Sophisticated Voice Phishing Scams

Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone.

I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always.

EDITED TO ADD: In 2009, I wrote:

When I was growing up, children were commonly taught: "don't talk to strangers." Strangers might be bad, we were told, so it's prudent to steer clear of them.

And yet most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.

These two pieces of advice may seem to contradict each other, but they don't. The difference is that in the second instance, the child is choosing which stranger to talk to. Given that the overwhelming majority of people will help, the child is likely to get help if he chooses a random stranger. But if a stranger comes up to a child and talks to him or her, it's not a random choice. It's more likely, although still unlikely, that the stranger is up to no good.

That advice is generalizable to this instance as well. The problem isn't that someone claiming to be from your bank is asking for personal information. The problem is that they contacted you first.

Where else does this advice hold true?

Posted on October 2, 2018 at 3:09 PM • 28 Comments

Comments

Chelloveck • October 2, 2018 4:40 PM

I got a call from my credit card company once. They wanted me to verify some personal information so they'd know they were talking to the right person. The person on the phone just couldn't understand why I refused. I tried to explain but they just didn't get it. I hung up and called my CC company at the number on the card. Much to my surprise, it actually *had* been one of their service reps who had called me! This was maybe 5 years ago. Hopefully they're better trained by now.

Geoff • October 2, 2018 5:27 PM

Never use the word 'yes' in an unsolicited call. Utility churners record all your words and try to get you to say certain things. This is then used to create a recorded agreement using this audio sliced up as appropriate. Suddenly you find you have switched providers!

Not Likely • October 2, 2018 7:15 PM

@Geoff - that's an urban legend. No evidence of that happening anywhere.

If a "yes" was all it took to commit fraud, there's a lot of good voice editing software to phonetically copy anyone's voice.

an • October 2, 2018 7:45 PM

@ Chelloveck: Yep. I've routinely gotten spam emails from my credit card companies. Please click this link to verify your recent purchases. They don't understand why I won't do that. Or my kid's school, so many click this link emails. I complained about it. They ignored me. Then they got phished badly, some nasty email-propagated malware. And all these administrators started coming up to me "Hey you were right". Yeah, no shit sherlock. You should see my spam folder!

Arclight • October 3, 2018 12:46 AM

The quality of these scams has improved greatly over the last 20 years. Meanwhile, the quality of actual, legitimate communications from banks and other companies has deteriorated due to outsourcing and badly-coordinated marketing campaigns. We're close to the point where the two are indistinguishable, even to people like us in the industry.

Nobody • October 3, 2018 1:51 AM

Isn't the real problem the fact that anyone can fake their phone number? I mean, isn't it the duty of cell phone providers to correctly identify the origin of a call?

Z.Lozinski • October 3, 2018 4:07 AM

@Nobody,

We have discussed this in the past. You cannot rely on caller id. While a cell phone provider probably does identify the calling line id correctly, there are lots of ways to spoof caller id. A business PABX, or any internet connected SIP phone can easily generate a caller id that is different to the actual calling number. (There are legitimate uses for this, which is why it is allowed. Businesses often set the caller id to the main switchboard number, not an individual desk number. Same for call centres).

We need to teach people to return sensitive calls by dialling themselves to numbers they have already verified.

(And yes, you can intercept a dialled number, but it is significantly harder, and will leave a trace).

wiredog • October 3, 2018 5:25 AM

Huh. Don't often get spam comments on this blog like the one above. Surprised there's not a "report spam" button on comments here.

kergvb • October 3, 2018 8:38 AM

@Kim I wonder though, how does one avoid plastic entirely? At the very least, it takes an ATM card to get my cash out of the bank. Maybe I could write myself a check? I never tried that. Always just deposited checks instead of cashing them.

Moderator • October 3, 2018 8:52 AM

@wiredog, we get spam comments on this blog every single day; most are deleted before most visitors get a chance to see them. To report spam, please address a comment to @Moderator with the username or direct link to the offending comment. Thanks again to everyone who helps with this process.

vas pup • October 3, 2018 9:14 AM

@Bruce and @Z.Lozinski • October 3, 2018 4:07 AM

(1) Caller id could be spoofed. But that is currently illegal by Federal law. Unfortunately, I do not recall when some scumbag was additionally punished by federal authorities for doing that.
(2) ANI (Automatic number identifier), which is on 800-like numbers, could not, but as usual the average Joe/Jane's interest in privacy and fraud protection is basically only declared. Even in former Soviet republics, as the USSR collapsed, it was available for anybody to buy a home land line phone with ANI, but they accept the (bleeping) business model we have now, meaning there is a middle man, your phone company, who wants to charge you for a caller id service which is miserable: at best they provide on the name line 'state name CALL' - e.g. 'Nevada Call' or 'Wireless Call' - no wireless provider specified, and now when the mid-term election is coming, I get 'Unassigned number'. When somebody calls you from Europe (e.g. Germany) you get: 'Unknown name', 'Unknown number', but when you call to Germany (land line to land line) they could get on their caller id your whole home phone number. Why? Because the main provider for this service in the US is the monopolist AT&T, whose huge lobbyist team (you know where) is very fast to increase your service charges, but as a snail on improving the quality of that particular service.
Suggestions:
(1) All financial institutions should provide their name when calling customers (no BS like a toll-free number). It should be e.g. 'City Bank' and a number verifiable on the internet as actually belonging to City Bank, insurance company, CC.
(2) I complained in the past to the US Postal Service, and, no kidding, got on caller id 'Federal Gov' and the actual number. That should be the rule, not the exception.
(3) ALL telemarketers, solicitors, polls should register ALL their phone numbers in a special FTC database, so you could verify who calls.
(4) Feds should take real action on requiring implementation of caller id spoofing regulation with hard fines (or other effective civil/criminal measures) for each case, considering them as fraud attempts.
But, as you know, NOBODY is going to listen. Money of phone providers speaks louder...

Nobody • October 3, 2018 10:32 AM

Hmm, but I don't understand. So, the caller ID is like From: field in an email? And there is no way to have an analog of email headers for the call?

I'm asking because to me the most startling aspect of the report was that scammers appeared to call from a legitimate number...

vas pup • October 3, 2018 10:43 AM

@all:
https://www.law.cornell.edu/uscode/text/47/227
Good link for subject regulation.
That what got my attention:
"(e) Prohibition on provision of inaccurate caller identification information
(1) In general

It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such transmission is exempted pursuant to paragraph (3)(B).
[Who has a crystal ball to identify intent at the time of the call? Looks like it could be considered unlawful if and only if you get OTHER/additional negative consequences. As usual, the law is vague, but not in the victim's (your) favor - vp].

(ii) Specific exemption for law enforcement agencies or court orders The regulations required under subparagraph (A) shall exempt from the prohibition under paragraph (1) transmissions in connection with—
(I) any authorized activity of a law enforcement agency; or

(II) a court order that specifically authorizes the use of caller identification manipulation.

[I guess (I) should require (II) as a RULE to be legitimate, except when there is urgent danger for people, property, bomb threat - you name it - vp]

(1) State law not preempted Except for the standards prescribed under subsection (d) and subject to paragraph (2) of this subsection, nothing in this section or in the regulations prescribed under this section shall preempt any State law that imposes more restrictive intrastate requirements or regulations on, or which prohibits—
(A) the use of telephone facsimile machines or other electronic devices to send unsolicited advertisements;

(B) the use of automatic telephone dialing systems;

(C) the use of artificial or prerecorded voice messages; or

(D) the making of telephone solicitations.
[I guess California utilized (D). I love their laws related to privacy - good example to follow rather than reinvent the wheel - vp]

CallMeLateForSummer • October 3, 2018 11:59 AM

@Nobody

CallerID might have been useful in the 1980's (I don't know because I've never had it) but certainly it is useless for identifying the calling number today. Spoofing it is simply too easy; it doesn't slow down or deter the bad guys.

In the early 1980's I took a call from "Ma Bell". The local business office wanted me to "sign up" for one month of free Touchtone dialing. I demurred. "Wouldn't you like the speed and convenience?" I said that dialing my rotary phone took only a few seconds, that I was fine with that, and that Touchtone service wasn't worth $15/mo to me. (Two or three months after that conversation, Touchtone service began working for pretty much everyone in my part of the woods. Imagine that!)

A similar scenario took place sometime later, on the subject of CallerID. Again the pitch, "Wouldn't you appreciate the convenience of knowing...?" You can guess my reply.

There was an old AT&T CallerID box in my stash. I must have thrown it out. Connected between the line and the phone; powered by a 9v battery. I'd like to hook it up now and see if CallerID magically started working, like Touchtone did. I really don't know.

stine • October 3, 2018 12:41 PM

Has anyone gotten a phishing call in the last couple of days where the scammers have inadvertently added 1 to the area code, and the exchange, and the number, so that a number like 770-442-8165 becomes 771-443-8166, which moves the source of the call from Atlanta, GA, to Veracruz, Mexico?

Some people are so stupid...

Ratio • October 3, 2018 7:00 PM

Except that Mexico isn't part of the North American Numbering Plan. Some people…

maybe • October 3, 2018 9:21 PM

@Nobody

> So, the caller ID is like From: field in an email? And there is no way to have an analog of email headers for the call?

The answer to your question is yes, with a qualifier. Without DKIM or similar, your telco or any other ISP upstream of your inbox can (and can allow others to) freely modify those email headers.

Etienne Mathieu • October 4, 2018 9:26 AM

Sad to say, but I no longer answer my phone anymore. Everything goes to voicemail, and Google Phone emails me a voice transcript. If the transcript looks like it is a valid human (business or friend) I return the call almost immediately.

People that deal with me, know my antics.

Etienne Mathieu • October 4, 2018 9:37 AM

T-Mobile has a service that works very well. Many calls are identified as "Scam Likely" as they appear to be collecting bad numbers.

If you login to your account at T-Mobile you can select the option to drop all of these calls into the bitbucket. You no longer get them. This has been a real blessing for me. The phone is more useful as a tool.

It's not a cure all, I still get one or two calls a day from spam, but this is a lot less intrusive than the spam level without it.

Google Voice also has the same type of thing, only they go to a spam folder so you can see they are still trying, and sometimes catch a valid person who ended-up in spam.

When they dig up our civilization 1000 years from now, they will think of us as cavemen.

MB • October 4, 2018 10:22 AM

"Where else does this advice hold true?"

If you get a password management application pushed on you or advertised to you, there are significant chances that it's a scam with the goal of getting access to your passwords; that it has some kind of backdoor.

If Facebook (or Yahoo or Google) advertises a new security system that requires you to hand over your phone number in exchange for increased security, chances are that security is not their main purpose. Instead, they're just trying to collect more information on you, for advertising purposes or to more reliably connect your username to a real-world identity, like in China.

This goes double if you get an annoying "nudge" in the form of a reminder at every login.

This may sound paranoid, but here it goes: the same holds for those annoying mandatory periodic password change reminders, especially when you are not allowed to reuse any of your last ten passwords. Firstly, you'll pay greater attention to a website that forces you to do this and be more impressed by its importance; it's not just some random website now, it's the website that just forced you to waste 15 minutes on picking a password. The proponents' other hope is that most people, who are not good at remembering more than 10 complicated passwords, will settle into an easy-to-guess system after a couple of such reminders or install a password manager. After all, if password choosing gets sufficiently complicated and arcane, it "makes sense" to just use a password manager. And if you don't and settle into using an easy-to-guess password choosing system, then when it eventually gets broken it's not their fault (because they adopted state-of-the-art security measures, after all), it's your fault, which decreases their liability.

The previous does not apply when you: write your own foolproof password manager from scratch; are a Google executive, asking Google to implement 2-factor authentication for your own increased security; willingly change your unique passwords every 4 months following a good system, with no need for a reminder.

albert • October 4, 2018 12:15 PM

Some time ago I got a call from a number I didn't recognize. I checked the number against one of those scam call listing sites, and it didn't show up. Just for the helluvit, I called the number. Some dude in Kentucky. He seemed totally surprised when I told him about it.

I've 'solved' the problem. I don't answer numbers that aren't in my contact list. If it's important, they'll leave a voice mail. Interestingly, I've gotten voice mail from two telemarketers. I tell my doctors not to call without leaving a message. The same for anyone or any company who requires a phone number.

. .. . .. --- ....

Me • October 9, 2018 8:48 AM

My wife worked in a call center for a medical insurance company.

The protocol for leaving messages on returned calls was to say you had a message "from their insurance company"; they were forbidden from using the company's name.

I know that would have set off my BS detector, but apparently it was a HIPAA violation to leave sensitive information, like what insurance company the caller used, on their machine.

At least that was the response my wife got when she mentioned how this policy made them seem like scammers.

Adam • October 16, 2018 6:56 PM

In the same vein, an old adage: "good financial products are bought, not sold". As in, if someone seeks you out to sell you life insurance or a bond, it's probably a sub-par deal.

Nick Rozanski • October 17, 2018 1:52 AM

>>> Where else does this advice hold true?

Here is another example:

My wife (by no means a gullible person) recently had problems at a cashpoint (ATM) when trying to withdraw some cash. She was immediately accosted by a very helpful person who happened to be standing nearby.

To cut a long story short - it was a scam, the machine had been tampered with, and the scammers managed to fraudulently withdraw £250 from our bank account by persuading my wife to re-insert her card and then briefly distracting her.

Thankfully our bank was very understanding, and refunded the money straightaway. Unfortunately the supermarket where the scammers were lurking were uninterested (it's not their loss) and declined to offer up their CCTV footage. The police said it was unlikely the scammers would be caught.
