list. i wish that reporting people like this would do any good but i know it won't. our senators and congressmen have more important things to do (like making sure they don't work too many hours at their actual JOB) than to bother passing laws that would enable police and other law enforcement agencies with the ability to actually prosecute companies that harass citizens. and getting 2+ calls a day from this company constitutes as harassment in my mind.

by the way - immediately after i got the call, i called back to tell them to take me off their list and if they bothered to call me again I would press charges violating the do not call order - and the recording said they're closed. how f*cking convenient.

pissed • February 18, 2007 9:46 PM

I've received daily calls on my machine from 866-488-2988 for like a month now.. I have caller id so I never answer calls from these kind of numbers.. last week i decided to call back but their message said they were closed on sundays.. another week goes by, and here it is Sunday, and they called at 10am. now they will never receive my return call- ever.

Sophie • March 4, 2007 10:09 AM

I have been experiencing the exact same thing, same message and number to call (866-488-4299 then a ref number) as "pissed." I do not answer, but the ongoing harassment is absolutely unacceptable, and this organization seems to be able to wiggle out of anything. I called my phone provider and they could only suggest blocking anonymous calls with *77, dialing *69 to get the number (didn't work) or doing call trace: You pick up and listen to the message, hang up on it, wait 10 seconds, then dial *57. I believe this routes to your local authorities and they trace the call for you. It can then lead to having to file legal papers, etc., etc. I don't know if it's worth it. I have no outstanding unpaid debt, but my ex-husband has plenty. If there are organizations to call, anybody out there, please advise!

Nyms • March 18, 2007 12:02 PM

I have a question for anyone that can help, how do you know if someone used your name and SSN to cosign for a student loan or a car loan? I called the credit bureau (experian) but they said that they would not know until the person misses payments (then creditors will contact me). I do not want to wait until it gets that far, because I am the one who would have to go through the trouble of convincing creditors that it was not me. My roommate went through all my military information when I left for vacation. It was my fault, I forgot to put them away. When I came back from vacation I found out that someone opened a credit card in my name, two weeks prior to the opening of school. I know deep down that it is him but his mom is a lawyer and she is giving him legal advice (that I cannot prove anything). In fact, they are trying to get me kicked out of the school because I am investigating it.

april • April 13, 2007 12:57 PM

I have been getting calls from 866-488-4299 for many weeks. My husband finally called back and the conversation was very fishy sounding. He then had me call as well while he listened on the other line. When I refused to give the man any info. he became very rude! my husband started yelling at him to never call us again and then the guy threatened to come here and kick our -. Fortunately, he does not really have our address. i doubt he will call here anymore but who knows?!

mad as heck • April 16, 2007 11:04 AM

I have been going through this as well. All of the sudden the last couple months we get a call a day every day. The message is always the same: I am calling with an important message, This is not a sales call. Please call back at 866-488-4299 and reference the following # and a recorded message gives out a number. They never say who they are or who they are calling for so I never call them back, but damn it is so annoying. I finally searched the number on the web and found out that it's a company called true logic. How do I make them stop!!!!

Matt • May 10, 2007 3:21 PM

I too am getting calls every day from a recorded message instructing me to call 866-565-9161, with a "reference number". The language used in the call is somewhat scary. Apparently I "have failed to respond" and I "must call before end of business tomorrow" on this "important business matter". I am told that this "is not a sales call". Now, I have excellent credit and no outstanding debts or collections or anything like that, so this is obviously some sort of scam. Of course I have no intention of calling them, but I'd love to find out who they are and what they're up to. The daily calls are getting annoying.

AMS • May 19, 2007 9:20 AM

I have been receiving the same types of calls, but the number is 877-729-7449. They are starting to bug me, so I googled today and only came up with one site where they were using so many abbreviations I couldn't understand what they were talking about. All these discussions about credit make me want to pay to get my credit report again (I've used up my free one). But, then again, it is likely a scam, right? If it were a real creditor seeking you out because of a non-payment issue, wouldn't they ask to speak to you directly? I have no experience with this, as I've always paid everything as needed.

Barbara • May 24, 2007 6:58 AM

How do I keep my cell number from showing on someone's caller ID Number?

AMS • June 6, 2007 7:37 AM

Barbara, the only ways I know are to get a private number (I have a friend whose cell phone is private, so I know it can be done) or to block the number using *67 when you make a call.

gimmeyourmoney • June 27, 2007 12:59 PM

It's a collection agency. Pay your bills and you will stop getting phone calls. If the calls aren't for you, be nice and call the company and tell them they are calling the wrong #. With the use of cell phones growing at a fast rate, the number of recycled #'s are out of hand. Unless you tell the people calling you they have the wrong #, they will continue to call you.

cindy • July 9, 2007 11:27 AM

My problem is that a creditor keeps calling my cell phone (which I've now had for 3 years) asking for what I thought was a previous owner. This began when I first got the phone. I spent lots of minutes listening to voice mails that were not for me. Eventually I called the creditor's number and tried to convince them I'd never heard of this person and asked them to stop calling. It worked for a while but the calls began again.... asking for a different person! (maybe an alias of the deadbeat?) Eventually these calls stopped but now I am getting calls for the first individual. I am reluctant to call back and tell them (again!) I am not this person. I think they may think I'm the guy's girlfriend trying to lead them astray or worse, that it is actually a scam.

sb • August 2, 2007 8:13 PM

My cell ph number got hijacked.. evidently, people are getting calls from a number that is displayed as mine. I have not made these calls. When they answer, there is no one there and no recording. How dumb is that. Then, they call me back and I answer and they are so irate that 'I' have called them 25 times. What to do? Verizon has no idea. If I cancel my cell phone, these people will still get that same call I would think.
Seems illegal to me. How do we find out what telemarketing company is doing this?
Thanks

Amy • August 9, 2007 2:23 PM

From 866-565-9161 I have had this voicemail message twice - call the number to resolve, give this reference number, etc. - on my cell. The name given that they're trying to contact is completely unknown to me. It comes up as "unavailable" when they call, so I don't answer. Annoying.

Bill • August 24, 2007 2:40 PM

This number is to True Logic Financial Services. They obtained my phone number by unknown means and asked for some lady I never heard of. It's a collection agency....check out rip-off reports on the net. They have a bogus reputation.

Cindy • August 30, 2007 2:49 PM

Phishing by cell phone? I just want someone to know about this and you guys were the only place I could imagine might want to know. Nothing horrible has happened to me yet.

Today I received an "unknown call".
The caller left a message (I saved it) explaining they were from the hospital and needed to confirm my billing information. Left an 800 for me to call to provide my "Insurance company name, subscriber ID and Date of Birth". They even left a "reference number".

Just in case the call really was for me - I called the number from my cell phone and heard a pre-recorded pleasant sounding woman's voice:
"Hey get a text message with information on the number you've dialed. The number you have dialed has new information. Please Press any touch tone now from your cell phone to receive the information on the number you are calling..." Then she proceeded to inform me that standard use fees (presumably from my phone company) would apply and that the "Locator service was provided by SMS VW".

I hung up. I thought it amazing that they - whoever they are - would know I was calling from a cell phone. I tried the same number from my land line and got "The number you are calling can't be reached from your calling area"

So I don't know what the "Scam" is or what would happen if I pressed a key on my cell phone like I was instructed - but it's a pretty clever set up whatever it is and someone should look into it and warn folks to be careful.

kay • September 12, 2007 11:05 AM

I received a call this morning to my cell phone. Someone was in my office so I did not answer the phone. I checked after 5 minutes on missed calls and it was my cell phone number. I called Verizon but they do not know how that can be happening. Anyone have any suggestions? Someone may have hacked on my phone?

Mr. K • October 23, 2007 1:24 PM

I just received a call from 866 488-4299 on my cell. When I picked up there was real person, a male, he asked for somebody and I told him he probably dialed a wrong number. I asked him to repeat the number he tried to reach, but he refused and he also refused to repeat the name of the person he asked for at the beginning of the call.

CINDY T • November 10, 2007 12:54 PM

My daughter has been receiving very threatening calls but the number is private and blocked, the police suggest changing the number however she is a teacher at a handicapped facility and her number is very public, is there a way to locate a private blocked number to give to police?

concernedaswell • December 27, 2007 7:14 PM

I received a call on my cell from an unknown number and it began w/a prerecorded voice "I am calling about an important business matter. This is not a sales call." and then said to call back and refer to a reference number. The reference number they used was my full ss#. It didn't even leave a return # and didn't say who it was. Any insight would be appreciated.

Anonymous • January 3, 2008 9:51 PM

I've been receiving the same message as the one that concernedaswell received (from 866 488-4299). Today, I picked up the phone when it rang, and hit #1 as the recorded voice suggested. A guy answered "Hello?". I asked him why he called. He asked "Are you Tina (last name)?" I said I'm not and no Tina lives here. I then asked why he was calling me. He said "Well, if you're not Tina, that's none of your business, is it?" I replied "Hey buddy, you're the one that called me". I told him I wanted him to stop calling me. He said "Well, if you're not who I'm looking for, why would I want to keep calling you?" Anyway, I recalled that about 5 years ago, someone from a collection agency called to ask me to have my "neighbor Tina" give them a call. Seems they had done a skip trace, found out where Tina lived, and decided to call one of her neighbors to relay their message. I did have a neighbor named Tina at the address where they believed her to be living, but she had married and her last name was different. It was probably her, but nevertheless, I never contacted my neighbor with this info. Now, I'm guessing that that collection agency must've listed my number as a number where Tina could be reached, and decided to start calling me again for HER debts! Anyway, if anyone you don't know ever calls for one of your neighbors, DO NOT even let them think you know who he or she is.

shari • July 8, 2008 9:40 AM

Please help me...my friend keeps getting a call on his cell phone showing my number. I'm not calling him, I even showed him my cell phone bill. I changed my number and it is happening again...it's making me feel very uneasy. My online account is always temporarily locked (like someone is trying to get into my account). My AT&T service says it is not possible for someone to use my number. I'm starting to feel as though this friend is not a friend he is an attorney and to be honest I'm really nervous.

Imran Memon • February 5, 2010 3:05 PM

Finally I have developed an Anti-Phishing Application for Mobile Phones.

It's very Easy and Compatible with Smart Phones as well as Dumb Phones/Non-Symbian Phones.

I will publish application soon along with Research Paper.

If you have a query then write to me.

Regards,
Imran K. Memon
Pakistan

John • April 10, 2011 7:12 PM

Today I got a machine-generated voice call on my mobile (iPhone 3GS on AT&T, not cracked) which must have been a phishing attempt.
This call was of great interest to me for two reasons:
1) I am familiar with 'traditional' phishing, and about 30 seconds of Googling familiarized me with SMiShing. This phish was a voice call.
2) The voice call originated from the number "639-0". I have never seen a voice calling number displayed in other than the US-standard 7 or 10 digit format. However, I have seen such 'nonstandard' numbering formats on text messages both from the service provider and from the service provider's e-mail-to-text gateway. The appearance of such a 'service'-appearing calling number makes me wonder if the phisherman has penetrated AT&T's network.
The phish itself was unremarkable. It wanted the account number, expiration date, and PIN for a J P Morgan-Chase prepaid card (which I don't have). The voice was the same synthesized female voice typical of commercial AVR systems. The phish apparently didn't check account validity, as it was happy to accept zero for each value. I suspect the origin is outside the US, as the J P Morgan-Chase banking conglomerate brands its consumer services as "Chase", and a US scammer likely wouldn't have chosen this awkward phrasing.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..