Slashdot Mirror


Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)

Security researcher Brian Krebs highlights several clever methods scammers are using to obtain your personal information. In one example, someone used a fully-automated voice to try and scam "a cybersecurity professional with more than 30 years of experience" by greeting him with a four-note AT&T jingle, "followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment."

"It then prompted me to enter my security PIN to be connected to a billing department representative," Jon said. "My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it." Krebs reports on another, more sophisticated scam attempted on Matt Haughey, the creator of the community Weblog MetaFilter and a writer at Slack: Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him. Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren't made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? [...] The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother's maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it. Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He'd given this code out previously in the few times he'd used his card to pay for something over the phone. Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she'd make sure his existing PIN also served as the PIN for his new card. Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.
Long story short, two fraudulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

28 of 201 comments

  1. Whoa. by msauve · Score: 5, Insightful

    If they're calling you, they don't have any reason to ask you to provide any confidential info to verify you are who they called. If they ask, get a name and extension, and call them back via a published number.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Whoa. by PPH · Score: 4, Insightful

      If they ask, get a name and extension,

      Always this. They can spoof the legitimate bank customer service number. So don't assume the caller ID is correct. Always tell them that you will call them back at a convenient time.

      --
      Have gnu, will travel.
    2. Re:Whoa. by ShanghaiBill · Score: 5, Interesting

      They can spoof the legitimate bank customer service number.

      But only because the telecom companies let them, and the government has done nothing to ban the practice.

      Spoofing should be illegal unless the company doing the spoofing owns both numbers.

      This is mostly an American+Canadian problem. The practice is illegal in most other countries.

    3. Re:Whoa. by ShanghaiBill · Score: 2

      making things illegal won't stop criminals.

      We don't need to stop the criminals. We only need to stop the telecoms from enabling them.

    4. Re:Whoa. by ShanghaiBill · Score: 3, Insightful

      backwards compatibility be damned.

      What is the legitimate use case for 3rd party number spoofing?

      it's 2018 why haven't we solved the SPAM problem yet????

      Stupid analogy. Spam is a problem worldwide. There is no obvious solution.

      3rd party number spoofing is an America+Canada only problem. The solution is obvious, and most of the world has already done it.

    5. Re:Whoa. by arth1 · Score: 2

      So is fraud; making things illegal won't stop criminals.

      Actually, it will, in that you can arrest, jail, prosecute and imprison them once it's illegal, but if it's legal, they can continue at will.

    6. Re: Whoa. by ShanghaiBill · Score: 2, Insightful

      A. Number portability. I can no longer be certain that an AT&T assigned number is still with AT&T.

      Why does this require 3rd party number spoofing?

      B. Many companies assign the main corporate number to all outbound calls. This is a feature that shouldn't be broken.

      C. VOIP service. I want calls from my cell and voip to be transparent. It's also nice to be able to call as, so I can call as me or as my corporate phone number from one phone.

      Neither of these require 3rd party number spoofing.

      Spoofing is fine if the same company owns both numbers. That is legal almost everywhere.

    7. Re:Whoa. by ShanghaiBill · Score: 4, Insightful

      So there are legitimate reasons to allow caller ID spoofing

      Of course there are, and you listed several, but that WAS NOT THE QUESTION,

      Let me repeat: Is there any legitimate use case for THIRD PARTY phone number spoofing?

      This means you call from a number that you own and control, and you make it look like it is coming from a number that you do NOT own or control, and do not have permission to use. This is obviously useful to criminals. Is it needed by anyone else?

    8. Re:Whoa. by jpaine619 · Score: 2

      I gotta agree with the GP.. If the telecoms don't permit third party spoofing, it wouldn't happen.. They control the network... They can enable/disable it...

      If it doesn't occur in Europe, then they have apparently figured out how to disable it..

      First party spoofing is fine.. As many have pointed out, it's nice that all outbound calls from a single company have the same Caller ID.

      On the other hand, I shouldn't be able to show "Joe's Fish Shack" as the caller ID from a call on my home phone if I have no connection to Joe's Fish Shack. The technology to permit this should not be in place.. Telecoms should assign the Caller ID.. Not the asshole making the phone call.

    9. Re:Whoa. by ShanghaiBill · Score: 2

      The only fix for this would completely break backwards compatibility

      Nonsense. An obvious solution would be to ban all American companies from 3P spoofing, and ban them from connecting to foreign networks that allow it. Give them six months to implement it.

      During those six months, any country that wants to continue to connect to America's phone system (i.e. all except North Korea) would scramble to fix their own phone systems. Most would need to do nothing, since 3P spoofing is ALREADY ILLEGAL. In India, 3P spoofing is already illegal for domestic calls, but allowed for international calls, so it would be only a minor change.

    10. Re:Whoa. by Ichijo · Score: 2

      Why can't you route your call through your office in order to avoid the need to spoof your number? That would be like a VPN for telephone calls.

      An alternative would be something similar to SPF so the recipient knows that you own both numbers (cell+office) and displays your office number when they receive a call from your cell phone.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    11. Re:Whoa. by Calydor · Score: 3, Insightful

      Contract signed by both number holders.

      Next fringe case?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    12. Re:Whoa. by fgouget · Score: 2

      If it doesn't occur in Europe, then they have apparently figured out how to disable it..

      Caller id spoofing happens just the same in Europe. A number of calls are placed from abroad and spoof local numbers. The phone system is a worldwide system so the solution must be deployed worldwide for it to work.

    13. Re: Whoa. by Sique · Score: 5, Informative

      Third party number spoofing is the effect, not the cause.

      You can spoof any number by sending a user provided caller ID. The only reason the other party doesn't see the caller ID you provided is because the provider strips it from your signalling. If you are behind the phone switch of your company, the provider has no way to determine if the extension your phone switch signals to PSTN is correct. Depending on your trunk configuration, the provider thus either accepts the signalling, or strips it and replaces it with the trunk dial-in number (e.g. the number of the company's attendant switch board), so no callback will get through to the extensions.

      If you are a company with several number blocks (e.g. several locations with their own trunks), and the company wants to show a central dial-in number for callbacks, the provider has a problem. It doesn't necessarily know all the locations of your company, because some might be with a different provider. Or the company has for redundancy reasons bought connectivity with different providers, with separate trunk numbers, but wants always their main number of the first trunk as the caller ID.

      In this case, the company gets a "CLIP no screening" contract, where it is the sole responsibility of the company to signal the right caller ID, and the provider takes it without further checks, as it has incomplete information anyway and wouldn't be able to determine if the caller ID provided is valid or not. Only if there are complaints about wrong caller IDs coming from the trunk will the provider cancel the "CLIP no screening" and no longer trust the information, strip it and replace it with the trunk number (or cancel the contract altogether).

      But if the calls with the spoofed number are crossing several providers, it will take a long time until the rogue trunk that is using the wrong caller ID is determined, because at the exchange points, the providers have to take the information of the call at face value, not really able to check if it is valid or not.

      --
      .sig: Sique *sigh*
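As an added illustration of the screening decision Sique describes above (this is a constructed model, not code from the thread or from any real carrier), the following Python sketch assumes a provider that knows some number blocks per customer trunk, screens the signalled caller ID against them unless the trunk holds a "CLIP no screening" contract, revokes that contract after repeated complaints, and forwards the result through transit providers that take the number at face value. Trunk names, numbers and the complaint threshold are all invented for the example.

```python
from dataclasses import dataclass, field


def digits(number: str) -> int:
    """Normalise an E.164-style string such as '+1 503 555 0100' to an integer."""
    return int("".join(ch for ch in number if ch.isdigit()))


@dataclass
class Trunk:
    """One customer trunk as the originating provider sees it (constructed data)."""
    name: str
    trunk_number: str                 # dial-in number of the customer's attendant switchboard
    owned_blocks: list = field(default_factory=list)  # (first, last) numbers the provider knows the customer owns
    clip_no_screening: bool = False   # customer is trusted to signal any caller ID
    complaints: int = 0


def in_owned_blocks(trunk: Trunk, number: str) -> bool:
    """True if the number falls inside a block the provider attributes to this trunk."""
    n = digits(number)
    return any(digits(lo) <= n <= digits(hi) for lo, hi in trunk.owned_blocks)


def screen_caller_id(trunk: Trunk, signalled: str) -> tuple:
    """Decide which calling-party number leaves the originating provider's network.

    Returns (caller_id_sent_onward, decision). With "CLIP no screening" the
    provider forwards whatever the PBX signalled; otherwise it accepts only
    numbers from known blocks and substitutes the trunk number for anything else.
    """
    if trunk.clip_no_screening:
        return signalled, "passed-unscreened"
    if in_owned_blocks(trunk, signalled):
        return signalled, "accepted"
    return trunk.trunk_number, "replaced-with-trunk-number"


def handle_complaint(trunk: Trunk, threshold: int = 3) -> bool:
    """Provider reaction to a complaint about wrong caller IDs from this trunk.

    The threshold is an assumption for the example. Returns True when the
    complaint causes "CLIP no screening" to be revoked.
    """
    trunk.complaints += 1
    if trunk.clip_no_screening and trunk.complaints >= threshold:
        trunk.clip_no_screening = False
        return True
    return False


def transit_hop(caller_id: str) -> str:
    """A transit provider at an exchange point has no ownership data for the
    originating customer, so it can only forward the number at face value."""
    return caller_id


def deliver(originating_trunk: Trunk, signalled: str, hops: int = 2) -> tuple:
    """Run one call from the originating trunk through `hops` transit providers.

    Returns (caller_id_seen_by_recipient, originating_provider_decision).
    """
    cid, decision = screen_caller_id(originating_trunk, signalled)
    for _ in range(hops):
        cid = transit_hop(cid)
    return cid, decision


if __name__ == "__main__":
    # Constructed trunks: one screened, one with a "CLIP no screening" contract.
    screened = Trunk("Acme HQ", "+15035550100", [("+15035550100", "+15035550199")])
    unscreened = Trunk("Acme multi-site", "+15035550200", [("+15035550200", "+15035550299")],
                       clip_no_screening=True)
    print(deliver(screened, "+15035550150"))    # extension in a known block: accepted
    print(deliver(screened, "+18005551234"))    # foreign number: replaced with trunk number
    print(deliver(unscreened, "+18005551234"))  # passed unscreened, unchanged across hops
    for _ in range(3):
        revoked = handle_complaint(unscreened)
    print(revoked, deliver(unscreened, "+18005551234"))  # contract revoked, now replaced
```

The point the model makes visible is that the only node able to say "this trunk may not use that number" is the originating provider, and even it decides from an ownership table that is admittedly incomplete; every later hop simply copies the field, so a recipient's caller ID display carries no evidence of which check, if any, was applied.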
  2. Haughey is a dumb-ass. by fahrbot-bot · Score: 4, Insightful

    So "alarm bells" went off in his head four times and he kept giving out his information? He should have said he would call his bank branch directly or the 800 number listed on the back of his card and hung up.

    The "bank" called him, at his phone number, so he doesn't need to confirm anything - the bank needs to confirm themselves. Both of my banks say they will never ask for personal information if they contact me, not only for my safety but because -- spoiler alert -- they already have my information. (I, however, need to provide my information if I call them to prove that I am me.) In addition, why would they ask him to confirm information that won't be changed?

    Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

    Caller ID can be spoofed. Never trust it.

    "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

    No. Just no.

    --
    It must have been something you assimilated. . . .
    1. Re:Haughey is a dumb-ass. by MachineShedFred · Score: 3, Informative

      More than that, when they asked for his PIN, twice, he should have hung up then and there. Banks never have, and never will ask for your PIN. It is always set either by yourself at a bank branch keying it into a terminal, or when you activate the card by dialing the number on the card sent to you at the time of activation.

      The other stuff is semi-legit if you include all practices that banks have used since the beginning of time, but many of them are not in use anymore. Example: mother's maiden name is easily gained information in the age of The Book of Faces.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    2. Re: Haughey is a dumb-ass. by olsmeister · Score: 5, Insightful

      There is just so much about the story that doesn't make sense in hindsight, but the advantage that the scammers have is that they've called you, given you some alarming news, and are offering to fix it for you. People probably are so upset hearing that their card is being improperly used that they aren't slowing down to think about what is being asked them.
      The news needs to be spread far and wide that you always just thank them for the information and inform them you'll be calling their fraud line.

    3. Re: Haughey is a dumb-ass. by Ostracus · Score: 2

      My fraud line called ME, and said "did you make these charges"? No. They denied them, and issued me a new card. No other verify needed.

      --
      Shai Schticks:"You don't make peace with friends, you make peace with enemies"
  3. I can vouch for this by Applehu Akbar · Score: 5, Interesting

    The creepiest voice phish I ever got was the call from my little brother, exactly his voice and intonation pattern, telling us he was in jail in Mexico and needed money. The only way I knew it was a scam, besides the Mexican authorities suddenly accepting payment in Bitcoin, was knowing that he had been sick for years and unable to travel.

    1. Re:I can vouch for this by toejam13 · Score: 4, Interesting

      With voice-mimicking software getting better and better, I imagine that these sorts of spear-phishing scams will become more prevalent, especially against the elderly.

      Scour social media for videos of identifiable individuals, find all familial elder links, train the software, and then make a call in that individual's voice using their number in the caller ID field about a phony issue that asks them to send money.

    2. Re:I can vouch for this by Applehu Akbar · Score: 4, Interesting

      I'm guessing that they phone-scraped voice from his job, which was buyer for a hinge manufacturing company in LA. He had to spend a lot of time on the phone.

  4. Basic phone security by registrations_suck · Score: 2

    Don't call me, I will call you.

    If you get a call from ANYBODY claiming whatever, hang up and call that supposed somebody at a known good number. Every time.

  5. Easy Fix by nehumanuscrede · Score: 4, Insightful

    Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.

    They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.

  6. Re:Caller ID? by arth1 · Score: 2

    In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?

    Anyone using "cyber" as part of their description is fake themselves.

  7. Re:If they call my cell phone... by Fly Swatter · Score: 2

    Your situation will be good until the old copper develops an intermittent issue somewhere off your property that they won't fix because 'copper is deprecated, so we will convert your line to fiber at no cost to you'.

  8. Re:Caller ID? by Ol Olsoc · Score: 3, Funny

    In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?

    Anyone using "cyber" as part of their description is fake themselves.

    What about us cyber-punks, you insensitive clod?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. Never tell anybody anything by petes_PoV · Score: 2

    sounds incredibly professional, you'd fall for it, too," Haughey said.

    Errr, no.

    The first principle of phone banking is to never give out personal information to anyone who calls you. Never.
    If you feel there is an issue that does need information to be passed, hang up and phone them on the public number. Just make sure you have actually hung up, there is a long-standing scam where the thieves actually recommend you call the bank, yourself. They then make the sound of hanging up but stay on the line. When you dial the bank's number, you are still actually talking to the scammers.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  10. don't give out private info to a cold call! by roc97007 · Score: 2

    Don't EVER give out private information to a cold call. Never, for any reason. If there's a problem, and it's urgent, tell them you'll call them back on a known number. (Not a number they provide. Duh.) Legitimate callers will agree to this. Non-legitimate callers will try to steer you to a different number or insist that you must take care of this now, on this call. Don't fall for it.

    Let me repeat this for the cognitively impaired: If they call YOU, do NOT give out private information. If you call THEM on a legitimate number, it's a different story.

    Let's be safe out there.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.